DATA-01

Will the institution's data be stored on any devices (database servers, file servers, SAN, NAS, etc.) configured with non-RFC 1918/4193 (i.e., publicly routable) IP addresses?

Explanation

This question is asking whether the institution's data will be stored on devices that have public IP addresses (non-RFC 1918/4193) rather than private IP addresses. RFC 1918 (IPv4) and RFC 4193 (IPv6) define private address ranges that are not routable on the public internet:

- 10.0.0.0/8 (10.0.0.0 - 10.255.255.255)
- 172.16.0.0/12 (172.16.0.0 - 172.31.255.255)
- 192.168.0.0/16 (192.168.0.0 - 192.168.255.255)
- fc00::/7 (IPv6 unique local addresses)

Any IP address outside these ranges is considered publicly routable, meaning it can be reached directly from the internet unless a firewall blocks it.

This question is asked in security assessments because storing data on systems with public IP addresses increases the attack surface. Devices with public IPs are directly exposed to the internet, and therefore to attackers, whereas devices with private IPs are not directly reachable from the internet: they are only exposed through deliberate configuration such as network address translation (NAT) or port forwarding.

The best way to answer this question is to:

1. Check with your network team to understand the IP addressing scheme for your storage infrastructure
2. Verify whether any storage systems holding the institution's data use public IP addresses
3. If public IPs are used, explain what compensating security controls are in place (firewalls, access controls, etc.)
4. If only private IPs are used, simply state that
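A check for the inventory step above, written as an added example (not the questionnaire's or ResponseHub's code): it classifies each storage host's addresses against exactly the RFC 1918/4193 ranges listed, keeps other special-use blocks such as CGNAT and link-local space separate so they are not mis-reported as public, and derives the Yes/No answer. The hostnames, addresses and the OTHER_NON_ROUTABLE set are constructed assumptions.

```python
import ipaddress
from typing import Dict, List, Tuple

# Exactly the ranges DATA-01 refers to (RFC 1918 for IPv4, RFC 4193 for IPv6).
RFC1918_4193 = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Outside RFC 1918/4193 but still not publicly routable; reported as a note,
# not as a "Yes". Assumed set of well-known special-use blocks.
OTHER_NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "100.64.0.0/10",   # CGNAT shared address space (RFC 6598)
    "169.254.0.0/16",  # IPv4 link-local
    "127.0.0.0/8",     # IPv4 loopback
    "fe80::/10",       # IPv6 link-local
    "::1/128",         # IPv6 loopback
)]


def classify(addr: str) -> str:
    """Return 'private' (RFC 1918/4193), 'special' (other non-routable) or 'public'."""
    ip = ipaddress.ip_address(addr)
    # Judge an IPv4-mapped IPv6 address (::ffff:a.b.c.d) by its IPv4 part, so
    # 10.0.0.1 written as ::ffff:10.0.0.1 is not mis-reported as public.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if any(ip in net for net in RFC1918_4193):
        return "private"
    if any(ip in net for net in OTHER_NON_ROUTABLE):
        return "special"
    return "public"


def audit(inventory: Dict[str, List[str]]) -> Tuple[str, List[str], List[str]]:
    """Derive the DATA-01 answer ('Yes' if any storage host has a publicly
    routable address) plus the public-addressed and special-use hosts."""
    public = sorted(h for h, a in inventory.items() if any(classify(x) == "public" for x in a))
    special = sorted(h for h, a in inventory.items() if any(classify(x) == "special" for x in a))
    return ("Yes" if public else "No"), public, special


# Constructed sample inventory (host -> interface addresses); 203.0.113.25 is a
# documentation range standing in for a real public address.
STORAGE_INVENTORY = {
    "db-primary": ["10.45.3.10"],
    "nas-01": ["172.20.8.5", "fd12:3456::5"],
    "cloud-db-01": ["203.0.113.25", "10.45.7.2"],
    "backup-proxy": ["100.64.1.9"],
}

if __name__ == "__main__":
    answer, public, special = audit(STORAGE_INVENTORY)
    print(f"DATA-01 answer: {answer}; public: {public}; special-use: {special}")
```

Feed it the real interface addresses of every system that holds the institution's data; a host on CGNAT or link-local space is still worth explaining in the response even though it does not make the answer "Yes".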

Example Responses

Example Response 1

No, all of our storage systems that will contain the institution's data use RFC 1918 private IP addressing. Our database servers use addresses in the 10.45.0.0/16 range, and our file storage systems (NAS/SAN) use addresses in the 172.20.0.0/16 range. These systems are not directly accessible from the internet and must be accessed through our secure application layer, which implements proper authentication and authorization controls.

Example Response 2

Yes, some of our storage infrastructure does use public IP addresses, specifically our cloud-based database clusters. However, these systems are protected by multiple security controls including: 1) IP-based access control lists that only allow connections from authorized sources, 2) a web application firewall, 3) encryption of data both in transit and at rest, 4) multi-factor authentication for administrative access, and 5) continuous security monitoring. No direct public access to these databases is permitted - all data access is mediated through our application layer, which enforces proper authentication and authorization.

Example Response 3

No, we do not use public IP addresses for any storage systems containing institutional data. Our architecture follows a defense-in-depth approach where all data storage systems are placed in private subnets (192.168.0.0/16 range) within our VPC. These systems can only be accessed through application servers in a DMZ that implement proper authentication, authorization, and encryption. While our web application servers do have public IP addresses to serve content to users, the database and file servers are completely isolated from direct internet access.

Context

Tab: Product
Category: Data

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub