💼 SC-7 BOUNDARY PROTECTION

Description

The information system:
SC-7a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system;
SC-7b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and
SC-7c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.

Similar

  • Internal
    • ID: dec-c-537a8fb7

Similar Sections (Give Policies To)

Section | Sub Sections / Internal Rules / Policies / Flags
💼 NIST CSF v1.1 → 💼 DE.CM-1: The network is monitored to detect potential cybersecurity events | 1841
💼 NIST CSF v1.1 → 💼 PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation) | 1022
💼 NIST CSF v1.1 → 💼 PR.DS-5: Protections against data leaks are implemented | 4766
💼 NIST CSF v1.1 → 💼 PR.PT-4: Communications and control networks are protected | 1022

Sub Sections

Section | Sub Sections | Internal Rules | Policies | Flags
💼 SC-7 (1) PHYSICALLY SEPARATED SUBNETWORKS
💼 SC-7 (2) PUBLIC ACCESS
💼 SC-7 (3) ACCESS POINTS
💼 SC-7 (4) EXTERNAL TELECOMMUNICATIONS SERVICES
💼 SC-7 (5) DENY BY DEFAULT / ALLOW BY EXCEPTION
💼 SC-7 (6) RESPONSE TO RECOGNIZED FAILURES
💼 SC-7 (7) PREVENT SPLIT TUNNELING FOR REMOTE DEVICES
💼 SC-7 (8) ROUTE TRAFFIC TO AUTHENTICATED PROXY SERVERS
💼 SC-7 (9) RESTRICT THREATENING OUTGOING COMMUNICATIONS TRAFFIC
💼 SC-7 (10) PREVENT UNAUTHORIZED EXFILTRATION
💼 SC-7 (11) RESTRICT INCOMING COMMUNICATIONS TRAFFIC
💼 SC-7 (12) HOST-BASED PROTECTION
💼 SC-7 (13) ISOLATION OF SECURITY TOOLS / MECHANISMS / SUPPORT COMPONENTS
💼 SC-7 (14) PROTECTS AGAINST UNAUTHORIZED PHYSICAL CONNECTIONS
💼 SC-7 (15) ROUTE PRIVILEGED NETWORK ACCESSES
💼 SC-7 (16) PREVENT DISCOVERY OF COMPONENTS / DEVICES
💼 SC-7 (17) AUTOMATED ENFORCEMENT OF PROTOCOL FORMATS
💼 SC-7 (18) FAIL SECURE
💼 SC-7 (19) BLOCKS COMMUNICATION FROM NON-ORGANIZATIONALLY CONFIGURED HOSTS
💼 SC-7 (20) DYNAMIC ISOLATION / SEGREGATION
💼 SC-7 (21) ISOLATION OF INFORMATION SYSTEM COMPONENTS
💼 SC-7 (22) SEPARATE SUBNETS FOR CONNECTING TO DIFFERENT SECURITY DOMAINS
💼 SC-7 (23) DISABLE SENDER FEEDBACK ON PROTOCOL VALIDATION FAILURE

Policies (10)

Policy | Logic Count / Flags
📝 AWS EC2 Security Group allows public IPv4 (0.0.0.0/0) access to admin ports | 🟢1🟢 x6
📝 AWS EC2 Security Group allows public IPv6 (::/0) access to admin ports | 🟢1🟢 x6
📝 AWS EC2 Security Group allows unrestricted traffic to MongoDB | 🟢1🟢 x6
📝 AWS EC2 Security Group allows unrestricted traffic to Oracle DBMS | 🟢1🟢 x6
📝 AWS S3 Bucket is not configured to block public access | 🟢1🟢 x6
📝 AWS S3 Bucket Policy is not set to deny HTTP requests | 🟢1🟢 x6
📝 Google Cloud SQL Instance External Authorized Networks do not whitelist all public IP addresses | 🟢1🟢 x6
📝 Google GCE Instance has a public IP address | 🟢1🟢 x6
📝 Google GCE Network has Firewall Rules which allow unrestricted SSH access from the Internet | 🟢1🟢 x6
📝 Google HTTPS or SSL Proxy Load Balancer permits SSL policies with weak cipher suites | 🟢🟢 x3

Internal Rules

Rule | Policies / Flags
✉️ dec-x-63737248 | 1
✉️ dec-x-bcae85fb | 2
✉️ dec-x-d5fbfc40 | 1
✉️ dec-x-ec547a7c | 1
✉️ dec-z-c82c9f97 | 1