Name/Id: ACF1029 / Microsoft Managed Control 1029 Category: Access Control Title: Information Flow Enforcement | Security Policy Filters Ownership: Customer, Microsoft Description: The information system enforces information flow control using security policy filters inherent in boundary protection devices such as gateways, routers, encrypted tunnels, and link encrypters as a basis for flow control decisions for information containing PII or customer-defined sensitive information types. Requirements: Azure enforces information flow control using VLAN isolation, software load balancers, Virtual Filtering Platform (VFP), and ACLs. As Azure only has one security domain, there is no need to enforce information flow control using security policy filters such as clean/dirty word lists that a system with multiple security domains (e.g. unclassified, secret, and top secret) require.
The following 2 compliance controls are associated with this Policy definition 'Microsoft Managed Control 1029 - Information Flow Enforcement | Security Policy Filters' (53ac8f8e-c2b5-4d44-8a2d-058e9ced9b69)
Human resources security, access control policies and asset management
n/a
The cybersecurity risk-management measures should therefore also address the physical and environmental security of network and information systems by including measures to protect such systems from system failures, human error, malicious acts or natural phenomena, in line with European and international standards, such as those included in the ISO/IEC 27000 series. In that regard, essential and important entities should, as part of their cybersecurity risk-management measures, also address human resources security and have in place appropriate access control policies. Those measures should be consistent with Directive (EU) 2022/2557.
Policies and procedures regarding the use of cryptography and, where appropriate, encryption
n/a
In order to safeguard the security of public electronic communications networks and publicly available electronic communications services, the use of encryption technologies, in particular end-to-end encryption as well as data-centric security concepts, such as cartography, segmentation, tagging, access policy and access management, and automated access decisions, should be promoted. Where necessary, the use of encryption, in particular end-to-end encryption should be mandatory for providers of public electronic communications networks or of publicly available electronic communications services in accordance with the principles of security and privacy by default and by design for the purposes of this Directive. The use of end-to-end encryption should be reconciled with the Member States’ powers to ensure the protection of their essential security interests and public security, and to allow for the prevention, investigation, detection and prosecution of criminal offences in accordance with Union law. However, this should not weaken end-to-end encryption, which is a critical technology for the effective protection of data and privacy and the security of communications.