Control remote access through a network access control.


CONTROL ID
01421
CONTROL TYPE
Technical Security
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Control all methods of remote access and teleworking., CC ID: 00559

This Control has the following implementation support Control(s):
  • Install and maintain remote control software and other remote control mechanisms on critical systems., CC ID: 06371
  • Prohibit remote access to systems processing cleartext restricted data or restricted information., CC ID: 12324
  • Employ multifactor authentication for remote access to the organization's network., CC ID: 12505


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • There are risks of unauthorized access to companies' systems through points connecting with external networks. It is necessary to take preventive measures against unauthorized access at such points, in the cases that systems handling important data and programs are connected with external networks. (P14.1. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • It is necessary to monitor access from external networks to internal networks and conduct checks of access records for the purpose of early detection and prevention of unauthorized access. From the perspective of preventing information leaks, it is also effective to introduce a mechanism that detect… (P14.3. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • To ensure protection against data leakage, unauthorized access, computer virus intrusion, and other major incidents, access to the internal network and utilization of remote access should be in accordance with prior specified procedures. (P118.7. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Disallowing remote access by policy and practice unless a compelling business need exists and requiring management approval for remote access (Critical components of information security 25) iii.a., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Remote access to a bank's provides an attacker with the opportunity to manipulate and subvert the bank's systems from outside the physical security perimeter. The management should establish policies restricting remote access and be aware of all remote-access devices attached to their systems. These… (Critical components of information security 25) ii., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Institute strong controls over remote access by privileged users; (§ 11.2.3.b, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The organization's network is accessed via a secured connection (e.g. VPN) and strong authentication. (2.1.4 Requirements (must) Bullet 2, Information Security Assessment, Version 5.1)
  • The control system shall provide the capability to authorize, monitor and enforce usage restrictions for wireless connectivity to the control system according to commonly accepted security industry practices. (6.4.1 ¶ 1, IEC 62443-3-3: Industrial communication networks – Network and system security – Part 3-3: System security requirements and security levels, Edition 1)
  • The control system shall provide the capability to automatically enforce configurable usage restrictions that include: (6.5.1 ¶ 1, IEC 62443-3-3: Industrial communication networks – Network and system security – Part 3-3: System security requirements and security levels, Edition 1)
  • If a component supports usage through wireless interfaces it shall provide the capability to integrate into the system that supports usage authorization, monitoring and restrictions according to commonly accepted industry practices. (6.4.1 ¶ 1, IEC 62443-4-2: Security for industrial automation and control systems – Part 4-2: Technical security requirements for IACS components, Edition 1.0)
  • Are system services and parameter files configured to prevent the use of Telnet and other insecure remote login commands? (2.3 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Customer access to business applications should be protected (based on the principle of 'least access') by restricting methods of connection (e.g., to define remote access connection devices or entry points and only through firewalls). (CF.05.03.07a, The Standard of Good Practice for Information Security)
  • Customer access to business applications should be protected (based on the principle of 'least access') by configuring Information Systems and networks to restrict access (e.g., to specific Internet Protocol addresses or an Internet Protocol range). (CF.05.03.07b, The Standard of Good Practice for Information Security)
  • External access should be provided using a dedicated Remote Access Server, which provides reliable and complete authentication for external connections (e.g., by running an authentication system, such as radius or tacacs+). (CF.09.03.07a, The Standard of Good Practice for Information Security)
  • Customer access to business applications should be protected (based on the principle of 'least access') by restricting methods of connection (e.g., to define remote access connection devices or entry points and only through firewalls). (CF.05.03.07a, The Standard of Good Practice for Information Security, 2013)
  • Customer access to business applications should be protected (based on the principle of 'least access') by configuring Information Systems and networks to restrict access (e.g., to specific Internet Protocol addresses or an Internet Protocol range). (CF.05.03.07b, The Standard of Good Practice for Information Security, 2013)
  • External access should be provided using a dedicated Remote Access Server, which provides reliable and complete authentication for external connections (e.g., by running an authentication system, such as radius or tacacs+). (CF.09.03.07a, The Standard of Good Practice for Information Security, 2013)
  • All enterprise devices remotely logging into the internal network should be managed by the enterprise, with remote control of their configuration, installed software, and patch levels. For third-party devices (e.g., subcontractors/vendors), publish minimum security standards for access to the enterp… (Control 12.7, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices. (CIS Control 12: Sub-Control 12.12 Manage All Devices Remotely Logging into Internal Network, CIS Controls, 7.1)
  • Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices. (CIS Control 12: Sub-Control 12.12 Manage All Devices Remotely Logging into Internal Network, CIS Controls, V7)
  • When remote users are attempting to access the network, some form of authentication should be used. This could be a cryptographic-based technique, hardware tokens, or a challenge/response protocol. (§ 11.4.2, ISO 27002 Code of practice for information security management, 2005)
  • Remote access is actively managed and restricted to necessary systems. (PR.AC-3.1, CRI Profile, v1.2)
  • Remote access is actively managed and restricted to necessary systems. (PR.AC-3.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The information system routes all remote accesses through [Assignment: organization-defined number] managed network access control points. (AC-17(3) ¶ 1, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The information system routes all remote accesses through [Assignment: organization-defined number] managed network access control points. (AC-17(3) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc. (M1035 Limit Access to Resource Over Network, MITRE ATT&CK®, Enterprise Mitigations, Version 13.1)
  • All External Routable Connectivity must be through an identified Electronic Access Point (EAP). (CIP-005-5 Table R1 Part 1.2 Requirements ¶ 1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Electronic Security Perimeter(s) CIP-005-5, Version 5)
  • Utilize an Intermediate System such that the Cyber Asset initiating Interactive Remote Access does not directly access an applicable Cyber Asset. (CIP-005-5 Table R2 Part 2.1 Requirements ¶ 1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Electronic Security Perimeter(s) CIP-005-5, Version 5)
  • All External Routable Connectivity must be through an identified Electronic Access Point (EAP). (CIP-005-6 Table R1 Part 1.2 Requirements, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Electronic Security Perimeter(s) CIP-005-6, Version 6)
  • Utilize an Intermediate System such that the Cyber Asset initiating Interactive Remote Access does not directly access an applicable Cyber Asset. (CIP-005-6 Table R2 Part 2.1 Requirements, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Electronic Security Perimeter(s) CIP-005-6, Version 6)
  • Have one or more method(s) to disable active vendor remote access (including Interactive Remote Access and system-to-system remote access). (CIP-005-6 Table R2 Part 2.5 Requirements, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Electronic Security Perimeter(s) CIP-005-6, Version 6)
  • Is there a separate network segment or endpoints for remote access? (§ G.11.15, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Systems that are remotely accessed should positively identify users before allowing any processing. Callback mechanisms are preferred for dial-up networks. (§ 2-24.b, Army Regulation 380-19: Information Systems Security, February 27, 1998)
  • CSR 2.9.11: When remotely accessing databases that contain sensitive information, the system must provide authentication through the use of a userID and password encryption for use over public telephone lines; provide standard access through the use of a toll-free number and local numbers to local d… (CSR 2.9.11, CSR 2.9.20, CSR 10.10.4, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • The organization will implement a Virtual Private Network (VPN) for users to communicate. Each employee that will have access to the VPN will be issued two factor authentication. (Pg 47, C-TPAT Supply Chain Security Best Practices Catalog)
  • The information assurance officer must ensure that remote access to classified networks is protected by using a National Security Agency approved, type 1 device. (§ 3.4.1.2 ¶ AC44.010, DISA Access Control STIG, Version 2, Release 3)
  • Remote access users must be authenticated by one of the following methods: RADIUS, TACACS+, CiscoSecure ACS, or SecurID. If the organization wants to use a different method, it must first be approved and documented by the Information Assurance Manager. RADIUS servers may not use NetWare Bindery to a… (§ 6.2.1, DISA Secure Remote Computing Security Technical Implementation Guide, Version 1 Release 2)
  • § 2.5 The most critical part of a remote access solution is to create a centralized point of access and authentication close to the network edge. Both the accessing device and user must be verified prior to allowing access to network resources on the internal LAN. The remote access servers must be … (§ 2.5, § 3.1, DISA Secure Remote Computing Security Technical Implementation Guide, Version 2, Release 1)
  • Route remote access via managed access control points. (AC.2.015, Cybersecurity Maturity Model Certification, Version 1.0, Level 2)
  • Route remote access via managed access control points. (AC.2.015, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Authorize remote execution of privileged commands and remote access to security-relevant information. (AC.3.021, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Route remote access via managed access control points. (AC.2.015, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Restrict remote network access based on organizationally defined risk factors such as time of day, location of access, physical location, network connection state, and measured properties of the current user and role. (AC.4.032, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Authorize remote execution of privileged commands and remote access to security-relevant information. (AC.3.021, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Route remote access via managed access control points. (AC.2.015, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Authorize remote execution of privileged commands and remote access to security-relevant information. (AC.3.021, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Restrict remote network access based on organizationally defined risk factors such as time of day, location of access, physical location, network connection state, and measured properties of the current user and role. (AC.4.032, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Route remote access via managed access control points. (AC.L2-3.1.14 Remote Access Routing, Cybersecurity Maturity Model Certification, Version 2.0, Level 2)
  • Authorize remote execution of privileged commands and remote access to security-relevant information. (AC.L2-3.1.15 Privileged Remote Access, Cybersecurity Maturity Model Certification, Version 2.0, Level 2)
  • The protections in place in the CSP's network and CSO to prevent any Internet connection to the CSP's/CSO's network and CSO from becoming a back door to the NIPRNet via the private connection through the BCAP. (Section 5.1.7 ¶ 2 Bullet 9, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • A managed Access Control point must be used to manage all remote access, including telework access. (EBRU-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • The agency shall use managed access control points to control all remote access. (§ 5.5.6 ¶ 2, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The agency shall employ automated mechanisms to facilitate the monitoring and control of remote access methods. The agency shall control all remote accesses through managed access control points. The agency may permit remote access for privileged functions only for compelling operational needs but s… (§ 5.5.6 ¶ 2, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • The agency shall employ automated mechanisms to facilitate the monitoring and control of remote access methods. The agency shall control all remote accesses through managed access control points. The agency may permit remote access for privileged functions only for compelling operational needs but s… (§ 5.5.6 ¶ 2, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Uses remote access technologies that can be protected. (App A Objective 9:1b, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Remote access policy that includes tiered levels of remote access and risk-based security controls. (App A Objective 9:1c Bullet 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Plans for the methods and access points to maintain security and control access to entity resources. (App A Objective 9:1a Bullet 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Controls are maintained over telecommunication(s), including remote access by users, programmers and vendors; and over firewalls and routers to control and monitor access to platforms, systems and applications; (TIER II OBJECTIVES AND PROCEDURES D.1. Bullet 9, FFIEC IT Examination Handbook - Audit, April 2012)
  • All remote access to telecommunications equipment should have prior approval by the organization. (Pg 28, FFIEC IT Examination Handbook - Operations, July 2004)
  • The information system routes all remote accesses through [Assignment: organization-defined number] managed network access control points. (AC-17(3) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The information system routes all remote accesses through [Assignment: organization-defined number] managed network access control points. (AC-17(3) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Route remote accesses through authorized and managed network access control points. (AC-17(3) ¶ 1, FedRAMP Security Controls High Baseline, Version 5)
  • Route remote accesses through authorized and managed network access control points. (AC-17(3) ¶ 1, FedRAMP Security Controls Low Baseline, Version 5)
  • Route remote accesses through authorized and managed network access control points. (AC-17(3) ¶ 1, FedRAMP Security Controls Moderate Baseline, Version 5)
  • A virtual private network and/or an encrypted modem must be used when remotely accessing a system that contains Federal Tax Information. (§ 5.6.1, § 5.6.17.3, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Route remote accesses through authorized and managed network access control points. (AC-17(3) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Route remote accesses through authorized and managed network access control points. (AC-17(3) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Access Control (AC): Organizations must limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise. (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • The system should be examined to ensure the system is configured to control remote access through a managed access control point. Test the system by attempting to gain remote access without connecting through the managed access control point. Interviews should be conducted with personnel involved in… (AC-17(3), AC-17.16, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • The information system routes all remote accesses through [Assignment: organization-defined number] managed network access control points. (AC-17(3) ¶ 1 Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The information system routes all remote accesses through [Assignment: organization-defined number] managed network access control points. (AC-17(3) ¶ 1 High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Conduct access enabling of wireless computer and digital networks. (T0609, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The smart grid Information System must route the remote access through a managed Access Control point. (SG.AC-15 Requirement Enhancements 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • Authorize remote execution of privileged commands and remote access to security-relevant information. (3.1.15, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171)
  • Route remote access via managed access control points. (3.1.14, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171)
  • Authorize remote execution of privileged commands and remote access to security-relevant information. (3.1.15, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 1)
  • Route remote access via managed access control points. (3.1.14, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 1)
  • Authorize remote execution of privileged commands and remote access to security-relevant information. (3.1.15, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 2)
  • Route remote access via managed access control points. (3.1.14, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 2)
  • Remote access should be routed through a limited number of managed access control points. (App F § AC-17(3), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Conduct access enabling of wireless computer and digital networks. (T0609, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The information system routes all remote accesses through {organizationally documented number} managed network access control points. (AC-17(3), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system routes all remote accesses through {organizationally documented number} managed network access control points. (AC-17(3), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system routes all remote accesses through {organizationally documented number} managed network access control points. (AC-17(3), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system routes all remote accesses through [Assignment: organization-defined number] managed network access control points. (AC-17(3) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The information system routes all remote accesses through [Assignment: organization-defined number] managed network access control points. (AC-17(3) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • The information system routes all remote accesses through [Assignment: organization-defined number] managed network access control points. (AC-17(3) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The information system routes all networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing. (SC-7(15) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Route remote accesses through authorized and managed network access control points. (AC-17(3) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Route networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing. (SC-7(15) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Route remote accesses through authorized and managed network access control points. (AC-17(3) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Route networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing. (SC-7(15) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • access controls, including remote access and identity management; (§ 500.3 Cybersecurity Policy (d), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)
  • The information system routes all remote accesses through [Assignment: organization-defined number] managed network access control points. (AC-17(3) ¶ 1, TX-RAMP Security Controls Baseline Level 2)