System And Communications Protection
Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
Just as your office or plant has fences and locks for protection from the outside, and uses badges and keycards to keep non-employees out, your company’s IT network or system has boundaries that must be protected. Many companies use a web proxy and a firewall. Web Proxy: When an employee uses a company computer to go to a website, a web proxy makes the request on the user’s behalf, looks at the web request, and decides if it should let the employee go to the website. Firewall: A firewall controls access from the inside and outside, protecting valuable information and resources stored on the company’s network. A firewall stops unwanted traffic on the internet from passing through an outside “fence” to the company’s networks and information systems. If your company is large enough, you might want to monitor, control, or protect one part of the company enterprise/network from the other. This can also be done with a firewall. You may want to do this to stop adversaries, hackers, or disgruntled employees from entering your network and causing damage. Cybersecurity Example You are setting up the new network for your company, and want to keep the company’s information and resources safe. You make sure to buy a router—a hardware device that routes data from a local area network (LAN) to another network connection—with a builtin firewall, then configure it to limit access to trustworthy sites. Some of your coworkers complain that they cannot get onto to certain websites. You explain that the new network blocks websites that are known for spreading malware.
Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.
Communications can be monitored, controlled, and protected at boundary components and by restricting or prohibiting interfaces in organizational systems. Boundary components include gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a system security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Restricting or prohibiting interfaces in organizational systems includes restricting external web communications traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security requirements associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions. [SP 800-41] provides guidance on firewalls and firewall policy. [SP 800-125B] provides guidance on security for virtualization technologies.
NIST SP 800-53 Rev 4 SC-7
NIST SP 800-171 Rev 1 3.13.1
FAR Clause 52.204-21 b.1.x
NIST CSF v1.1 PR.PT-4
UK NCSC Cyber Essentials
SC.1.175.[a] the external system boundary is defined;
SC.1.175.[b] key internal system boundaries are defined;
SC.1.175.[c] communications are monitored at the external system boundary;
SC.1.175.[d] communications are monitored at key internal boundaries;
SC.1.175.[e] communications are controlled at the external system boundary;
SC.1.175.[f] communications are controlled at key internal boundaries;
SC.1.175.[g] communications are protected at the external system boundary; and
SC.1.175.[h] communications are protected at key internal boundaries.