Show/Hide Toolbars

ABCI Consultants

Guidance for NIST 800-171 Assessment & Compliance

Navigation: SC-FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION

SC-7(4) BOUNDARY PROTECTION  |  EXTERNAL TELECOMMUNICATIONS SERVICES
Scroll Prev Top Next More

Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

 

 

 

 

 

 

 

 

 

 

 

 

###

sc-7(4)

boundary protection  | external telecommunications services

 

assessment objective:

Determine if the organization:

sc-7(4)(a)

implements a managed interface for each external telecommunication service;

sc-7(4)(b)

establishes a traffic flow policy for each managed interface;

sc-7(4)(c)

protects the confidentiality and integrity of the information being transmitted across each interface;

sc-7(4)(d)

documents each exception to the traffic flow policy with:

sc-7(4)(d)[1]

a supporting mission/business need;

sc-7(4)(d)[2]

duration of that need;

sc-7(4)(e)

sc-7(4)(e)[1]

defines a frequency to review exceptions to traffic flow policy;

sc-7(4)(e)[2]

reviews exceptions to the traffic flow policy with the organization-defined frequency; and

sc-7(4)(e)[3]

removes traffic flow policy exceptions that are no longer supported by an explicit mission/business need

potential assessment methods and objects:

Examine: [select from:  System and communications protection policy; traffic flow policy; information flow control policy; procedures addressing boundary protection; information system security architecture; information system design documentation; boundary protection hardware and software; information system architecture and configuration documentation; information system configuration settings and associated documentation; records of traffic flow policy exceptions; information system audit records; other relevant documents or records].

Interview: [select from: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with boundary protection responsibilities].

Test: [select from: Organizational processes for documenting and reviewing exceptions to the traffic flow policy; organizational processes for removing exceptions to the traffic flow policy; automated mechanisms implementing boundary protection capability; managed interfaces implementing traffic flow policy].

 

Hosted by ABCI Consultants for Information Security Management Systems | Implementations, Training and Assessments for Compliance | (800) 644-2056