Firewall

A firewall is a device, or set of devices, that permits or denies network traffic based on a set of rules. It is commonly used to protect a network from unauthorized access while letting legitimate communications pass. Many personal-computer operating systems include a software firewall to protect against threats from the public Internet, and many routers that pass data between networks contain firewall components.

Cloud Controls Matrix (CCM) Data


SA-09 | Security Architecture | Segmentation

Control Specification

System and network environments are separated by firewalls to ensure the following requirements are adhered to:

- Business and customer requirements
- Security requirements
- Compliance with legislative, regulatory, and contractual requirements
- Separation of production and non-production environments
- Preservation of the protection and isolation of sensitive data
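The control above asks for firewalls that keep production apart from non-production and keep the sensitive-data zone isolated. Auditors answering the SA-09 questions usually want evidence that the deployed rule set actually does this, not just a diagram. The following is an added example, not part of the CCM or CAIQ material and not CSA code: a small zone-based, first-match packet-filter policy in Python, together with a static check that reports every reachable permit rule opening a forbidden zone pair. The zone names, address ranges, ports, rule set and the list of forbidden pairs are all constructed for illustration and are assumptions, not values from the page.

```python
"""Zone-based segmentation policy: first-match evaluator plus a static check
that the rule set enforces the SA-09 separation requirements.
Added example, not from the CCM/CAIQ page; all zones, ranges, ports and rules
are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed zone plan (assumption): one CIDR per zone. "internet" is the
# catch-all; zone_of() uses longest-prefix match so internal addresses never
# classify as "internet" merely because 0.0.0.0/0 also contains them.
ZONES = {
    "internet": ip_network("0.0.0.0/0"),
    "prod-web": ip_network("10.10.0.0/24"),
    "prod-db": ip_network("10.10.1.0/24"),  # sensitive data lives here
    "nonprod": ip_network("10.20.0.0/16"),
    "mgmt": ip_network("10.99.0.0/24"),
}
# Zone pairs the control requires to stay blocked (assumption): prod vs.
# non-prod in both directions, and only prod-web and mgmt may reach prod-db.
FORBIDDEN: List[Tuple[str, str]] = [
    ("nonprod", "prod-web"), ("nonprod", "prod-db"),
    ("prod-web", "nonprod"), ("prod-db", "nonprod"),
    ("internet", "prod-db"), ("internet", "nonprod"), ("internet", "mgmt"),
]

@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    src: str              # zone name or "any"
    dst: str              # zone name or "any"
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # destination port; None matches every port

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    dport: int

# Constructed rule set (assumption): first match wins, and the last rule is the
# explicit default deny a segmentation firewall must end with.
RULES: List[Rule] = [
    Rule("permit", "internet", "prod-web", "tcp", 443),
    Rule("permit", "prod-web", "prod-db", "tcp", 5432),
    Rule("permit", "mgmt", "prod-web", "tcp", 22),
    Rule("permit", "mgmt", "prod-db", "tcp", 22),
    Rule("permit", "mgmt", "nonprod", "tcp", 22),
    Rule("permit", "nonprod", "internet", "tcp", 443),
    Rule("deny", "any", "any", "any", None),
]
# The same policy after a "temporary" convenience rule for the test team.
BROKEN_RULES: List[Rule] = RULES[:-1] + [
    Rule("permit", "nonprod", "any", "any", None), RULES[-1]]

def zone_of(ip: str) -> str:
    """Classify an address into the most specific zone containing it."""
    addr = ip_address(ip)
    hits = [z for z, net in ZONES.items() if addr in net]
    if not hits:
        raise ValueError(f"{ip} belongs to no zone")
    return max(hits, key=lambda z: ZONES[z].prefixlen)

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.src in ("any", zone_of(pkt.src_ip))
            and rule.dst in ("any", zone_of(pkt.dst_ip))
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport))

def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """Return (action, index of the matching rule); -1 means implicit deny."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule.action, i
    return "deny", -1

def covers(rule: Rule, src: str, dst: str) -> bool:
    return rule.src in (src, "any") and rule.dst in (dst, "any")

def shadowed_by_deny(rules: List[Rule], idx: int, src: str, dst: str) -> bool:
    """True if an earlier deny is at least as broad as rules[idx] for src->dst."""
    r = rules[idx]
    return any(e.action == "deny" and covers(e, src, dst)
               and e.proto in (r.proto, "any") and e.dport in (r.dport, None)
               for e in rules[:idx])

def verify_segmentation(rules: List[Rule]) -> List[Tuple[int, str, str]]:
    """(rule index, src zone, dst zone) for every reachable permit that opens a
    forbidden zone pair; an empty list means the policy enforces SA-09."""
    return [(i, src, dst)
            for i, rule in enumerate(rules) if rule.action == "permit"
            for src, dst in FORBIDDEN
            if covers(rule, src, dst) and not shadowed_by_deny(rules, i, src, dst)]

if __name__ == "__main__":
    pkt = Packet("10.20.5.7", "10.10.1.5", "tcp", 5432)  # nonprod -> prod-db
    print(evaluate(RULES, pkt), evaluate(BROKEN_RULES, pkt))
    print(verify_segmentation(RULES), verify_segmentation(BROKEN_RULES))
```

Two details matter for the control. First, zone classification must be longest-prefix: with a naive first-match against the catch-all, a non-production host talking to 10.10.1.5 would be treated as "nonprod to internet" and sail through the port 443 permit. Second, the check is static and conservative: a permit is only cleared when an earlier deny covers the same zone pair at least as broadly, which is first-match semantics. The BROKEN_RULES variant shows how a single "any" destination added for convenience reopens the production/non-production boundary that the separation requirement above says must stay closed; running the check on every policy change is the kind of evidence the SA-09 questions ask for.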

Architectural Relevance

Physical: True
Network: True
Compute: True
App: True
Data: True

Corp Gov Relevance

False

Cloud Service Delivery Model Applicability

SaaS: True
PaaS: True
IaaS: True

Supplier Relationship

Service Provider: True
Tenant / Consumer: True

Scope Applicability

COBIT 4.1: DS5.10
HIPAA / HITECH Act: 45 CFR 164.308 (a)(4)(ii)(A)
ISO/IEC 27001-2005: A.11.4.5, A.11.6.1, A.11.6.2, A.15.1.4
NIST SP800-53 R3: AC-4, SC-2, SC-3, SC-7
FedRAMP (Final 2012) Low Impact: NIST SP 800-53 R3 SC-7
FedRAMP (Final 2012) Moderate Impact: NIST SP 800-53 R3 AC-4, SC-2, SC-7, SC-7 (1), SC-7 (2), SC-7 (3), SC-7 (4), SC-7 (5), SC-7 (7), SC-7 (8), SC-7 (12), SC-7 (13), SC-7 (18)
PCI DSS v2.0: 1.1, 1.2, 1.2.1, 1.3, 1.4
BITS Shared Assessments SIG v6.0: G.9.2, G.9.3, G.9.13
BITS Shared Assessments SIG v5.0: G.17
GAPP (Aug 2009): none listed
Jericho Forum: Commandment #1, #2, #3, #9, #10, #11
NERC CIP: CIP-004-3 R3


Consensus Assessments Initiative Questionnaire (CAIQ) Data

Security Architecture (SA) | ID #SA-09.1

Are system and network environments logically separated to ensure business and customer security requirements are met?

Compliance Mapping

COBIT: COBIT 4.1 DS5.10
HIPAA: 45 CFR 164.308 (a)(4)(ii)(A)
ISO27001: A.11.4.5, A.11.6.1, A.11.6.2, A.15.1.4
SP800_53: NIST SP800-53 R3 AC-4, SC-2, SC-3, SC-7
FedRAMP: none listed
PCI_DSS: PCI DSS v2.0 1.1, 1.2, 1.2.1, 1.3, 1.4
BITS: AUP v5.0 G.17; SIG v6.0 G.9.2, G.9.3, G.9.13
GAPP: none listed

Model Applicability

SaaS: True
PaaS: True
IaaS: True

Scope Applicability

SP (Service Provider): True
CUST (Tenant / Consumer): True

Consensus Assessments Initiative Questionnaire (CAIQ) Data

Security Architecture (SA) | ID #SA-09.2

Are system and network environments logically separated to ensure compliance with legislative, regulatory, and contractual requirements?

Compliance Mapping

COBIT: COBIT 4.1 DS5.10
HIPAA: 45 CFR 164.308 (a)(4)(ii)(A)
ISO27001: A.11.4.5, A.11.6.1, A.11.6.2, A.15.1.4
SP800_53: NIST SP800-53 R3 AC-4, SC-2, SC-3, SC-7
FedRAMP: none listed
PCI_DSS: PCI DSS v2.0 1.1, 1.2, 1.2.1, 1.3, 1.4
BITS: AUP v5.0 G.17; SIG v6.0 G.9.2, G.9.3, G.9.13
GAPP: none listed

Model Applicability

SaaS: True
PaaS: True
IaaS: True

Scope Applicability

SP (Service Provider): True
CUST (Tenant / Consumer): True

Consensus Assessments Initiative Questionnaire (CAIQ) Data

Security Architecture (SA) | ID #SA-09.3

Are system and network environments logically separated to ensure separation of production and non-production environments?

Compliance Mapping

COBIT: COBIT 4.1 DS5.10
HIPAA: 45 CFR 164.308 (a)(4)(ii)(A)
ISO27001: A.11.4.5, A.11.6.1, A.11.6.2, A.15.1.4
SP800_53: NIST SP800-53 R3 AC-4, SC-2, SC-3, SC-7
FedRAMP: none listed
PCI_DSS: PCI DSS v2.0 1.1, 1.2, 1.2.1, 1.3, 1.4
BITS: AUP v5.0 G.17; SIG v6.0 G.9.2, G.9.3, G.9.13
GAPP: none listed

Model Applicability

SaaS: True
PaaS: True
IaaS: True

Scope Applicability

SP (Service Provider): True
CUST (Tenant / Consumer): True

Consensus Assessments Initiative Questionnaire (CAIQ) Data

Security Architecture (SA) | ID #SA-09.4

Are system and network environments logically separated to ensure protection and isolation of sensitive data?

Compliance Mapping

COBIT: COBIT 4.1 DS5.10
HIPAA: 45 CFR 164.308 (a)(4)(ii)(A)
ISO27001: A.11.4.5, A.11.6.1, A.11.6.2, A.15.1.4
SP800_53: NIST SP800-53 R3 AC-4, SC-2, SC-3, SC-7
FedRAMP: none listed
PCI_DSS: PCI DSS v2.0 1.1, 1.2, 1.2.1, 1.3, 1.4
BITS: AUP v5.0 G.17; SIG v6.0 G.9.2, G.9.3, G.9.13
GAPP: none listed

Model Applicability

SaaS: True
PaaS: True
IaaS: True

Scope Applicability

SP (Service Provider): True
CUST (Tenant / Consumer): True