💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage

ID: /frameworks/nist-csf-v2.0/pr-ir/01

Description

Logically segment organization networks and cloud-based platforms according to trust boundaries and platform types (e.g., IT, IoT, OT, mobile, guests), and permit required communications only between segments
Logically segment organization networks from external networks, and permit only necessary communications to enter the organization's networks from the external networks
Implement zero trust architectures to restrict network access to each resource to the minimum necessary
Check the cyber health of endpoints before allowing them to access and use production resources

Similar

Sections
- /frameworks/nist-csf-v1.1/pr-ac/03
- /frameworks/nist-csf-v1.1/pr-ac/05
- /frameworks/nist-csf-v1.1/pr-ds/07
- /frameworks/nist-csf-v1.1/pr-pt/04
- /frameworks/nist-sp-800-53-r5/ac/03
- /frameworks/nist-sp-800-53-r5/ac/04
- /frameworks/nist-sp-800-53-r5/sc/04
- /frameworks/nist-sp-800-53-r5/sc/05
- /frameworks/nist-sp-800-53-r5/sc/07

Similar Sections (Take Policies From)

Section	Sub Sections	Internal Rules	Policies	Compliance
💼 NIST CSF v1.1 → 💼 PR.AC-3: Remote access is managed			22	no data
💼 NIST CSF v1.1 → 💼 PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation)		10	44	no data
💼 NIST CSF v1.1 → 💼 PR.DS-7: The development and testing environment(s) are separate from the production environment			1	no data
💼 NIST CSF v1.1 → 💼 PR.PT-4: Communications and control networks are protected		10	44	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3 Access Enforcement	15	5	40	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4 Information Flow Enforcement	32	68	91	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-4 Information in Shared System Resources	2			no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-5 Denial-of-service Protection	3		12	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7 Boundary Protection	29	4	52	no data

Sub Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance

Policies (95)

Policy	Logic Count	Flags	Compliance
🛡️ AWS Account Object-level CloudTrail Logging for Read Events for S3 Buckets is not enabled🟢	1	🟢 x6	no data
🛡️ AWS Account Object-level CloudTrail Logging for Write Events for S3 Buckets is not enabled🟢	1	🟢 x6	no data
🛡️ AWS API Gateway API Route Authorization Type is not configured🟢	1	🟢 x6	no data
🛡️ AWS API Gateway REST API Stage is not configured to use an SSL certificate for authentication🟢	1	🟢 x6	no data
🛡️ AWS CloudFront Web Distribution Cache Behaviors allow unencrypted traffic🟢	1	🟢 x6	no data
🛡️ AWS CloudFront Web Distribution does not encrypt traffic to Custom Origins🟢	1	🟢 x6	no data
🛡️ AWS CloudFront Web Distribution Default Root Object is not configured🟢	1	🟢 x6	no data
🛡️ AWS CloudFront Web Distribution uses default SSL/TLS certificate🟢	1	🟢 x6	no data
🛡️ AWS CloudFront Web Distribution uses Dedicated IP for SSL🟢	1	🟢 x6	no data
🛡️ AWS CloudFront Web Distribution uses outdated SSL protocols with Custom Origins🟢	1	🟢 x6	no data
🛡️ AWS DMS Endpoint doesn't use SSL🟢	1	🟢 x6	no data
🛡️ AWS DMS Replication Instance is publicly accessible🟢	1	🟢 x6	no data
🛡️ AWS EBS Snapshot is publicly accessible🟢	1	🟢 x6	no data
🛡️ AWS EC2 Auto Scaling Group behind ELB assigns public IP to instances🟢	1	🟢 x6	no data
🛡️ AWS EC2 Auto Scaling Group Launch Template is not configured to require IMDSv2🟢	1	🟢 x6	no data
🛡️ AWS EC2 Default Security Group does not restrict all traffic🟢	1	🟢 x6	no data
🛡️ AWS EC2 Instance IMDSv2 is not enabled🟢	1	🟢 x6	no data
🛡️ AWS EC2 Instance with an auto-assigned public IP address is in a default subnet🟢	1	🟢 x6	no data
🛡️ AWS EC2 Security Group allows public IPv4 (0.0.0.0/0) access to admin ports🟢	1	🟢 x6	no data
🛡️ AWS EC2 Security Group allows public IPv6 (::/0) access to admin ports🟢	1	🟢 x6	no data
🛡️ AWS EC2 Security Group allows unrestricted CIFS traffic🟢	1	🟢 x6	no data
🛡️ AWS EC2 Security Group allows unrestricted FTP traffic🟢	1	🟢 x6	no data
🛡️ AWS EC2 Security Group allows unrestricted RPC traffic🟢	1	🟢 x6	no data
🛡️ AWS EC2 Security Group allows unrestricted SMTP traffic🟢	1	🟢 x6	no data
🛡️ AWS EC2 Security Group allows unrestricted traffic to MongoDB🟢	1	🟢 x6	no data
🛡️ AWS EC2 Security Group allows unrestricted traffic to MSSQL🟢	1	🟢 x6	no data
🛡️ AWS EC2 Security Group allows unrestricted traffic to MySQL🟢	1	🟢 x6	no data
🛡️ AWS EC2 Security Group allows unrestricted traffic to Oracle DBMS🟢	1	🟢 x6	no data
🛡️ AWS EC2 Security Group allows unrestricted traffic to PostgreSQL🟢	1	🟢 x6	no data
🛡️ AWS EC2 Security Group allows unrestricted Telnet traffic🟢	1	🟢 x6	no data
🛡️ AWS GuardDuty is not enabled in all regions🟢	1	🟢 x6	no data
🛡️ AWS IAM Policy allows full administrative privileges🟢	1	🟢 x6	no data
🛡️ AWS IAM User has inline or directly attached policies🟢	1	🟠 x1, 🟢 x5	no data
🛡️ AWS IAM User with credentials unused for 45 days or more is not disabled🟢	1	🟢 x6	no data
🛡️ AWS RDS Instance is publicly accessible and in an unrestricted public subnet🟢	1	🟢 x6	no data
🛡️ AWS RDS Instance uses default endpoint port🟢	1	🟢 x6	no data
🛡️ AWS RDS Snapshot is publicly accessible🟢	1	🟢 x6	no data
🛡️ AWS S3 Bucket is not configured to block public access🟢	1	🟢 x6	no data
🛡️ AWS S3 Bucket Object Lock is not enabled🟠🟢	1	🟠 x1, 🟢 x6	no data
🛡️ AWS S3 Bucket Policy is not set to deny HTTP requests🟢	1	🟢 x6	no data
🛡️ AWS S3 Bucket Versioning is not enabled🟢	1	🟢 x6	no data
🛡️ AWS VPC is not configured with a VPC Endpoint for Amazon EC2 service🟢	1	🟢 x6	no data
🛡️ AWS VPC Network ACL exposes admin ports to public internet ports🟢	1	🟢 x6	no data
🛡️ AWS VPC Subnet Map Public IP On Launch is enabled🟢	1	🟢 x6	no data
🛡️ AWS WAF Rule Group has no WAF Rules🟢	1	🟠 x1, 🟢 x5	no data
🛡️ AWS WAF Web ACL has no WAF Rules or WAF Rule Groups🟢	1	🟠 x1, 🟢 x5	no data
🛡️ Azure App Service Authentication is disabled and Basic Authentication is enabled🟢	1	🟢 x6	no data
🛡️ Azure App Service Basic Authentication is enabled🟢⚪		🟢 x2, ⚪ x1	no data
🛡️ Azure App Service FTP deployments are not disabled🟢	1	🟢 x6	no data
🛡️ Azure App Service HTTPS Only configuration is not enabled🟢	1	🟢 x6	no data
🛡️ Azure MySQL Flexible Server require_secure_transport Parameter is not set to ON🟢	1	🟢 x6	no data
🛡️ Azure PostgreSQL Flexible Server require_secure_transport Parameter is not set to ON🟢	1	🟢 x6	no data
🛡️ Azure PostgreSQL Single Server Enforce SSL Connection is not set enabled🟢	1	🟢 x6	no data
🛡️ Azure PostgreSQL Single Server Infrastructure Double Encryption is not enabled🟢	1	🟢 x6	no data
🛡️ Azure Storage Account Cross Tenant Replication is enabled🟢	1	🟢 x6	no data
🛡️ Azure Storage Account Secure Transfer Required is not enabled🟢	1	🟢 x6	no data
🛡️ Azure Subscription Network Watcher is not enabled in every available region🟢	1	🟢 x6	no data
🛡️ Google BigQuery Dataset is anonymously or publicly accessible🟢	1	🟢 x6	no data
🛡️ Google Cloud MySQL Instance Skip_show_database Database Flag is not set to on🟢	1	🟢 x6	no data
🛡️ Google Cloud SQL Instance External Authorized Networks whitelists all public IP addresses🟢	1	🟢 x6	no data
🛡️ Google Cloud SQL Instance has public IP addresses🟢	1	🟢 x6	no data
🛡️ Google Cloud SQL Instance SSL Connections are not enforced🟢	1	🟢 x6	no data
🛡️ Google Cloud SQL Server Instance cross db ownership chaining Database Flag is not set to off🟢	1	🟢 x6	no data
🛡️ Google GCE Firewall Rule logging is disabled🟢	1	🟢 x6	no data
🛡️ Google GCE Instance has a public IP address🟢	1	🟢 x6	no data
🛡️ Google GCE Instance IP Forwarding is not disabled.🟢	1	🟢 x6	no data
🛡️ Google GCE Network allows unrestricted CiscoSecure/WebSM traffic🟢	1	🟢 x6	no data
🛡️ Google GCE Network allows unrestricted DNS traffic🟢	1	🟢 x6	no data
🛡️ Google GCE Network allows unrestricted FTP traffic🟢	1	🟢 x6	no data
🛡️ Google GCE Network allows unrestricted HTTP traffic🟢	1	🟢 x6	no data
🛡️ Google GCE Network allows unrestricted LDAP traffic🟢	1	🟢 x6	no data
🛡️ Google GCE Network allows unrestricted NetBIOS traffic🟢	1	🟢 x6	no data
🛡️ Google GCE Network allows unrestricted POP3 traffic🟢	1	🟢 x6	no data
🛡️ Google GCE Network allows unrestricted SMTP traffic🟢	1	🟢 x6	no data
🛡️ Google GCE Network allows unrestricted SSH traffic🟢	1	🟢 x6	no data
🛡️ Google GCE Network allows unrestricted traffic to Cassandra🟢	1	🟢 x6	no data
🛡️ Google GCE Network allows unrestricted traffic to Directory services"🟢	1	🟢 x6	no data
🛡️ Google GCE Network allows unrestricted traffic to Elasticsearch🟢	1	🟢 x6	no data
🛡️ Google GCE Network allows unrestricted traffic to Memcached🟢	1	🟢 x6	no data
🛡️ Google GCE Network allows unrestricted traffic to MongoDB🟢	1	🟢 x6	no data
🛡️ Google GCE Network allows unrestricted traffic to MySQL🟢	1	🟢 x6	no data
🛡️ Google GCE Network allows unrestricted traffic to OracleDB🟢	1	🟢 x6	no data
🛡️ Google GCE Network allows unrestricted traffic to PostgreSQL🟢	1	🟢 x6	no data
🛡️ Google GCE Network allows unrestricted traffic to Redis🟢	1	🟢 x6	no data
🛡️ Google GCE Network allows unrestricted Telnet traffic🟢	1	🟢 x6	no data
🛡️ Google GKE Cluster Network policy is disabled.🟢	1	🟢 x6	no data
🛡️ Google GKE Cluster Node Pool uses default Service account🟢	1	🟢 x6	no data
🛡️ Google HTTPS or SSL Proxy Load Balancer permits SSL policies with weak cipher suites🟢⚪		🟢 x2, ⚪ x1	no data
🛡️ Google IAM Users are assigned the Service Account User or Service Account Token Creator roles at Project level🟢	1	🟢 x6	no data
🛡️ Google KMS Crypto Key is anonymously or publicly accessible🟠🟢⚪		🟠 x1, 🟢 x2, ⚪ x1	no data
🛡️ Google Logging Log Sink exports logs to a Storage Bucket without Bucket Lock🟢	1	🟢 x6	no data
🛡️ Google Project with KMS keys has a principal with Owner role🟢	1	🟢 x6	no data
🛡️ Google Storage Bucket is anonymously or publicly accessible🟢	1	🟢 x6	no data
🛡️ Google Storage Bucket Uniform Bucket-Level Access is not enabled🟢	1	🟢 x6	no data
🛡️ Google User has both Service Account Admin and Service Account User roles assigned🟢	1	🟢 x6	no data

Description​

Similar​

Similar Sections (Take Policies From)​

Sub Sections​

Policies (95)​

Description

Similar

Similar Sections (Take Policies From)

Sub Sections

Policies (95)