SC.L1-B.1.XI
Public-access System Separation

FCI Data

Security Requirement

Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

USU Policy, Procedures, and Standards

University Policy 5200: Information Security and Appropriate Use

Policy refers to control of devices and accountability for protecting IT resources from unauthorized access.

University Policy 2402: Public Safety, Response, and Reporting

USU manages building access according to the building type and purpose and considers security in the maintenance of campus facilities.

NIST Cybersecurity Framework v2

  • Protect (PR): PR.PS-04 - Physical access devices are inventoried and managed.

Implementation Details

Documentation should include details to meet the Security Requirement for this control. Complete this list for each system or group of systems that processes or accesses FCI data:

  • List which public-facing systems (e.g., web servers) are logically or physically separated from internal FCI systems.
  • List how this separation is implemented (e.g., VLANs, DMZ, separate cloud tenancy).
  • List who is responsible for approving and reviewing separation of public and internal systems.
  • List any additional protections in place to reduce the risk of public systems exposing internal data.

Document How

  • publicly accessible system components are identified
  • subnetworks for publicly accessible system components are physically or logically separated from internal networks

Example

Public-facing systems such as the university's main website and event platforms are hosted in a network that is separated from internal academic and administrative networks. Firewall rules and routing controls prevent public systems from initiating connections to internal FCI systems. System logs and alerts are configured to detect and report any anomalous behavior at network boundaries.

USU Services that could be leveraged to meet control requirements include*:

USU Firewalls

What it does:
  • Provides advanced protection for network boundaries by filtering and monitoring inbound and outbound traffic.
  • Implements default deny rules to control access, ensuring only authorized communications are allowed.
How it helps a researcher:
  • Monitors and logs all network traffic, providing an audit trail for security reviews.
  • Blocks unwanted and unknown activity from accessing systems.
Example:
  • A research lab's web server is protected by USU Firewalls, allowing external access while preventing direct communication with internal research databases.

USU Network Segmentation (VLANs, DMZ)

What it does:
  • Divides the network into multiple segments, each acting as its own subnetwork.
  • Creates demilitarized zones (DMZs) to separate publicly accessible systems from internal networks.
How it helps a researcher:
  • Limits access to devices, data, and applications, reducing the risk of unauthorized access.
  • Protects internal systems from external threats by restricting communications between networks.
Example:
  • A data analysis server is placed in a DMZ and segmented using VLANs, allowing secure access from external collaborators while isolating it from internal databases.

USU Intrusion Prevention System (IPS)

What it does:
  • Monitors network traffic for potential threats or unexpected activity and automatically blocks them.
  • Uses signature-based and anomaly-based detection to identify malicious activity.
How it helps a researcher:
  • Provides real-time protection by detecting and preventing unauthorized access attempts.
  • Alerts administrators and highlights potential misconfigurations.
Example:
  • The IPS detects an unusual login attempt to a research server and blocks the connection, logging the incident and alerting the security team.

Azure-hosted Web Services

What it does:
  • Separates web services from campus systems, ensuring secure and isolated environments.
How it helps a researcher:
  • Allows researchers to host web applications in a secure, cloud-based environment, reducing the risk of unauthorized access to campus systems.
Example:
  • A research team hosts their web application on Azure, allowing secure access for external collaborators without compromising internal networks.

Campus CMS (Web Content Management)

What it does:
  • Provides a centralized platform for managing and publishing content to public-facing websites with role-based access control, publishing workflows, and audit trails.
How it helps a researcher:
  • Prevents accidental publication of FCI or restricted data by limiting publishing rights to authorized personnel.
Example:
  • A research group works with the campus web team to publish a project summary. Only designated staff with CMS rights can publish the content, ensuring compliance with privacy standards.

USU Network Monitoring Tools

What it does:
  • Collects and analyzes traffic across the university network to support visibility, troubleshooting, and security.
  • Feeds telemetry into the university's SIEM to detect anomalies and enforce segmentation.
How it helps a researcher:
  • Ensures systems storing or processing FCI are within clearly defined network boundaries and helps detect misconfigurations or threats.
Example:
  • Network flow data from a secure VLAN is monitored. When a scan is detected, security staff alert the research team, who confirm and adjust access controls accordingly.

*List of services may not be complete or applicable for a given configuration. The use of a given service does not necessarily satisfy control requirements or may require specific configuration to meet control requirements. Documentation should include how the service is implemented to meet the control requirements.

How might an auditor assess this control?

Method

  • Examine:
    • Review network diagrams, VLAN configurations, firewall rules, and public system inventories.
  • Interview:
    • Ask system and network admins how public systems are segmented and how that separation is maintained.
  • Test:
    • Verify routing and firewall configurations prevent public systems from reaching internal FCI networks. Simulate access attempts or lateral movement.

Objects (examples of items you could present to the auditor)

  • Network Architecture Diagrams: Highlighting VLANs and segmentation practices.
  • Firewall Configurations: Showing restricted access between public and internal systems.
  • System Inventory: Listing internal and public-facing components and their locations.
  • Routing Tables: Evidence of explicitly controlled and isolated paths.
  • Monitoring Reports: Logs showing alerting or event correlation related to boundary enforcement.
  • Access Approval Records: For any exceptions or shared access between zones.