SC.L1-B.1.X
Boundary Protection

FCI Data

Security Requirement

Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

USU Policy, Procedures, and Standards

University Policy 5200: Information Security and Appropriate Use

The policy addresses control of devices and accountability for protecting IT resources from unauthorized access.

University Policy 2402: Public Safety, Response, and Reporting

USU manages building access according to the building type and purpose and considers security in the maintenance of campus facilities.

NIST Cybersecurity Framework v2

  • Protect (PR): PR.PS-03 - Physical access logs are maintained and reviewed.

Implementation Details

Documentation should include enough detail to show how the Security Requirement for this control is met. Complete this list for each system or group of systems that processes or accesses FCI data:

  • List how external system communications are monitored and controlled (e.g., firewalls, network segmentation).
  • List how inbound and outbound network traffic is filtered or logged.
  • List which systems are in place to protect network perimeters and detect unauthorized connections.
  • List any additional measures for protecting internal boundaries between systems or networks.

Document How

  • the external system boundary is defined
  • key internal system boundaries are defined
  • communications are monitored at the external system boundary
  • communications are monitored at key internal boundaries

Example

All FCI systems reside in a segmented network protected by an enterprise firewall and intrusion prevention system (IPS). Default-deny rules are used at all network boundaries. Inbound and outbound connections are explicitly defined and logged. Internal VLAN segmentation limits lateral movement. USU's network monitoring and IPS tools continuously scan for anomalies. Firewall rule changes must be reviewed and approved by network security staff.

Enterprise Firewall and Intrusion Prevention System (IPS)

What it does:
  • Protects USU’s network by filtering traffic, enforcing segmentation, and detecting/preventing malicious activity.
How it helps a researcher:
  • Ensures that only authorized traffic reaches systems storing or processing FCI, reducing exposure to external threats.
Example:
  • Firewall rules block unauthorized access to research servers, while IPS detects and alerts on suspicious traffic patterns targeting FCI systems.

Institutional VPN Solution

What it does:
  • Provides encrypted remote access to USU’s internal network and restricts access to university-managed devices.
How it helps a researcher:
  • VPN access is limited to approved USU accounts and compliant devices, ensuring secure remote access to FCI systems.
Example:
  • A researcher connects via VPN using a USU-issued laptop. The system verifies endpoint protection and updates before granting access to the lab network.

Private IP Address Management

What it does:
  • Assigns private (RFC 1918) IP addresses to internal systems so they are not directly reachable from the public internet. Private addressing by itself is not a boundary control; it depends on the perimeter firewall and NAT to block unsolicited inbound traffic.
How it helps a researcher:
  • Reduces the risk of unauthorized access by ensuring systems are only accessible from within the private network or via VPN.
Example:
  • A research database is assigned a private IP and is only accessible to specific users through the institutional VPN.

USU Network Monitoring Tools

What it does:
  • Collects and analyzes network traffic to support visibility, troubleshooting, and security enforcement.
How it helps a researcher:
  • Ensures FCI systems are within defined network boundaries and helps detect misconfigurations or threats.
Example:
  • Network flow data from a secure VLAN is monitored. When a scan is detected, security staff alert the research team, who confirm and adjust access controls accordingly.
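The example documentation text and the network monitoring entry above both describe the same two checks: every flow that crosses the FCI boundary must match an explicitly defined connection (default deny), and flow data is watched for scan-like behavior. The script below is an added example, not USU's tooling; the VLAN ranges, addresses, allow rules and flow records are hypothetical and constructed for illustration. It evaluates NetFlow-style records against an explicit allow-list, reports boundary violations in both directions, and flags a source that touches many distinct ports on FCI hosts.

```python
"""Added example (not USU's code): check NetFlow-style records from a segmented
FCI VLAN against an explicit allow-list (default deny) and flag scan-like sources.
Addresses, VLAN ranges and rules are hypothetical; the sample flows are constructed."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

IPNet = ipaddress.IPv4Network
FCI_VLAN = ipaddress.ip_network("10.50.10.0/24")  # hypothetical segmented FCI network


@dataclass(frozen=True)
class Rule:
    src: IPNet
    dst: IPNet
    proto: str
    dport: int


@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int
    nbytes: int


# Explicitly defined connections across the FCI boundary; anything else is denied.
ALLOW_RULES = [
    Rule(ipaddress.ip_network("10.20.0.0/16"), FCI_VLAN, "tcp", 443),  # VPN pool -> web app
    Rule(ipaddress.ip_network("10.20.0.0/16"), FCI_VLAN, "tcp", 22),   # VPN pool -> SSH
    Rule(FCI_VLAN, ipaddress.ip_network("10.1.1.53/32"), "udp", 53),   # FCI -> campus DNS
]

SCAN_PORT_THRESHOLD = 10  # distinct destination ports from one source toward the FCI VLAN


def parse_flows(text: str) -> list[Flow]:
    """Parse 'ts src dst proto dport bytes' lines; lines starting with '#' are comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, dport, nbytes = line.split()
        flows.append(Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                          proto.lower(), int(dport), int(nbytes)))
    return flows


def crosses_fci_boundary(f: Flow) -> bool:
    """True when exactly one endpoint is inside the FCI VLAN (ingress or egress)."""
    return (f.src in FCI_VLAN) != (f.dst in FCI_VLAN)


def is_allowed(f: Flow) -> bool:
    """A flow is permitted only if some explicit rule matches it."""
    return any(f.src in r.src and f.dst in r.dst and f.proto == r.proto and f.dport == r.dport
               for r in ALLOW_RULES)


def boundary_violations(flows: list[Flow]) -> list[Flow]:
    """Flows crossing the FCI boundary that no explicit rule permits (default deny)."""
    return [f for f in flows if crosses_fci_boundary(f) and not is_allowed(f)]


def scan_sources(flows: list[Flow], threshold: int = SCAN_PORT_THRESHOLD) -> dict[str, int]:
    """External sources that touched >= threshold distinct ports on FCI hosts."""
    ports = defaultdict(set)
    for f in flows:
        if f.dst in FCI_VLAN and f.src not in FCI_VLAN:
            ports[str(f.src)].add(f.dport)
    return {src: len(p) for src, p in ports.items() if len(p) >= threshold}


def audit(text: str) -> dict:
    """Summarize a flow export: total flows, default-deny violations, scan-like sources."""
    flows = parse_flows(text)
    viol = boundary_violations(flows)
    return {"flows": len(flows), "violations": len(viol),
            "violation_sources": sorted({str(f.src) for f in viol}),
            "scan_sources": scan_sources(flows)}


# Constructed sample export (hypothetical addresses; not real USU data).
SCAN_PORTS = [21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3306, 3389, 8080]
SAMPLE_FLOWS = """\
# ts src dst proto dport bytes
2024-05-01T10:00:01 10.20.4.17 10.50.10.5 tcp 443 1200
2024-05-01T10:00:02 10.20.4.17 10.50.10.5 tcp 22 800
2024-05-01T10:00:03 10.50.10.5 10.1.1.53 udp 53 120
2024-05-01T10:00:03 10.50.10.5 10.50.10.6 tcp 445 4000
2024-05-01T10:00:04 192.0.2.44 10.50.10.5 tcp 3389 60
2024-05-01T10:00:04 10.50.10.5 198.51.100.9 tcp 443 900
""" + "".join(f"2024-05-01T10:00:05 10.30.7.9 10.50.10.5 tcp {p} 60\n" for p in SCAN_PORTS)

if __name__ == "__main__":
    for k, v in audit(SAMPLE_FLOWS).items():
        print(f"{k}: {v}")
```

Two points the output makes that the prose does not: the intra-VLAN flow (10.50.10.5 to 10.50.10.6) is not a boundary violation, because host-to-host traffic inside the segment is governed by host or VLAN-internal rules rather than the boundary allow-list, while the outbound HTTPS flow to 198.51.100.9 is a violation even though it looks benign, because default deny applies to egress as well as ingress.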

Endpoint Detection and Response (EDR) Platform

What it does:
  • Provides threat detection and response capabilities for endpoints, such as the laptops and workstations used to reach FCI systems.
How it helps a researcher:
  • Protects devices accessing research data from malware and other threats by automatically scanning and mitigating risks.
Example:
  • A researcher’s laptop is protected by EDR, which automatically scans for and mitigates threats, ensuring the research systems are secure.

The USU services listed above could be leveraged to meet control requirements*.

*List of services may not be complete or applicable for a given configuration. The use of a given service does not necessarily satisfy control requirements or may require specific configuration to meet control requirements. Documentation should include how the service is implemented to meet the control requirements.

How might an auditor assess this control?

Method

  • Examine:
    • Review network architecture diagrams, firewall configurations, and logs of boundary activity.
  • Interview:
    • Ask network security staff how external traffic is monitored and filtered.
  • Test:
    • Attempt to access internal systems from an unauthorized external network, or review the logging and alerting produced by simulated unauthorized attempts.

Objects (examples of items you could present to the auditor)

  • Firewall Rule Documentation: Showing traffic filtering and default deny configurations.
  • Network Diagrams: Highlighting boundary controls and internal segmentation.
  • IPS Reports: Output from intrusion prevention systems showing blocked traffic.
  • Traffic Logs: Firewall or network logs demonstrating monitoring at boundaries.
  • Change Approval Records: Documentation of firewall or rule changes and approvals.
  • Alerting Configuration: Screenshots or rules showing boundary anomaly detection.