AC-04 Information Flow Enforcement

Control: The information system enforces assigned authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy.

Supplemental Guidance: Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. A few, of many, generalized examples of possible restrictions that are better expressed as flow control than access control are: keeping export controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, and not passing any web requests to the Internet that are not from the internal web proxy. Information flow control policies and enforcement mechanisms are commonly employed by organizations to control the flow of information between designated sources and destinations (e.g., networks, individuals, devices) within information systems and between interconnected systems. Flow control is based on the characteristics of the information and/or the information path. Specific examples of flow control enforcement can be found in boundary protection devices (e.g., proxies, gateways, guards, encrypted tunnels, firewalls, and routers) that employ rule sets or establish configuration settings that restrict information system services or provide a packet filtering capability. Related security control: SC-7.

Control Enhancements:

(1) The information system implements information flow control enforcement using explicit labels on information, source, and destination objects as a basis for flow control decisions.

Enhancement Supplemental Guidance: Information flow control enforcement using explicit labels is used, for example, to control the release of certain types of information.

(2) The information system implements information flow control enforcement using protected processing domains (e.g., domain type-enforcement) as a basis for flow control decisions.

(3) The information system implements information flow control enforcement using dynamic security policy mechanisms as a basis for flow control decisions.

Baseline: LOW Not Selected MOD AC-4 HIGH AC-4

Family: Access Control

Class: Technical

ISO 17799 mapping: 10.6.2, 11.4.5, 11.4.6, 11.4.7

COBIT 4.1 mapping: DS5.10

PCI-DSS v2 mapping: 4.1