Monitor and evaluate all remote access usage.


CONTROL ID: 00563
CONTROL TYPE: Monitor and Evaluate Occurrences
CLASSIFICATION: Detective

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Control all methods of remote access and teleworking. (CC ID: 00559)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Logging and monitoring the date, time, user, user location, duration, and purpose for all remote access including all activities carried out through remote access (Critical components of information security 25) iii.j., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Regularly reviewing remote access approvals and rescinding those that no longer have a compelling business justification (Critical components of information security 25) iii.b., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Central management and monitoring is performed by means of MDM solutions, including a possibility for remote deletion. A site plausibility check of the access is carried out. An inventory list of mobile terminal devices with access to the cloud service (among other things, with information of the op… (Section 5.17 MDM-01 Description of additional requirements (confidentiality and availability) ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • (§ II.28, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Do System Administrators note unusual access or instances of remote users? (Table Row II.21, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Interview personnel and observe processes to verify vendor remote access accounts are being monitored while they are in use. (Testing Procedures § 8.1.5.b, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • User IDs that are used by vendors to access, maintain, or support the system by remote access must be monitored when they are being used. (PCI DSS Requirements § 8.1.5 Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Manage IDs used by vendors to access, support, or maintain system components via remote access as follows: - Enabled only during the time period needed and disabled when not in use. - Monitored when in use. (8.1.5, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Manage IDs used by third parties to access, support, or maintain system components via remote access as follows: - Enabled only during the time period needed and disabled when not in use. - Monitored when in use. (8.1.5, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Manage IDs used by third parties to access, support, or maintain system components via remote access as follows: - Enabled only during the time period needed and disabled when not in use. - Monitored when in use. (8.1.5, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Are vendor remote access accounts monitored when in use? (8.1.5 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Are third party remote access accounts monitored when in use? (8.1.5(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Are vendor remote access accounts monitored when in use? (8.1.5 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.1)
  • Are third party remote access accounts monitored when in use? (8.1.5(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.2)
  • Are vendor remote access accounts monitored when in use? (8.1.5 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
  • Are third party remote access accounts monitored when in use? (8.1.5(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Are vendor remote access accounts monitored when in use? (8.1.5 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are third party remote access accounts monitored when in use? (8.1.5(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are vendor remote access accounts monitored when in use? (8.1.5 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Are third party remote access accounts monitored when in use? (8.1.5(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Interview personnel and observe processes to verify that third-party remote access accounts are monitored while being used. (8.1.5.b, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Are vendor remote access accounts monitored when not in use? (PCI DSS Question 8.1.5(b), PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • Are vendor remote access accounts monitored when not in use? (PCI DSS Question 8.1.5(b), PCI DSS Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.0)
  • Are vendor remote access accounts monitored when not in use? (PCI DSS Question 8.1.5(b), PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • Are vendor remote access accounts monitored when not in use? (PCI DSS Question 8.1.5(b), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Are vendor remote access accounts monitored when not in use? (PCI DSS Question 8.1.5(b), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • External access should be provided using a dedicated Remote Access Server, which provides information for troubleshooting (e.g., router and firewall logs). (CF.09.03.07b, The Standard of Good Practice for Information Security)
  • External access should be provided using a dedicated Remote Access Server, which helps identify possible Information Security breaches (e.g., by logging events such as connections and terminations in a database and collating them centrally). (CF.09.03.07d, The Standard of Good Practice for Information Security)
  • Access to critical systems and networks by external individuals for remote maintenance purposes (e.g., remote diagnosis / testing, software maintenance) should be managed by logging all activity undertaken. (CF.09.05.01d, The Standard of Good Practice for Information Security)
  • Access to critical systems and networks by external individuals for remote maintenance purposes (e.g., remote diagnosis / testing, software maintenance) should be managed by performing an independent review of remote maintenance activity. (CF.09.05.01f, The Standard of Good Practice for Information Security)
  • External access should be provided using a dedicated Remote Access Server, which provides information for troubleshooting (e.g., router and firewall logs). (CF.09.03.07b, The Standard of Good Practice for Information Security, 2013)
  • External access should be provided using a dedicated Remote Access Server, which helps identify possible Information Security breaches (e.g., by logging events such as connections and terminations in a database and collating them centrally). (CF.09.03.07d, The Standard of Good Practice for Information Security, 2013)
  • Access to critical systems and networks by external individuals for remote maintenance purposes (e.g., remote diagnosis / testing, software maintenance) should be managed by logging all activity undertaken. (CF.09.05.01d, The Standard of Good Practice for Information Security, 2013)
  • Access to critical systems and networks by external individuals for remote maintenance purposes (e.g., remote diagnosis / testing, software maintenance) should be managed by performing an independent review of remote maintenance activity. (CF.09.05.01f, The Standard of Good Practice for Information Security, 2013)
  • The organization should manage all devices that remotely log in to the internal network, to include remotely controlling configuration, patch levels, and installed software. (Critical Control 13.8, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Incident Handling. Unwanted incidents are more likely to occur, and more serious adverse business impact to result, where there are network connections (as opposed to where there are none). Further, with network connections to other organizations in particular there could well be significant legal i… (¶ 13.2.6, ISO 13335-5 Information technology - Guidelines for the management of IT Security - Part 5: Management guidance on network security, 2001)
  • Electronic Security Perimeters (CIP-005) including Interactive Remote Access; (B. R1. 1.1 1.1.2., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Security Management Controls CIP-003-6, Version 6)
  • When remote access is permitted, is remote desktop technology (Citrix) used to access the network remotely? (§ H.5.4, Shared Assessments Standardized Information Gathering Questionnaire - H. Access Control, 7.0)
  • CSR 5.9.13: The organization must audit all remote maintenance sessions and have the appropriate information security personnel review the remote session audit logs. CSR 10.8.10: The organization must configure the system to prohibit the remote activation of collaborative computing mechanisms and pr… (CSR 5.9.13, CSR 10.8.10, CSR 10.10.1(9), CSR 10.10.2, CSR 10.10.4, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • The information assurance officer or network security officer must ensure that remote access to a classified network uses a National Security Agency approved remote access security solution. (§ 3.4.1.2 ¶ AC44.025, DISA Access Control STIG, Version 2, Release 3)
  • Remote access servers and remote access cards may not be used for remote access services, except when they can support authentication servers. Remote access to classified networks must implement an NSA Certified remote access security solution and be from approved locations. (§ 4.2.1, § 6.3, DISA Secure Remote Computing Security Technical Implementation Guide, Version 1 Release 2)
  • Monitor and control remote access sessions. (AC.2.013, Cybersecurity Maturity Model Certification, Version 1.0, Level 2)
  • Monitor and control remote access sessions. (AC.2.013, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Monitor and control remote access sessions. (AC.2.013, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Monitor and control remote access sessions. (AC.2.013, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Monitor and control remote access sessions. (AC.L2-3.1.12 Control Remote Access, Cybersecurity Maturity Model Certification, Version 2.0, Level 2)
  • The agency shall authorize, monitor, and control all methods of remote access to the information system. Remote access is any temporary access to an agency's information system by a user (or an information system) communicating temporarily through an external, non-agency-controlled network (e.g., th… (§ 5.5.6 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Virtual escorting of privileged functions is permitted only when all the following conditions are met: (§ 5.5.6 ¶ 3, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • This examination procedure may be performed in coordination with related examination procedures in the "Business Continuity Management" booklet. Determine whether management developed, documented, and implemented environmental control policies, standards, and procedures to safeguard facilities, tech… (App A Objective 13:8, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Measures the risk associated with connections with third parties with remote access. (App A Objective 6.7.d, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Prohibits remote access to operating system and system utilities, where feasible, and, at a minimum, requires strong authentication and encrypted sessions before allowing such remote access. (App A Objective 6.21.e, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Information security personnel should monitor remote access closely. Management should implement controls for remote access, including granting the appropriate user access; logging all remote activity; and using time controls for when remote access may occur. (Pg 23, FFIEC IT Examination Handbook - Operations, July 2004)
  • Remote access to systems containing Federal Tax Information must be authorized, documented, and monitored by the organization. The system must be configured to prohibit the remote activation of collaborative computing devices and must indicate to local users when collaborative computing devices are … (§ 5.6.1, § 5.6.15, Exhibit 4 AC-17, Exhibit 4 SC-15, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Is remote access monitored? (IT - Remote Access Q 13, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Calls for Access Control (AC): Organizations must limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise. (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • Organizational records and documents should be examined for implemented automated mechanisms to support the monitoring and control of remote access methods and to ensure the monitoring and control is in accordance with policies and procedures; the remote activation of collaborative computing mechani… (AC-17(1), AC-17.12, SC-15, SC-15(1), SC-15.2, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • The organization must establish Implementation Guidance and usage restrictions for each of the allowed remote access methods. (SG.AC-2 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must monitor the system for unauthorized remote connections, to include scanning for unauthorized Wireless Access Points, on a defined time period and taking appropriate action when discovered. (SG.AC-15 Requirement Enhancements 4, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The remote maintenance policy and procedures must include managing the remote maintenance authorization credentials. (SG.MA-6 Requirement 5, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • Monitor and control remote access sessions. (3.1.12, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171)
  • Monitor and control remote access sessions. (3.1.12, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 1)
  • Monitor and control remote access sessions. (3.1.12, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 2)
  • The organization must monitor the Information System for unauthorized remote access. (App F § AC-17.c, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should use automated mechanisms to monitor and control remote access. (App F § AC-17(1), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should monitor for unauthorized remote connections and take appropriate action if discovered. (App F § AC-17(5), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should audit remote maintenance and diagnostic sessions and review the remote session maintenance records. (App F § MA-4(1), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The information system monitors and controls remote access methods. (AC-17(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system monitors and controls remote access methods. (AC-17(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system monitors and controls remote access methods. (AC-17(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)