Protect remote access accounts with encryption.
CONTROL ID
00562
CONTROL TYPE
Configuration
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Control all methods of remote access and teleworking., CC ID: 00559

There are no implementation support Controls.
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • AIs should identify the locations of customer data residing in different parts of AIs' networks and systems and ensure that adequate logical access controls are in place at different levels (e.g. application level, database level, operating system level, network level) to prevent unauthorized access… (Annex C. ¶ 1, Hong Kong Monetary Authority Customer Data Protection, 14 October 2014)
  • Using encryption to protect communications between the access device and the institution and to protect sensitive data residing on the access device (Critical components of information security 25) iii.e., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Remote access allows users to connect to the FI's internal network via an external network to access the FI's data and systems, such as emails and business applications. Remote connections should be encrypted to prevent data leakage through network sniffing and eavesdropping. Strong authentication, … (§ 9.3.1, Technology Risk Management Guidelines, January 2021)
  • Computing devices used by staff working in remote environments should be supplied with encryption software to protect information stored on the computer (e.g., using hard disk encryption) or transmitted by the device (e.g., using a Virtual Private Network when connecting to the organization's networ… (CF.14.01.04e, The Standard of Good Practice for Information Security)
  • Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication. (CIS Control 12: Sub-Control 12.11 Require All Remote Logins to Use Multi-Factor Authentication, CIS Controls, 7.1)
  • Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication. (CIS Control 12: Sub-Control 12.11 Require All Remote Logins to Use Multi-Factor Authentication, CIS Controls, V7)
  • The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions. (AC-17(2) ¶ 1, StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions. (AC-17(2) ¶ 1, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions. (AC-17(2) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • For all Interactive Remote Access sessions, utilize encryption that terminates at an Intermediate System. (CIP-005-5 Table R2 Part 2.2 Requirements ¶ 1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Electronic Security Perimeter(s) CIP-005-5, Version 5)
  • For all Interactive Remote Access sessions, utilize encryption that terminates at an Intermediate System. (CIP-005-6 Table R2 Part 2.2 Requirements, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Electronic Security Perimeter(s) CIP-005-6, Version 6)
  • For all Interactive Remote Access sessions, utilize encryption that terminates at an Intermediate System. (CIP-005-7 Table R2 Part 2.2 Requirements, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Electronic Security Perimeter(s) CIP-005-7, Version 7)
  • When remote access is permitted, are encrypted communications required for all remote connections? (§ H.5.6, Shared Assessments Standardized Information Gathering Questionnaire - H. Access Control, 7.0)
  • CSR 2.9.11(3): When remotely accessing databases that contain sensitive information, the system must require an encrypted modem for every applicable workstation and a smart card for every remote user accessing the database using a toll-free or local number. The smart cards must have identification a… (CSR 2.9.11(3), CSR 10.10.2, CSR 10.10.3, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • For administrative access, encryption is required for all communications between remote users and the accessed system. Communications to and from the network must use a FIPS 140-2-approved algorithm, at a minimum. (§ 2.1, § 6.1, DISA Secure Remote Computing Security Technical Implementation Guide, Version 1 Release 2)
  • Employ cryptographic mechanisms to protect the confidentiality of remote access sessions. (AC.3.014, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Employ cryptographic mechanisms to protect the confidentiality of remote access sessions. (AC.3.014, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Employ cryptographic mechanisms to protect the confidentiality of remote access sessions. (AC.3.014, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Employ cryptographic mechanisms to protect the confidentiality of remote access sessions. (AC.L2-3.1.13 Remote Access Confidentiality, Cybersecurity Maturity Model Certification, Version 2.0, Level 2)
  • Encryption must be used for all remote access to protect the session's confidentiality. (EBRU-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Enforcement of folder or disk level encryption (§ 5.13.2 ¶ 3(2)(e), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Remote access to critical systems by employees, contractors, and third parties uses encrypted connections and multifactor authentication. (Domain 3: Assessment Factor: Preventative Controls, ACCESS AND DATA MANAGEMENT Baseline 1 ¶ 15, FFIEC Cybersecurity Assessment Tool, Baseline, May 2017)
  • Encryption technologies to protect communications. (App A Objective 9:1c Bullet 3, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Prohibits remote access to operating system and system utilities, where feasible, and, at a minimum, requires strong authentication and encrypted sessions before allowing such remote access. (App A Objective 6.21.e, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions. (AC-17(2) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions. (AC-17(2) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions. (AC-17(2) ¶ 1, FedRAMP Security Controls High Baseline, Version 5)
  • Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions. (AC-17(2) ¶ 1, FedRAMP Security Controls Low Baseline, Version 5)
  • Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions. (AC-17(2) ¶ 1, FedRAMP Security Controls Moderate Baseline, Version 5)
  • To remotely access systems containing Federal Tax Information, the IRS requires identification and password encryption when using public telephone lines, a centralized Key Management Center for authentication, and access through a toll-free or local access number. Each workstation requires an encryp… (§ 5.6.17.3, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Is all remote access to the firewall by encrypted channel? (IT - Firewalls Q 36, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions. (AC-17(2) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions. (AC-17(2) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Calls for Access Control (AC): Organizations must limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise. (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • The configuration of the system should be examined to ensure encryption is being used for all remote access sessions. Interviews should be conducted with personnel involved in configuring security parameters, such as setting up remote access sessions. (AC-17(2), Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions. (AC-17(2) ¶ 1 Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions. (AC-17(2) ¶ 1 High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Configure remote control software to use unique user names and passwords, strong authentication, encryption if determined appropriate, and audit logs. Use of this software by remote users should be monitored on an almost real-time frequency. (§ 6.2.1.4 ICS-specific Recommendations and Guidance Bullet 4, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization should ensure communications are encrypted, when remote access is allowed. (§ 4.3 Bullet Remote Access (AC-17), NIST SP 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII))
  • The organization must use cryptography to protect remote access sessions. (SG.AC-15 Requirement Enhancements 1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • Employ cryptographic mechanisms to protect the confidentiality of remote access sessions. (3.1.13, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171)
  • Employ cryptographic mechanisms to protect the confidentiality of remote access sessions. (3.1.13, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 1)
  • Employ cryptographic mechanisms to protect the confidentiality of remote access sessions. (3.1.13, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 2)
  • The organization should implement cryptography for remote access sessions. (App F § AC-17(2), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should protect remote maintenance sessions by using a strong authenticator that is tightly bound to the user and separating the maintenance session from other network sessions by logically separated communications paths based on encryption or physically separate communications paths… (App F § MA-4(4), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should use cryptographic mechanisms to protect the integrity and confidentiality on remote maintenance and diagnostic communications. (App F § MA-4(6), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should carefully consider the use of cryptography based on the security needs and potential ramifications on system performance for remote access on an Industrial Control System. (App I § AC-17 Control Enhancement: (2), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions. (AC-17(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system implements {organizationally documented security safeguards} to authenticate {organizationally documented remote commands}. (SI-3(9), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions. (AC-17(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions. (AC-17(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions. (AC-17(2) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions. (AC-17(2) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions. (AC-17(2) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions. (AC-17(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions. (AC-17(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions. (AC-17(2) ¶ 1, TX-RAMP Security Controls Baseline Level 2)