💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage

Contextual name: 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage
ID: /frameworks/nist-csf-v2.0/pr-ir/01
Located in: 💼 Technology Infrastructure Resilience (PR.IR)

Description

Logically segment organization networks and cloud-based platforms according to trust boundaries and platform types (e.g., IT, IoT, OT, mobile, guests), and permit required communications only between segments
Logically segment organization networks from external networks, and permit only necessary communications to enter the organization's networks from the external networks
Implement zero trust architectures to restrict network access to each resource to the minimum necessary
Check the cyber health of endpoints before allowing them to access and use production resources

Similar

Sections
- /frameworks/nist-csf-v1.1/pr-ac/03
- /frameworks/nist-csf-v1.1/pr-ac/05
- /frameworks/nist-csf-v1.1/pr-ds/07
- /frameworks/nist-csf-v1.1/pr-pt/04
- /frameworks/nist-sp-800-53-r5/ac/03
- /frameworks/nist-sp-800-53-r5/ac/04
- /frameworks/nist-sp-800-53-r5/sc/04
- /frameworks/nist-sp-800-53-r5/sc/05
- /frameworks/nist-sp-800-53-r5/sc/07

Similar Sections (Take Policies From)

Section	Sub Sections	Internal Rules	Policies
💼 NIST CSF v1.1 → 💼 PR.AC-3: Remote access is managed
💼 NIST CSF v1.1 → 💼 PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation)		7	13
💼 NIST CSF v1.1 → 💼 PR.DS-7: The development and testing environment(s) are separate from the production environment			1
💼 NIST CSF v1.1 → 💼 PR.PT-4: Communications and control networks are protected		7	13
💼 NIST SP 800-53 Revision 5 → 💼 AC-3 Access Enforcement	15	4	17
💼 NIST SP 800-53 Revision 5 → 💼 AC-4 Information Flow Enforcement	32	61	73
💼 NIST SP 800-53 Revision 5 → 💼 SC-4 Information in Shared System Resources	2
💼 NIST SP 800-53 Revision 5 → 💼 SC-5 Denial-of-service Protection	3		2
💼 NIST SP 800-53 Revision 5 → 💼 SC-7 Boundary Protection	29	5	33

Sub Sections

Section	Sub Sections	Internal Rules	Policies	Flags

Policies (40)

Policy	Logic Count	Flags
📝 AWS Account Object-level CloudTrail Logging for Read Events for S3 Buckets is not enabled 🟢	1	🟢 x6
📝 AWS Account Object-level CloudTrail Logging for Write Events for S3 Buckets is not enabled 🟢	1	🟢 x6
📝 AWS API Gateway API Route Authorization Type is not configured 🟢	1	🟢 x6
📝 AWS API Gateway REST API Stage is not configured to use an SSL certificate for authentication 🟢	1	🟢 x6
📝 AWS EC2 Default Security Group does not restrict all traffic 🟢	1	🟢 x6
📝 AWS EC2 Instance IMDSv2 is not enabled 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows public IPv4 (0.0.0.0/0) access to admin ports 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows public IPv6 (::/0) access to admin ports 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows unrestricted CIFS traffic 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows unrestricted FTP traffic 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows unrestricted RPC traffic 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows unrestricted SMTP traffic 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows unrestricted traffic to MongoDB 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows unrestricted traffic to MSSQL 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows unrestricted traffic to MySQL 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows unrestricted traffic to Oracle DBMS 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows unrestricted traffic to PostgreSQL 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows unrestricted Telnet traffic 🟢	1	🟢 x6
📝 AWS IAM Policy allows full administrative privileges 🟢	1	🟢 x6
📝 AWS IAM User has inline or directly attached policies 🟢	1	🟠 x1, 🟢 x5
📝 AWS IAM User with credentials unused for 45 days or more is not disabled 🟢	1	🟢 x6
📝 AWS RDS Instance is publicly accessible and in an unrestricted public subnet 🟢	1	🟢 x6
📝 AWS RDS Instance uses default endpoint port 🟢	1	🟢 x6
📝 AWS RDS Snapshot is publicly accessible 🟢	1	🟢 x6
📝 AWS S3 Bucket is not configured to block public access 🟢	1	🟢 x6
📝 AWS S3 Bucket Object Lock is not enabled 🟠🟢	1	🟠 x1, 🟢 x6
📝 AWS S3 Bucket Policy is not set to deny HTTP requests 🟢	1	🟢 x6
📝 AWS S3 Bucket Versioning is not enabled 🟢	1	🟢 x6
📝 AWS VPC Network ACL exposes admin ports to public internet ports 🟢	1	🟢 x6
📝 Azure App Service Authentication is disabled and Basic Authentication is enabled 🟢	1	🟢 x6
📝 Azure App Service Basic Authentication is enabled 🟢		🟢 x3
📝 Azure App Service FTP deployments are not disabled 🟢	1	🟢 x6
📝 Azure App Service HTTPS Only configuration is not enabled 🟢	1	🟢 x6
📝 Azure MySQL Flexible Server require_secure_transport Parameter is not set to ON 🟢	1	🟢 x6
📝 Azure PostgreSQL Flexible Server require_secure_transport Parameter is not set to ON 🟢	1	🟢 x6
📝 Azure PostgreSQL Single Server Enforce SSL Connection is not set enabled 🟢	1	🟢 x6
📝 Azure PostgreSQL Single Server Infrastructure Double Encryption is not enabled 🟢	1	🟢 x6
📝 Azure Storage Account Cross Tenant Replication is enabled 🟢	1	🟢 x6
📝 Azure Storage Account Secure Transfer Required is not enabled 🟢	1	🟢 x6
📝 Azure Subscription Network Watcher is not enabled in every available region 🟢	1	🔴 x1, 🟢 x5

Description​

Similar​

Similar Sections (Take Policies From)​

Sub Sections​

Policies (40)​

Description

Similar

Similar Sections (Take Policies From)

Sub Sections

Policies (40)