AC-04 Information Flow Enforcement

Access Control

Low Moderate High

Description

The information system enforces assigned authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy.

Supplemental Guidance

Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. A few, of many, generalized examples of possible restrictions that are better expressed as flow control than access control are: keeping export controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, and not passing any web requests to the Internet that are not from the internal web proxy. Information flow control policies and enforcement mechanisms are commonly employed by organizations to control the flow of information between designated sources and destinations (e.g., networks, individuals, devices) within information systems and between interconnected systems. Flow control is based on the characteristics of the information and/or the information path. Specific examples of flow control enforcement can be found in boundary protection devices (e.g., proxies, gateways, guards, encrypted tunnels, firewalls, and routers) that employ rule sets or establish configuration settings that restrict information system services or provide a packet filtering capability. Related security control: SC-07.

MITRE ATT&CK Techniques (158)

ATT&CK v16.1

Techniques mitigated by this control, mapped via CTID.

Reconnaissance 5 Initial Access 9 Execution 10 Persistence 20 Privilege Escalation 15 Defense Evasion 24 Credential Access 17 Discovery 4 Lateral Movement 10 Collection 18 Command & Control 37 Exfiltration 14 Impact 11

Show all 158 techniques grouped by tactic

Persistence

Privilege Escalation

T1068 Exploitation for Privilege Escalation T1098 Account Manipulation T1484 Domain or Tenant Policy Modification T1574 Hijack Execution Flow T1611 Escape to Host T1098.001 Additional Cloud Credentials T1098.007 Additional Local or Domain Groups T1134.005 SID-History Injection T1547.003 Time Providers T1574.004 Dylib Hijacking T1574.005 Executable Installer File Permissions Weakness T1574.007 Path Interception by PATH Environment Variable T1574.008 Path Interception by Search Order Hijacking T1574.009 Path Interception by Unquoted Path T1574.010 Services File Permissions Weakness

Defense Evasion

T1197 BITS Jobs T1205 Traffic Signaling T1211 Exploitation for Defense Evasion T1218 System Binary Proxy Execution T1484 Domain or Tenant Policy Modification T1574 Hijack Execution Flow T1599 Network Boundary Bridging T1601 Modify System Image T1622 Debugger Evasion T1070.008 Clear Mailbox Data T1134.005 SID-History Injection T1205.001 Port Knocking T1205.002 Socket Filters T1218.012 Verclsid T1564.008 Email Hiding Rules T1574.004 Dylib Hijacking T1574.005 Executable Installer File Permissions Weakness T1574.007 Path Interception by PATH Environment Variable T1574.008 Path Interception by Search Order Hijacking T1574.009 Path Interception by Unquoted Path T1574.010 Services File Permissions Weakness T1599.001 Network Address Translation Traversal T1601.001 Patch System Image T1601.002 Downgrade System Image

Credential Access

T1003 OS Credential Dumping T1187 Forced Authentication T1212 Exploitation for Credential Access T1528 Steal Application Access Token T1552 Unsecured Credentials T1557 Adversary-in-the-Middle T1003.001 LSASS Memory T1003.005 Cached Domain Credentials T1003.006 DCSync T1552.001 Credentials In Files T1552.005 Cloud Instance Metadata API T1552.007 Container API T1552.008 Chat Messages T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay T1557.002 ARP Cache Poisoning T1557.003 DHCP Spoofing T1557.004 Evil Twin

Discovery

T1046 Network Service Discovery T1482 Domain Trust Discovery T1622 Debugger Evasion T1654 Log Enumeration

Lateral Movement

T1072 Software Deployment Tools T1210 Exploitation of Remote Services T1563 Remote Service Session Hijacking T1570 Lateral Tool Transfer T1021.001 Remote Desktop Protocol T1021.002 SMB/Windows Admin Shares T1021.003 Distributed Component Object Model T1021.005 VNC T1021.006 Windows Remote Management T1563.002 RDP Hijacking

Collection

T1114 Email Collection T1213 Data from Information Repositories T1530 Data from Cloud Storage T1557 Adversary-in-the-Middle T1602 Data from Configuration Repository T1114.001 Local Email Collection T1114.002 Remote Email Collection T1114.003 Email Forwarding Rule T1213.001 Confluence T1213.002 Sharepoint T1213.004 Customer Relationship Management Software T1213.005 Messaging Applications T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay T1557.002 ARP Cache Poisoning T1557.003 DHCP Spoofing T1557.004 Evil Twin T1602.001 SNMP (MIB Dump) T1602.002 Network Device Configuration Dump

Command & Control

T1001 Data Obfuscation T1008 Fallback Channels T1071 Application Layer Protocol T1090 Proxy T1095 Non-Application Layer Protocol T1102 Web Service T1104 Multi-Stage Channels T1105 Ingress Tool Transfer T1132 Data Encoding T1205 Traffic Signaling T1219 Remote Access Software T1568 Dynamic Resolution T1571 Non-Standard Port T1572 Protocol Tunneling T1573 Encrypted Channel T1659 Content Injection T1001.001 Junk Data T1001.002 Steganography T1001.003 Protocol or Service Impersonation T1071.001 Web Protocols T1071.002 File Transfer Protocols T1071.003 Mail Protocols T1071.004 DNS T1071.005 Publish/Subscribe Protocols T1090.001 Internal Proxy T1090.002 External Proxy T1090.003 Multi-hop Proxy T1102.001 Dead Drop Resolver T1102.002 Bidirectional Communication T1102.003 One-Way Communication T1132.001 Standard Encoding T1132.002 Non-Standard Encoding T1205.001 Port Knocking T1205.002 Socket Filters T1568.002 Domain Generation Algorithms T1573.001 Symmetric Cryptography T1573.002 Asymmetric Cryptography

Exfiltration

T1029 Scheduled Transfer T1030 Data Transfer Size Limits T1041 Exfiltration Over C2 Channel T1048 Exfiltration Over Alternative Protocol T1537 Transfer Data to Cloud Account T1567 Exfiltration Over Web Service T1020.001 Traffic Duplication T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol T1567.001 Exfiltration to Code Repository T1567.002 Exfiltration to Cloud Storage T1567.003 Exfiltration to Text Storage Sites T1567.004 Exfiltration Over Webhook

Impact

T1489 Service Stop T1498 Network Denial of Service T1499 Endpoint Denial of Service T1565 Data Manipulation T1498.001 Direct Network Flood T1498.002 Reflection Amplification T1499.001 OS Exhaustion Flood T1499.002 Service Exhaustion Flood T1499.003 Application Exhaustion Flood T1499.004 Application or System Exploitation T1565.003 Runtime Data Manipulation

Compliance Mappings

ISO 27001:2022

A.5.14A.8.12A.8.20A.8.23A.8.3

ISO 27002:2022

5.148.128.208.238.3

COBIT 2019

APO14DSS05DSS06

CIS Controls v8

CIS 12CIS 13.10CIS 13.4CIS 3CIS 3.12CIS 3.13CIS 3.8CIS 9.3

NIST CSF 2.0

ID.AM-03PR.DS-10PR.IR-01

SOC 2 TSC

CC6.1CC6.1-POF6CC6.6CC6.6-POF1

PCI DSS v4.0.1

1.21.3

CSA CCM v4

DSP-05DSP-10IVS-03IVS-06UEM-11

CSA AICM v1

AIS-08DSP-05DSP-10DSP-22I&S-03I&S-06UEM-11

FINOS CCC

CCC-C05CCC-C09

ISO 42001:2023

A.9.4

IEC 62443

3-3 SR 2.13-3 SR 5.1

NIS2 Directive

Art. 21(2)(i)

PRA Operational Resilience

SS2/21-11.1

MAS TRM

BSI IT-Grundschutz

NET.1.1ORP.4

ANSSI

Hygiene.23Hygiene.27SecNumCloud.14.1

FINMA Circular 2023/1

IV.B.d(59)IV.C(62)IV.C(63)

OSFI B-13

B-13.3.2

EU GDPR

Art.32(1)(a)Art.44Art.46(1)Art.5(1)(f)

EU DORA

Art.9(4)(a)

BIO2

5.148.128.208.238.3

RBI CSF

Annex1.4Annex1.15ITGRCA.19

FISC Security Guidelines

FISC.T13FISC.T2FISC.T3FISC.T5FISC.T8

LGPD + BCB 4893

BCB.Art.13BCB.Art.14BCB.Art.3BCB.OpenFinanceBCB.PIXLGPD.Art.23-26LGPD.Art.33-36LGPD.Art.46

HKMA TM-E-1

TME1.10.1TME1.10.3

MLPS 2.0

8.1.2.18.1.3.28.28.5

DNB Good Practice

DNB.12.3DNB.18.4DNB.18.5

EU CRA

CRA.I.2j

SWIFT CSCF

SWIFT.1.1SWIFT.1.3SWIFT.1.4SWIFT.1.5SWIFT.2.4A

SAMA CSF

3.13.3

NCA ECC

2-142-52-7

UAE IA

T8T9

CBB TM

TM-6TM-8

Qatar NIA

ACCS

CBUAE

CR-4CR-5

CBE CSF

CTO-1CTO-2CTO-5CTO-6CTO-8

SA JS2

JS2-7.1JS2-8.2

CBN CSF

Part3.2Part3.4Part5.2

BoG CISD

CISD-VIIICISD-XICISD-XIII

POPIA

s19s72

BoM CTRM

3.103.2

IOSCO Cyber Resilience

PFMI-20PROT-2

BCBS 239

Principle 11

CPMI-IOSCO PFMI

CG.PRPFMI.P17PFMI.P22

FFIEC IS

II.C.13II.C.13(b)II.C.6II.C.9

NYDFS 500

500.18

HIPAA Security Rule

§164.308(a)(4)(i)§164.308(a)(4)(ii)(A)§164.314(b)(1)§164.314(b)(2)

ECB CROE

CROE.2.3.5

EBA ICT Guidelines

3.4.2

SEBI CSCRF

DATALOCEMAIL-SECPR.AAPR.DSPR.NS

BOT Cyber Resilience

Ch2.2Ch2.4

CMMC 2.0

NERC CIP

CIP-005-7

10 CFR 73.54

73.54(c)(1)73.54(c)(2)

TSA Pipeline SD

SD-2 Sec A

IEEE 1686-2022

5.6

FERC CIP Orders

Order 887Order 2222

DOE C2M2 v2.1

ARCHITECTURE

API 1164

Sec 5Sec 8

AWIA

AWWA Sec 4

IAEA NSS 17-T

Sec 5.1Sec 5.6

PCI PTS v6

FIPS 140-3

FIPS 140-3 §7.3

PCI HSM

Common Criteria

CC Part 2 — FDP

ISAE 3402

Clause 4

Solvency II

Art.49(3)DR.266-DataSecEIOPA-Cloud-GL9EIOPA-ICT-4.6

Lloyd's Minimum Standards

BP2.2MS13.2MS6.1MS8.9

NAIC Insurance Data Security

4B8

HITRUST CSF v11

01.b09.e

FDA Cybersecurity Guidance

SA-4TM-2

ISO 27799

13.113.29.5H.2H.4

NHS DSPT

NDG-9.2NDG-9.5

OWASP MASVS v2.1

MASVS-STORAGE-2MASVS-PLATFORM-1MASVS-PLATFORM-2MASVS-PLATFORM-3

CCSS v9.0

1.05.4

MiCA

Art.63(1)Art.68(1)Art.76(1)

Basel SCO60

SCO60.64

BSSC Standards

NOS-04TIS-04

SEC Custody (Digital Assets)

SEC-CD-04

ISO 17799 (legacy)

10.6.211.4.511.4.611.4.7

COBIT 4.1 (legacy)

DS5.10