Control all methods of remote access and teleworking.


CONTROL ID
00559
CONTROL TYPE
Technical Security
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Technical security, CC ID: 00508

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain a remote access and teleworking program., CC ID: 04545
  • Scan the system to verify modems are disabled or removed, except the modems that are explicitly approved., CC ID: 00560
  • Control remote access through a network access control., CC ID: 01421
  • Implement multifactor authentication techniques., CC ID: 00561
  • Protect remote access accounts with encryption., CC ID: 00562
  • Monitor and evaluate all remote access usage., CC ID: 00563


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • O50.7: To protect against computer viruses, unauthorized access, data leakage, and other incidents, the organization should ensure that internal network access and remote access are in accordance with the specified procedures. T43.4(2): The organization should set up access servers for remote access… (O50.7, T43.4(2), FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • Instituting strong controls over remote access by privileged users (Critical components of information security 5) (xiii) b), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Hence, access to information assets needs to be authorised by a bank only where a valid business need exists and only for the specific time period that the access is required. The various factors that need to be considered when authorising access to users and information assets, inter-alia, include … (Critical components of information security 5) (ii), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Disallowing remote access by policy and practice unless a compelling business need exists and requiring management approval for remote access (Critical components of information security 25) iii.a., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Using VLANs, network segments, directories, and other techniques to restrict remote access to authorized network areas and applications within the institution (Critical components of information security 25) iii.g., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Remote access to a bank's provides an attacker with the opportunity to manipulate and subvert the bank's systems from outside the physical security perimeter. The management should establish policies restricting remote access and be aware of all remote-access devices attached to their systems. These… (Critical components of information security 25) ii., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Banks may sometimes provide employees, vendors, and others with access to the institution's network and computing resources through external connections. Those connections are typically established through modems, the internet, or private communications lines. The access may be necessary to remotely… (Critical components of information security 25) i., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Appropriately configuring and securing remote access devices (Critical components of information security 25) iii.c., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Strictly control remote administrator access to the database. (Annex A2: Database Security 27, Singapore(PDPC) Guide to Securing Personal Data in Electronic Medium, Revised 20 January 2017)
  • If using a CDN, disclosing the IP address of the web server under the organisation's control (referred to as the origin server) is avoided and access to the origin server is restricted to the CDN and an authorised management network. (Security Control: 1439; Revision: 1, Australian Government Information Security Manual)
  • If using remote access without the use of a passphrase, the 'forced command' option is used to specify what command is executed and parameter checked is enabled. (Security Control: 0488; Revision: 3, Australian Government Information Security Manual)
  • The organization should use the 'forced command' option for specifying what command to execute, if it uses remote access absent a passphrase. (Control: 0488, Australian Government Information Security Manual: Controls)
  • Factors to consider when authorising access to information assets include: business role, physical location, remote access, time and duration of access, patch and anti-malware status, software, operating system, device and method of connectivity. (Attachment C 2., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • Privileged access rights: financial institutions should implement strong controls over privileged system access by strictly limiting and closely supervising accounts with elevated system access entitlements (e.g. administrator accounts). In order to ensure secure communication and reduce risk, remot… (3.4.2 31(c), Final Report EBA Guidelines on ICT and security risk management)
  • Monitoring of unusual instances of remote users, logs to be regularly reviewed, and the utilization of two-factor identification are all called for. Each user should only be allowed one remote access computer. (§ II, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • How do users access the organization's network and systems when working from home or when traveling? (Table Row IV.12, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Compared to what a user can do when physically working in the office, is remote access restricted? (Table Row IV.13, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • If possible, wireless remote access should be disallowed for accessing highly sensitive information. (§ 2.2 (2.2.170), The Center for Internet Security Wireless Networking Benchmark, 1)
  • Remote access should be securely implemented if the application can be accessed remotely. Remote security features include changing the default settings, only allowing connections from known addresses, using strong authentication procedures with complex passwords, encrypting data transmissions, lock… (§ 11.3, Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1)
  • There should be documented standards / procedures covering staff who work in remote environments, including public areas (e.g., hotels, trains, airports, and Internet cafes) or work from home, which covers implementation and maintenance of computing devices located in remote environments. (CF.14.01.01d, The Standard of Good Practice for Information Security)
  • Web proxy servers (sometimes referred to as Internet gateways or web gateways) should be deployed and configured to restrict portable device access to only authorized websites. (CF.14.03.08b, The Standard of Good Practice for Information Security)
  • Web proxy servers (sometimes referred to as Internet gateways or web gateways) should be deployed and configured to inspect web traffic from portable devices (e.g., to identify malware and web browser attacks). (CF.14.03.08c, The Standard of Good Practice for Information Security)
  • Web proxy servers (sometimes referred to as Internet gateways or web gateways) should be deployed and configured to restrict portable device access to only authorized websites. (CF.14.03.08b, The Standard of Good Practice for Information Security, 2013)
  • Web proxy servers (sometimes referred to as Internet gateways or web gateways) should be deployed and configured to inspect web traffic from portable devices (e.g., to identify malware and web browser attacks). (CF.14.03.08c, The Standard of Good Practice for Information Security, 2013)
  • Technical controls should be implemented to help protect business information held on consumer devices (throughout the complete lifecycle of each device), which include managing which consumer devices can access business applications (e.g., by restricting access using a virtual private network, fire… (CF.14.05.09a, The Standard of Good Practice for Information Security, 2013)
  • Procedures should be developed to record every outside person given access to information and systems. These records should include details on which type of access was granted. (Action 1.1.7, SANS Computer Security Incident Handling, Version 2.3.1)
  • Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures to protect information accessed, processed or stored at remote sites and locations. Review and update the policies and procedures at least annually. (HRS-04, Cloud Controls Matrix, v4.0)
  • Manage access control for assets remotely connecting to enterprise resources. Determine amount of access to enterprise resources based on: up-to-date anti-malware software installed, configuration compliance with the enterprise's secure configuration process, and ensuring the operating system and ap… (CIS Control 13: Safeguard 13.5 Manage Access Control for Remote Assets, CIS Controls, V8)
  • ¶ 13.3.2 Remote Log-in. Remote log-ins, whether from authorized personnel working away from the organization, from remote maintenance engineers, or personnel from other organizations, are accomplished either via dial-ups to the organization, Internet connections, dedicated trunks from other organiz… (¶ 13.3.2, ¶ 13.3.3, ¶ 13.3.4, ¶ 13.3.5, ¶ 13.12, ISO 13335-5 Information technology - Guidelines for the management of IT Security - Part 5: Management guidance on network security, 2001)
  • Procedures and policies should be implemented to control remote access, when remote access is allowed to the recovery computer systems. (§ 7.5.7, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • A policy and supporting security measures shall be implemented to protect information accessed, processed or stored at teleworking sites. (A.6.2.2 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • A policy and supporting security measures should be implemented to protect information accessed, processed or stored at teleworking sites. (§ 6.2.2 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • Security measures should be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organization's premises. (§ 6.7 Control, ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition)
  • Remote access is managed. (PR.AC-3, CRI Profile, v1.2)
  • Remote access is actively managed and restricted to necessary systems. (PR.AC-3.1, CRI Profile, v1.2)
  • Remote access is actively managed and restricted to necessary systems. (PR.AC-3.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Authorizes remote access to the information system prior to allowing such connections. (AC-17b., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • The information system monitors and controls remote access methods. (AC-17(1) ¶ 1, StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Authorizes remote access to the information system prior to allowing such connections. (AC-17b., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • The organization provides the capability to expeditiously disconnect or disable remote access to the information system within [Assignment: organization-defined time period]. (AC-17(9) ¶ 1, StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • The information system monitors and controls remote access methods. (AC-17(1) ¶ 1, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Authorizes remote access to the information system prior to allowing such connections. (AC-17b., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Authorizes the execution of privileged commands and access to security-relevant information via remote access only for [Assignment: organization-defined needs]; and (AC-17(4)(a), StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The organization provides the capability to expeditiously disconnect or disable remote access to the information system within [Assignment: organization-defined time period]. (AC-17(9) ¶ 1, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Authorizes remote access to the information system prior to allowing such connections. (AC-17b., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The information system monitors and controls remote access methods. (AC-17(1) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Authorizes the execution of privileged commands and access to security-relevant information via remote access only for [Assignment: organization-defined needs]; and (AC-17(4)(a), StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The organization provides the capability to expeditiously disconnect or disable remote access to the information system within [Assignment: organization-defined time period]. (AC-17(9) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The organization should require enhanced security controls for remote access to the system. (Table Ref 8.2.2, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The organization must implement and monitor the status of remote access controls. (§ 15.f, Corporate Information Security Working Group: Report of the best practices and metrics teams; subcommittee on technology, information policy, intergovernmental relations and the census; Government Reform Committee, United States House of Representatives)
  • Have one or more methods for determining active vendor remote access sessions (including Interactive Remote Access and system-to-system remote access). (CIP-005-6 Table R2 Part 2.4 Requirements, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Electronic Security Perimeter(s) CIP-005-6, Version 6)
  • Electronic Security Perimeters (CIP-005) including Interactive Remote Access; (B. R1. 1.1 1.1.2., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Security Management Controls CIP-003-8, Version 8)
  • On UNIX computers or Linux computers that transmit scoped data, are remote access tools that do not require authentication (e.g., rhost, shost, etc.) allowed? (§ G.16.4, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On UNIX computers or Linux computers that process scoped data, are remote access tools that do not require authentication (e.g., rhost, shost, etc.) allowed? (§ G.16.4, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On UNIX computers or Linux computers that store scoped data, are remote access tools that do not require authentication (e.g., rhost, shost, etc.) allowed? (§ G.16.4, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Is remote access permitted? (§ H.5, Shared Assessments Standardized Information Gathering Questionnaire - H. Access Control, 7.0)
  • When remote access is permitted, is split tunneling or bridged Internet connections allowed by policy and/or technical control? (§ H.5.2, Shared Assessments Standardized Information Gathering Questionnaire - H. Access Control, 7.0)
  • Are staff technically prevented from accessing the cloud computing environment for remote admin access (shell or ui) via non-managed private devices? (§ V.1.47.3, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Are staff technically prevented from accessing the cloud computing environment for remote non-admin access (shell or ui) via non-managed private devices? (§ V.1.47.4, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • The mode of operation and the information that can be accessed should be consistent between the remote terminal and the remote terminal devices. (§ 2-24.a, Army Regulation 380-19: Information Systems Security, February 27, 1998)
  • CSR 1.13.7: The organization must restrict connections to the CMS claims process network to approved portable computing and portable network devices. The organization must use a FIPS-approved method of cryptography and/or removable hard drives to protect information that is residing on mobile and po… (CSR 1.13.7, CSR 2.2.28, CSR 2.8.5, CSR 3.6.3, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • The designated approving authority must ensure the remote access to Secret Internet Protocol Router Network and Non-Classified Internet Protocol Routing Network resources complies with Department of Defense and National Security Agency policies and guidelines. (§ 3.4.1.2 ¶ AC44.020, DISA Access Control STIG, Version 2, Release 3)
  • Classified processing must not take place at remote user sites, unless explicitly approved by the appropriate authority. The alternate work site must comply with all applicable DoD policies for protecting, storing, distributing, etc., data, equipment, etc. Only government-owned or -leased equipment … (§ 3, § 6.3, App B, DISA Secure Remote Computing Security Technical Implementation Guide, Version 1 Release 2)
  • § 2.1 Remote access security policy, like other information assurance policy, depends on the sensitivity, mission criticality, and risk presented by the type of connectivity and the purpose of the remote access. Remote access can be divided into three types of access based on the purpose of the acc… (§ 2.1, § 2.2, § 2.4, § 3.2, DISA Secure Remote Computing Security Technical Implementation Guide, Version 2, Release 1)
  • If the system services on a computer are accessed remotely, user IDs and passwords should be encrypted. Inside the network, if the user account has Administrator privileges, the user account data should be encrypted. (§ 3.14, DISA Windows Server 2003 Security Checklist, Version 6 Release 1.11)
  • If the computer has services that are accessed remotely, userIDs and passwords should be sent over the network in encrypted form. Users should not be allowed to connect to a computer using Terminal Services or Remote Desktop. The "Allow users to connect remotely using Terminal Services" value should… (§ 3.1 (3.061), § 3.7.1.10 (5.117), DISA Windows VISTA Security Checklist, Version 6 Release 1.11)
  • If a computer has services that are accessed remotely, then unencrypted remote access by user accounts from inside the enclave should not have Administrator privileges. If the user is located outside the enclave, the userID and password should be encrypted. (§ 3.13, DISA Windows XP Security Checklist, Version 6 Release 1.11)
  • Wireless devices that are used to connect to the DoD network through a public wireless Internet gateway should meet the following requirements: they should be configured according to the Secure Remote Computing STIG; they should be configured with a personal firewall, VPN client, and up-to-date, ant… (§ 3.2 (WIR0280), § 4.2 (WIR0280), § 5 (WIR0280), DISA WIRELESS SECURITY CHECKLIST, Version 5, Release 2.2)
  • The Information Assurance Officer/Network Security Officer, to comply with Secure Remote Computing STIG, DODI 8551.1, Service Specific Firewall Policy and appropriate network and OS STIGS, for medical device management, maintenance or support, will provision all remote/external or vendor connecti… (§ 5.3 (MED0560: CAT II), Medical Devices Security Technical Implementation Guide, Version 1, Release 1)
  • Enforce safeguarding measures for CUI at alternate work sites. (PE.3.136, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Enforce safeguarding measures for CUI at alternate work sites. (PE.3.136, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Enforce safeguarding measures for CUI at alternate work sites. (PE.3.136, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Enforce safeguarding measures for CUI at alternate work sites. (PE.L2-3.10.6 Alternative Work Sites, Cybersecurity Maturity Model Certification, Version 2.0, Level 2)
  • Remote sessions must use security measures, such as a Virtual Private Network with blocking mode enabled. (EBRP-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Remote access to the system must use a strong authentication method. (§ 8-607.c, § 8-607.e, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • The agency shall authorize, monitor, and control all remote access methods. (§ 5.5.6 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The agency shall use automated mechanisms for monitoring and controlling the remote access methods. (§ 5.5.6 ¶ 2, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The agency shall authorize, monitor, and control all methods of remote access to the information system. Remote access is any temporary access to an agency's information system by a user (or an information system) communicating temporarily through an external, non-agency-controlled network (e.g., th… (§ 5.5.6 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • The agency shall employ automated mechanisms to facilitate the monitoring and control of remote access methods. The agency shall control all remote accesses through managed access control points. The agency may permit remote access for privileged functions only for compelling operational needs but s… (§ 5.5.6 ¶ 2, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Designs for remote access capabilities, including: (App A Objective 9:1a, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Considers appropriate methods (e.g., tunneling, web portals, direct application access, and remote desktop access). (App A Objective 9:1a Bullet 2, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Considers protection of communications and security needs (e.g., encryption, authentication, access restrictions, application security, and activity monitoring). (App A Objective 9:1a Bullet 3, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Evaluate whether management considers the implications of remote access in AIO and does the following: (App A Objective 9:1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Remote access policy that includes tiered levels of remote access and risk-based security controls. (App A Objective 9:1c Bullet 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • This examination procedure may be performed in coordination with related examination procedures in the "Business Continuity Management" booklet. Determine whether management developed, documented, and implemented environmental control policies, standards, and procedures to safeguard facilities, tech… (App A Objective 13:8, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Management has appropriate AIO processes for managing remote access. (III.G, "Remote Access") (App A Objective 9, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine whether management effectively controls employees' use of remote devices. Review whether management does the following: (App A Objective 6.24, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Implements controls over remote devices provided by the institution (e.g., securely configures remote access devices, protects devices against malware, patches and updates software, encrypts sensitive data, implements secure containers, audits device access, uses remote disable and wipe capabilities… (App A Objective 6.24.b, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Provides remote access in a safe and sound manner. (App A Objective 6.23.a, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Implements the controls necessary to offer remote access securely (e.g., disables unnecessary remote access, obtains approvals for and performs audits of remote access, maintains robust configurations, enables logging and monitoring, secures devices, restricts remote access during specific times, co… (App A Objective 6.23.b, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Adequate approvals are required before deployment of remote, Internet, or VPN access for employees, vendors, and other; (TIER II OBJECTIVES AND PROCEDURES D.1. Bullet 15, FFIEC IT Examination Handbook - Audit, April 2012)
  • Determine whether audit procedures for information security adequately consider the risks in information security and e-banking. Evaluate whether ▪ A written and adequate data security policy is in effect covering all major operating systems, databases, and applications; ▪ Existing controls comp… (Exam Tier II Obj D.1, FFIEC IT Examination Handbook - Audit, August 2003)
  • The organization should ensure it has enough bandwidth, capacity, and authentication mechanisms for additional people to access the system from remote locations because there may be more people telecommuting in the event of a pandemic. (Pg D-8, Exam Tier I Obj 4.3, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • Calls for all access points to be identified to prevent unauthorized remote access to the network. (SS-1.2, Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • Authorizes remote access to the information system prior to allowing such connections. (AC-17b. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Authorizes the execution of privileged commands and access to security-relevant information via remote access only for [Assignment: organization-defined needs]; and (AC-17(4)(a) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization provides the capability to expeditiously disconnect or disable remote access to the information system within [FedRAMP Assignment: fifteen (15) minutes]. (AC-17(9) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The information system monitors and controls remote access methods. (AC-17(1) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Authorizes remote access to the information system prior to allowing such connections. (AC-17b. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The information system monitors and controls remote access methods. (AC-17(1) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization provides the capability to expeditiously disconnect or disable remote access to the information system within [FedRAMP Assignment: fifteen (15) minutes]. (AC-17(9) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Authorizes the execution of privileged commands and access to security-relevant information via remote access only for [Assignment: organization-defined needs]; and (AC-17(4)(a) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Authorizes remote access to the information system prior to allowing such connections. (AC-17b. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization must implement appropriate operational, management, and technical information system security controls at alternate work sites, including home offices and branch offices. (§ 4.7, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Do system users or vendors have access to the system from a remote location? (IT - General Q 21, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Is there remote access to the server software? (IT - Servers Q 10, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: [Assignment: organization-defined needs]; and (AC-17(4)(a), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Employ automated mechanisms to monitor and control remote access methods. (AC-17(1) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Authorize each type of remote access to the system prior to allowing such connections. (AC-17b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Authorize each type of remote access to the system prior to allowing such connections. (AC-17b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Authorize each type of remote access to the system prior to allowing such connections. (AC-17b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: [Assignment: organization-defined needs]; and (AC-17(4)(a), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Employ automated mechanisms to monitor and control remote access methods. (AC-17(1) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Authorize each type of remote access to the system prior to allowing such connections. (AC-17b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • The organization must control remote computing to allow only authorized users access to remote applications and components, and the servers must be able to authenticate these remote users. (§ 1.5.2, FIPS Pub 191, Guideline for the Analysis of Local Area Network (LAN) Security)
  • Calls for Access Control (AC): Organizations must limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise. (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • Remote access is managed (PR.AC-3, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • Remote access is managed. (PR.AC-3, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0)
  • Organizational records and documents should be examined to ensure remote access is periodically monitored, restricted to dial-up connections, and restricted to authorized users; logs are being maintained for remote access; and specific responsibilities and actions are defined for the implementation … (AC-17, AC-17.7, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Authorizes remote access to the information system prior to allowing such connections. (AC-17b. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Authorizes remote access to the information system prior to allowing such connections. (AC-17b. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Authorizes remote access to the information system prior to allowing such connections. (AC-17b. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The information system monitors and controls remote access methods. (AC-17(1) ¶ 1 Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The information system monitors and controls remote access methods. (AC-17(1) ¶ 1 High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Authorizes the execution of privileged commands and access to security-relevant information via remote access only for [Assignment: organization-defined needs]; and (AC-17(4) ¶ 1(a) High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Authorizes the execution of privileged commands and access to security-relevant information via remote access only for [Assignment: organization-defined needs]; and (AC-17(4) ¶ 1(a) Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Consider using callback systems when dial-up modems are installed in an ICS. This ensures that a dialer is an authorized user by having the modem establish the working connection based on the dialer's information and a callback number stored in the ICS approved authorized user list. (§ 6.2.1.4 ICS-specific Recommendations and Guidance Bullet 1, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Configure remote control software to use unique user names and passwords, strong authentication, encryption if determined appropriate, and audit logs. Use of this software by remote users should be monitored on an almost real-time frequency. (§ 6.2.1.4 ICS-specific Recommendations and Guidance Bullet 4, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Install or replace network hubs, routers, and switches. (T0126, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Remote access is managed. (PR.AC-P3, NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • The organization may choose to strictly limit or prohibit remote access to Personally Identifiable Information. (§ 4.3 Bullet Remote Access (AC-17), NIST SP 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII))
  • The organization must document the approved methods for remotely accessing the smart grid Information System. (SG.AC-2 Requirement 1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must monitor, authorize, and manage all remote access methods to the smart grid Information System. (SG.AC-15 Requirement, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should enable remote access to smart grid information system component locations only when necessary, approved, authenticated, and for the necessary time. (SG.AC-15 Additional Considerations A1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should use automated mechanisms to monitor and control the remote access methods. (SG.AC-15 Additional Considerations A2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must authorize, monitor, and manage all wireless access to the smart grid Information System. (SG.AC-16 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should require the use of strong authentication credentials to protect remote maintenance sessions. (SG.MA-6 Additional Considerations A1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • Enforce safeguarding measures for CUI at alternate work sites (e.g., telework sites). (3.10.6, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171)
  • Enforce safeguarding measures for CUI at alternate work sites. (3.10.6, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 1)
  • Enforce safeguarding measures for CUI at alternate work sites. (3.10.6, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 2)
  • The organization must establish Implementation Guidance and usage restrictions for each remote access method. (App F § AC-17.b, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should restrict privileged commands and access to secure information via remote access and document exceptions in the security plan. (App F § AC-17(4), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must use information system security controls at alternate work sites. (App F § PE-17.a, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must use mechanisms or procedures as compensating controls in accordance with the tailoring guidance when the Industrial Control System cannot implement any or all of the components remote access controls. (App I § AC-17, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should use nonautomated mechanisms or procedures as compensating controls in accordance with the tailoring guidance when the Industrial Control System cannot support automated mechanisms for monitoring and controlling remote access methods. (App I § AC-17 Control Enhancement: (1), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should use compensating controls in accordance with the tailoring guidance when the Industrial Control System cannot support cryptographic mechanisms to protect the integrity and confidentiality of remote sessions or cannot use cryptographic mechanisms due to significant impact on r… (App I § AC-17 Control Enhancement: (2), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization authorizes remote access to the information system prior to allowing such connections. (AC-17b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization provides the capability to expeditiously disconnect or disable remote access to the information system within {organizationally documented time period}. (AC-17(9), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization authorizes remote access to the information system prior to allowing such connections. (AC-17b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization authorizes remote access to the information system prior to allowing such connections. (AC-17b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization authorizes remote access to the information system prior to allowing such connections. (AC-17b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Authorizes remote access to the information system prior to allowing such connections. (AC-17b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The information system monitors and controls remote access methods. (AC-17(1) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Authorizes the execution of privileged commands and access to security-relevant information via remote access only for [Assignment: organization-defined needs]; and (AC-17(4)(a), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Authorizes remote access to the information system prior to allowing such connections. (AC-17b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • The information system monitors and controls remote access methods. (AC-17(1) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Authorizes remote access to the information system prior to allowing such connections. (AC-17b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Authorizes the execution of privileged commands and access to security-relevant information via remote access only for [Assignment: organization-defined needs]; and (AC-17(4)(a), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Authorizes remote access to the information system prior to allowing such connections. (AC-17b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The information system monitors and controls remote access methods. (AC-17(1) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Authorizes the execution of privileged commands and access to security-relevant information via remote access only for [Assignment: organization-defined needs]; and (AC-17(4)(a), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization provides the capability to expeditiously disconnect or disable remote access to the information system within [Assignment: organization-defined time period]. (AC-17(9) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The information system implements [Assignment: organization-defined security safeguards] to authenticate [Assignment: organization-defined remote commands]. (SI-3(9) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Authorize each type of remote access to the system prior to allowing such connections. (AC-17b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: [Assignment: organization-defined needs]; and (AC-17(4)(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Provide the capability to disconnect or disable remote access to the system within [Assignment: organization-defined time period]. (AC-17(9) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Employ automated mechanisms to monitor and control remote access methods. (AC-17(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Implement [Assignment: organization-defined mechanisms] to authenticate [Assignment: organization-defined remote commands]. (AC-17(10) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Authorizes remote access to the information system prior to allowing such connections. (AC-17b., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Authorizes remote access to the information system prior to allowing such connections. (AC-17b., TX-RAMP Security Controls Baseline Level 1)
  • The information system monitors and controls remote access methods. (AC-17(1) ¶ 1, TX-RAMP Security Controls Baseline Level 2)
  • Authorizes remote access to the information system prior to allowing such connections. (AC-17b., TX-RAMP Security Controls Baseline Level 2)
  • Authorizes the execution of privileged commands and access to security-relevant information via remote access only for [Assignment: organization-defined needs]; and (AC-17(4)(a), TX-RAMP Security Controls Baseline Level 2)
  • The organization provides the capability to expeditiously disconnect or disable remote access to the information system within [TX-RAMP Assignment: no greater than 15 minutes]. (AC-17(9) ¶ 1, TX-RAMP Security Controls Baseline Level 2)