INF-010 Web Filtering and Egress Controls
Description
Outbound web access from production systems and corporate devices is filtered to restrict access to malicious or unauthorised external destinations. Egress filtering policies are documented and reviewed at defined intervals.
Rationale
Egress controls break command-and-control channels for compromised systems and reduce the risk of data exfiltration via web-based routes.
Framework Mappings (3)
| Control ID | Control name | Coverage |
| --- | --- | --- |
| I&S-03 | Network Security | partial |
| 8.23 | Web filtering | full |
| SC-7 | Boundary Protection | partial |
Evidence (2)
Web filtering policy configuration showing categories of restricted destinations applied to outbound web traffic from production systems and corporate devices.
Example: Zscaler, Cisco Umbrella, Palo Alto DNS security, or equivalent web filtering policy export showing blocked categories, custom blocklist entries, and enforcement scope
Test: Export the web filtering policy configuration. Verify: (1) web filtering is enforced for outbound traffic from all in-scope devices and production systems; (2) malicious and prohibited destination categories are blocked; (3) the policy was reviewed within the defined interval; (4) test a request to a known malicious domain indicator from an in-scope device — confirm it is blocked.
Egress filtering policy document defining approved egress destinations, blocked categories, and the review cycle for egress rules.
Example: Web Filtering and Egress Control Policy (version-controlled, approved within last 12 months) with defined egress rules and a documented review schedule
Test: Request the egress filtering policy. Verify: (1) permitted and prohibited outbound destinations or categories are defined; (2) the policy explicitly addresses production system egress and corporate device egress; (3) a review schedule is documented and the last review was completed within the required interval.
Questions (2)
Is outbound web access from production systems and corporate devices filtered to restrict access to malicious or unauthorised external destinations?
Web filtering should block known malicious categories and command-and-control infrastructure. Egress filtering policies should be documented and applied to both production and corporate traffic.
Which technology is used to enforce web filtering and egress controls?
A cloud-delivered Secure Web Gateway or DNS-based filtering provides the broadest coverage for distributed and remote workforces. Network-layer egress rules are acceptable for production infrastructure.