NET-06.3: Sensitive / Regulated Data Enclave (Secure Zone)
Mechanisms exist to implement segmentation controls to restrict inbound and outbound connectivity for sensitive/regulated data enclaves (secure zones).
Control Question: Does the organization implement segmentation controls to restrict inbound and outbound connectivity for sensitive/regulated data enclaves (secure zones)?
General (7)
| Framework | Mapping Values |
|---|---|
| ISO 27017 2015 | CLD.9.5.1 |
| MPA Content Security Program 5.1 | TS-2.0 |
| NIST 800-171 R3 (source) | 03.13.01.b |
| SWIFT CSF 2023 | 1.4 1.5 |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | NET-06.3 |
| SCF CORE ESP Level 2 Critical Infrastructure | NET-06.3 |
| SCF CORE ESP Level 3 Advanced Threats | NET-06.3 |
US (3)
| Framework | Mapping Values |
|---|---|
| US C2M2 2.1 | ARCHITECTURE-2.L.MIL3 |
| US DHS ZTCF | NTW-03 |
| US TSA / DHS 1580/82-2022-01 | III.B.1.c |
EMEA (3)
| Framework | Mapping Values |
|---|---|
| EMEA Saudi Arabia CSCC-1 2019 | 2-4-1-6 2-4-1-7 |
| EMEA Saudi Arabia OTCC-1 2022 | 2-4-1-1 |
| EMEA Saudi Arabia SACS-002 | TPC-38 TPC-40 |
APAC (2)
| Framework | Mapping Values |
|---|---|
| APAC Japan ISMAP | 13.1.4.P |
| APAC New Zealand HISF 2022 | HMS15 |
Americas (1)
| Framework | Mapping Values |
|---|---|
| Americas Canada ITSP-10-171 | 03.13.01.B |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to implement segmentation controls to restrict inbound and outbound connectivity for sensitive/regulated data enclaves (secure zones).
Level 1 — Performed Informally
C|P-CMM1 is N/A, since a structured process is required to implement segmentation controls to restrict inbound and outbound connectivity for sensitive/regulated data enclaves (secure zones).
Level 2 — Planned & Tracked
C|P-CMM2 is N/A, since a well-defined process is required to implement segmentation controls to restrict inbound and outbound connectivity for sensitive/regulated data enclaves (secure zones).
Level 3 — Well Defined
Network Security (NET) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- A Technology Infrastructure team, or similar function, defines centrally-managed network security controls for implementation across the enterprise.
- Secure engineering principles are used to design and implement network security controls (e.g., industry-recognized secure practices) to enforce the concepts of least privilege and least functionality at the network level.
- IT/cybersecurity architects work with the Technology Infrastructure team to implement a “layered defense” network architecture that provides a defense-in-depth approach for redundancy and risk reduction for network-based security controls, including wired and wireless networking.
- Administrative processes and technologies configure boundary devices (e.g., firewalls, routers, etc.) to deny network traffic by default and allow network traffic by exception (e.g., deny all, permit by exception).
- Technologies automate the Access Control Lists (ACLs) and similar rulesets review process to identify security issues and/ or misconfigurations.
- Network segmentation exists to implement separate network addresses (e.g., different subnets) to connect systems in different security domains (e.g., sensitive/regulated data environments).
Level 4 — Quantitatively Controlled
See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to implement segmentation controls to restrict inbound and outbound connectivity for sensitive/regulated data enclaves (secure zones).
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to implement segmentation controls to restrict inbound and outbound connectivity for sensitive/regulated data enclaves (secure zones).
Assessment Objectives
- NET-06.3_A01 segmentation controls restrict inbound and outbound connectivity for sensitive / regulated data enclaves (secure zones).