This article brings together common customer questions and practical answers based on typical Secureframe workflows, compliance situations and unique tech stacks.
It is meant as quick reference material for day-to-day use of the product.
Network controls
Are WAFs necessary for internal (within our VPC) Elastic Load Balancers?
Not necessarily. A WAF is not required for a load balancer that is only reachable inside the VPC, but its security groups (and those of its targets) should still restrict traffic to the specific sources, ports and targets that need it.
Examples of firewalls for cloud infrastructure?
In AWS, security groups (stateful, attached to instances and load balancers) and network ACLs (stateless, at the subnet level) act as firewalls, and AWS Network Firewall is available as a managed VPC-level firewall. In GCP, VPC firewall rules serve the same role. Alternatively, a web application firewall such as Cloudflare can be placed in front of applications as an additional layer of protection.
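The two answers above both come down to whether the security groups actually restrict traffic to the intended sources. As an added example (not Secureframe's code or tooling), the Python below audits security group ingress rules against the intent that an internal load balancer accept traffic only from inside the VPC. The input is constructed to mimic the shape of `aws ec2 describe-security-groups` output; the group IDs, names and CIDRs are made up.

```python
"""Audit security group ingress rules for an internal load balancer.

Added example, not Secureframe's code. SAMPLE_GROUPS is constructed to mimic
the SecurityGroups array returned by `aws ec2 describe-security-groups`;
group IDs, names and CIDRs are made up.
"""
import ipaddress

SAMPLE_GROUPS = [
    {   # security group attached to the internal ELB
        "GroupId": "sg-0000000000000001",
        "GroupName": "internal-lb",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "10.0.0.0/16"}],      # VPC-internal: fine
             "Ipv6Ranges": [], "UserIdGroupPairs": []},
            {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],        # world-open: flagged
             "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
    },
    {   # security group attached to the ELB's targets
        "GroupId": "sg-0000000000000002",
        "GroupName": "app-targets",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
             "IpRanges": [], "Ipv6Ranges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0000000000000001"}]},  # from the LB only: fine
            {"IpProtocol": "-1",                            # every protocol/port from ::/0: flagged
             "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
        ],
    },
]


def _port_range(perm):
    """Human-readable port range; IpProtocol "-1" means every protocol and port."""
    if perm.get("IpProtocol") == "-1":
        return "all"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return str(lo) if lo == hi else f"{lo}-{hi}"


def audit_ingress(groups, vpc_cidr):
    """Return rules whose CIDR sources are world-open or lie outside vpc_cidr.

    Sources expressed as references to other security groups (UserIdGroupPairs)
    are the preferred way to scope an internal load balancer and are not flagged.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for src in sources:
                net = ipaddress.ip_network(src, strict=False)
                if net.prefixlen == 0:
                    reason = "open to the world"
                elif net.version != vpc.version or not net.subnet_of(vpc):
                    reason = f"source outside VPC {vpc_cidr}"
                else:
                    continue
                findings.append({
                    "group": group["GroupId"],
                    "ports": _port_range(perm),
                    "source": src,
                    "reason": reason,
                })
    return findings


if __name__ == "__main__":
    for f in audit_ingress(SAMPLE_GROUPS, "10.0.0.0/16"):
        print(f"{f['group']} allows {f['source']} on {f['ports']}: {f['reason']}")
```

Run against real output by loading the JSON from `aws ec2 describe-security-groups` and passing the `SecurityGroups` array together with your VPC CIDR; the two flagged rules in the sample are the world-open 8080 on the load balancer and the all-ports IPv6 rule on the targets.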
Is GuardDuty an acceptable alternative to enabling VPC flow logs?
If GuardDuty can demonstrate proper monitoring for network intrusions, it may suffice. CloudTrail logging with GuardDuty alerting is the configuration auditors see most often. Note that GuardDuty analyzes VPC flow log data as one of its own data sources, but enabling GuardDuty does not publish flow logs that you can retain, query or hand to an auditor; if you need the raw logs, enable VPC flow logs as well.
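The reason to keep your own flow logs is that you can query them directly. As an added example (not Secureframe's or AWS's code), the Python below parses default-format VPC Flow Log lines and flags a source address that was rejected on many distinct destination ports, the kind of port probe GuardDuty also reports. The log lines are constructed; the account ID, ENI ID and addresses are made up.

```python
"""Parse VPC Flow Log records and flag sources probing many rejected ports.

Added example, not Secureframe's code. SAMPLE_LOG is constructed in the
default 14-field VPC Flow Log format; the account ID, ENI ID and addresses
are made up.
"""
from collections import defaultdict

# Field order of the default flow log format (version 2).
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")

SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f60001 203.0.113.7 10.0.1.20 51234 22 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 203.0.113.7 10.0.1.20 51235 23 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 203.0.113.7 10.0.1.20 51236 445 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 203.0.113.7 10.0.1.20 51237 3389 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 203.0.113.7 10.0.1.20 51238 8080 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 10.0.2.5 10.0.1.20 40000 443 6 10 5200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60001 - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_log(text):
    """Parse default-format flow log lines into dicts, skipping NODATA/SKIPDATA."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed or custom-format line
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # no flow data in this record
        for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def detect_port_scans(records, min_ports=5):
    """Map each source address to the sorted distinct ports it was REJECTed on,
    keeping only sources that hit at least min_ports ports."""
    ports_by_src = defaultdict(set)
    for rec in records:
        if rec["action"] == "REJECT":
            ports_by_src[rec["srcaddr"]].add(rec["dstport"])
    return {src: sorted(ports) for src, ports in ports_by_src.items()
            if len(ports) >= min_ports}


if __name__ == "__main__":
    for src, ports in detect_port_scans(parse_flow_log(SAMPLE_LOG)).items():
        print(f"{src} probed {len(ports)} rejected ports: {ports}")
```

Point the parser at lines pulled from the CloudWatch Logs group or S3 bucket your flow logs are delivered to; the threshold is deliberately low for the sample and should be tuned to your own traffic.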
Is HTTPS necessary for ElasticSearch instances when they're entirely within our VPC?
HTTPS is still good practice. A private VPC does not by itself guarantee that application traffic is encrypted, so the intent of the control is that data in transit is encrypted; enabling HTTPS/TLS on the Elasticsearch endpoint is the usual way to meet it.
Is it necessary to have both anti-malware software and a web application firewall?
Yes — they serve different purposes and complement each other, so having both is often recommended.
1. Anti-malware software
Protects endpoints (servers, desktops, laptops) from malicious software such as viruses, ransomware, and spyware.
Scans files, memory, and processes for known and suspicious patterns.
Provides real-time protection and often includes features like email scanning and removable media checks.
2. Web Application Firewall (WAF)
Protects web applications from attacks like SQL injection, cross-site scripting (XSS), and request forgery.
Works at the HTTP/HTTPS layer to filter, monitor, and block malicious traffic before it reaches the app.
Often tailored to the application’s normal traffic patterns to block anomalies.
Why both are useful
Different threat surfaces: Anti-malware defends individual systems; WAF defends your public-facing applications.
Defense in depth: if an attacker gets past the WAF (for example by logging in with stolen credentials, which the WAF sees as legitimate traffic), anti-malware can still stop malicious payloads on the endpoint, and vice versa.
Compliance & best practice: Many frameworks (SOC 2, ISO 27001, PCI DSS) encourage or require layered protections.
If you only had one, you’d be leaving a major attack vector unprotected — so for most organizations, both are necessary.
Is there a feature to whitelist specific IPs to ensure that only users on a VPN can access the application?
At this time, we do not have a feature to limit access to the app to a specific VPN or IP allowlist.
Are shared data center services (co-location) considered multi-tenant service providers?
Service providers that provide only shared data center services (often called co-location or “co-lo” providers), where equipment, space, and bandwidth are available on a rental basis, are not considered multi-tenant service providers for purposes of PCI DSS Appendix A1 (the additional requirements for multi-tenant service providers).
What do IDs (also referred to as “accounts”) fundamentally establish?
The identity of an individual or process by assigning unique identification to each person or process to distinguish one user or process from another.
What do you recommend we use for IDS and/or IPS?
For AWS: GuardDuty; for GCP: Cloud IDS and Security Command Center.
What is a DMZ?
A DMZ (demilitarized zone) is a network segment that sits between an untrusted network, such as the Internet, and the services an organization needs to expose to the public, such as a web server, so that a compromise of those services does not give direct access to the internal network.
What is an example of an exceptional circumstance where shared IDs may be needed?
Where all other authentication methods have failed, and a shared ID is needed for emergency use or “break the glass” administrator access.
What is required for a network security diagram?
The diagram should include, but is not limited to: applications, servers, virtual machines, networks, firewalls, subnets, routers/switches, VPCs, databases, S3 buckets, load balancers, VPNs, end-user devices, user access points, third-party tools, and traffic flow.
What is the idea/purpose behind the NET-05 test "SQL server firewall rule alerting (Azure)" ?
The test is meant to trigger an alert whenever the firewall rules of an Azure SQL server are modified, so that admins review each change and confirm it was intentional. The same alerting should cover firewall rules on individual servers and on PostgreSQL servers.
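As an added example of the alerting logic this test looks for (not Secureframe's or Microsoft's code), the Python below filters Azure Activity Log events for firewall rule writes and deletes on Azure SQL and PostgreSQL servers and turns each one into a review item. The events are constructed to follow the Activity Log event shape; the subscription ID, resource groups, server and rule names are made up. In Azure Monitor itself the equivalent is an activity log alert whose condition is one of these operation names.

```python
"""Raise alerts from Azure Activity Log events that change SQL firewall rules.

Added example, not Secureframe's or Microsoft's code. SAMPLE_EVENTS is
constructed to follow the Activity Log event shape (operationName.value,
status.value, caller, resourceId, eventTimestamp); the subscription ID,
resource groups, server and rule names are made up.
"""
import re

# Match write/delete operations on firewallRules for Azure SQL servers
# (Microsoft.Sql) and PostgreSQL single/flexible servers
# (Microsoft.DBforPostgreSQL) by suffix, so one rule covers all of them.
FIREWALL_RULE_OP = re.compile(
    r"^Microsoft\.(Sql|DBforPostgreSQL)/[^/]+/firewallRules/(write|delete)$",
    re.IGNORECASE,
)

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers"

SAMPLE_EVENTS = [
    {"eventTimestamp": "2024-05-01T10:00:00Z", "caller": "alice@example.com",
     "operationName": {"value": "Microsoft.Sql/servers/firewallRules/write"},
     "status": {"value": "Succeeded"},
     "resourceId": f"{SUB}/Microsoft.Sql/servers/sql-prod/firewallRules/office"},
    {"eventTimestamp": "2024-05-01T10:05:00Z", "caller": "bob@example.com",
     "operationName": {"value": "Microsoft.DBforPostgreSQL/flexibleServers/firewallRules/write"},
     "status": {"value": "Succeeded"},
     "resourceId": f"{SUB}/Microsoft.DBforPostgreSQL/flexibleServers/pg-prod/firewallRules/AllowAllWindowsAzureIps"},
    {"eventTimestamp": "2024-05-01T10:06:00Z", "caller": "bob@example.com",
     "operationName": {"value": "Microsoft.Sql/servers/firewallRules/delete"},
     "status": {"value": "Succeeded"},
     "resourceId": f"{SUB}/Microsoft.Sql/servers/sql-prod/firewallRules/office"},
    {"eventTimestamp": "2024-05-01T10:07:00Z", "caller": "carol@example.com",
     "operationName": {"value": "Microsoft.Sql/servers/databases/write"},   # not a firewall change
     "status": {"value": "Succeeded"},
     "resourceId": f"{SUB}/Microsoft.Sql/servers/sql-prod/databases/orders"},
    {"eventTimestamp": "2024-05-01T10:08:00Z", "caller": "alice@example.com",
     "operationName": {"value": "Microsoft.Sql/servers/firewallRules/write"},
     "status": {"value": "Started"},                                         # earlier phase of a change
     "resourceId": f"{SUB}/Microsoft.Sql/servers/sql-prod/firewallRules/vpn"},
]


def firewall_rule_alerts(events):
    """Return one alert per completed firewall rule write or delete.

    Only status Succeeded is used: the Activity Log emits Started and Succeeded
    events for the same change, and alerting on both would double-count.
    """
    alerts = []
    for ev in events:
        op = ev.get("operationName", {}).get("value", "")
        match = FIREWALL_RULE_OP.match(op)
        if not match or ev.get("status", {}).get("value") != "Succeeded":
            continue
        rule = ev["resourceId"].rsplit("/", 1)[-1]
        # A deleted rule, or the well-known AllowAllWindowsAzureIps rule (0.0.0.0,
        # which admits any Azure-hosted client), deserves a closer look than an
        # ordinary office or VPN range.
        high = match.group(2).lower() == "delete" or rule.lower() == "allowallwindowsazureips"
        alerts.append({
            "time": ev["eventTimestamp"],
            "caller": ev["caller"],
            "operation": op,
            "rule": rule,
            "severity": "high" if high else "medium",
        })
    return alerts


if __name__ == "__main__":
    for a in firewall_rule_alerts(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['time']} {a['caller']} {a['operation']} rule={a['rule']}")
```

Feed it the JSON array from an Activity Log export or from `az monitor activity-log list`; the review queue for the sample is the office rule write, the AllowAllWindowsAzureIps write on the PostgreSQL server, and the office rule delete.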
What is the objective regarding actions performed by users with group, shared, or generic IDs?
All actions performed by users with group, shared, or generic IDs are attributable to an individual person.
What is the objective regarding lifecycle events for user IDs and authentication factors?
Lifecycle events for user IDs and authentication factors cannot occur without appropriate authorization.
What should be examined to verify that terminated user IDs have been deactivated or removed from the access lists?
Examine the information sources for terminated users and review current user access lists, for both local and remote access, to verify that those users' IDs have been deactivated or removed.
Physical security
Does physical security need to be in scope if we have a physical office?
Physical security only needs to be in scope if the office contains servers, hardware, or system components that process, store, or transmit customer data. If the office is a regular workspace without such components, physical security controls are not required.
How long are visitor logs retained?
Visitor logs are retained for at least three months, unless otherwise restricted by law.
If a company has all its data in the cloud and no on-premises servers, do they still need to enable physical security controls under NYDFS?
Not necessarily. Physical security controls are only required if your office contains servers, hardware, or system components that process, store, or transmit customer data. If the office is only used as a general workspace, with no local storage of customer data, the physical security tests may be out of scope.
Should physical security be in scope if we use a shared work space?
No. Physical security is in scope only if you control physical access to servers or system components that hold customer data; in a shared workspace where you do not, it stays out of scope.
We don’t have visitor badges, visitor escorts, visitor authentication, or visitor logs. We also don’t have employee badges. Access to the server room is controlled by two individuals who unlock the door when needed. Can we disable these physical controls?
It depends on whether the server room contains systems that process or store customer data.
Physical security requirements only apply if personnel have physical access to systems or components involved in storing, transmitting, or processing customer data.
Before deciding, confirm the following:
Do any systems in the server room process or store customer data?
Or is the room limited to networking gear (internet modem, switches, routing equipment) with no customer-data processing?
If no customer data is processed or stored there:
You may be able to mark related PHYS controls as out of scope.
You should document your current access procedure (e.g., “Access is restricted and managed manually by two authorized staff members”).
If customer data IS involved:
Physical security controls must remain enabled and some form of visitor/access management is required.
What information is maintained in visitor logs?
The visitor’s name and the organization represented, the date and time of the visit, and the name of the personnel who authorized physical access. The log is retained for at least three months, unless otherwise restricted by law.
When is physical security in scope?
Physical security is in scope if employees or contractors have physical access to servers or system components that process or store customer data. If the environment is virtual or cloud-based with no physical access, physical security is not required.
Why are all of the physical security tests automatically disabled?
Physical security tests are disabled by default since most of Secureframe’s customers are remote. If the organization has physical facilities, those tests should be enabled and evidence uploaded.
Additional customer questions
What is an NSC?
An NSC, or network security control, is a network policy enforcement point that typically controls network traffic between two or more logical or physical network segments (or subnets) based on pre-defined policies or rules.