Establish, implement, and maintain a remote access and teleworking program.


CONTROL ID
04545
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Control all methods of remote access and teleworking., CC ID: 00559

This Control has the following implementation support Control(s):
  • Refrain from allowing remote users to copy files to remote devices., CC ID: 06792


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Remote access (Critical components of information security 1) 2) q. vi., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Regularly reviewing remote access approvals and rescind those that no longer have a compelling business justification (Critical components of information security 25) iii.b., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The FI should ensure remote access to the FI's information assets is only allowed from devices that have been secured according to the FI's security standards. (§ 9.3.2, Technology Risk Management Guidelines, January 2021)
  • The organization must ensure the area in the home where the devices are used meets the requirements of the Australian Government Physical Security Management Protocol. (Control: 0865, Australian Government Information Security Manual: Controls)
  • The organization must ensure when devices at home are not being actively used, they are secured in accordance with the requirements of the Australian Government Physical Security Management Protocol. (Control: 0685, Australian Government Information Security Manual: Controls)
  • Users who access unclassified or classified networks and systems remotely should be authenticated each time they gain access, assigned the minimum access necessary to complete their jobs, and use encryption for any actions as a privileged user. For classified connections, remote users should not be … (§ 3.10.43, § 3.10.44, Australian Government ICT Security Manual (ACSI 33))
  • The organization must establish a remote working policy. (Mandatory Requirement 42, HMG Security Policy Framework, Version 6.0 May 2011)
  • Is each user only assigned one remote computer? (Table Row II.25, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Do remote users have access to sensitive information or confidential information? (Table Row II.27, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Is remote access for CSP personnel permitted from untrusted networks? (Appendix D, Implement Strong Access Control Measures Bullet 8, Information Supplement: PCI DSS Cloud Computing Guidelines, Version 2.0)
  • Individuals who have access to information and systems should be made aware that they are prohibited from failing to protect computer equipment when using them in remote environments (e.g., when traveling or working from home). (CF.02.03.06i, The Standard of Good Practice for Information Security)
  • Access to critical systems and networks by external individuals for remote maintenance purposes (e.g., remote diagnosis / testing, software maintenance) should be managed by defining and agreeing the objectives and scope of planned work. (CF.09.05.01a, The Standard of Good Practice for Information Security)
  • There should be documented standards / procedures covering staff who work in remote environments, including public areas (e.g., hotels, trains, airports, and Internet cafes) or work from home, which covers authorization by an appropriate business representative for staff to work remotely. (CF.14.01.01a, The Standard of Good Practice for Information Security)
  • There should be documented standards / procedures covering staff who work in remote environments, including public areas (e.g., hotels, trains, airports, and Internet cafes) or work from home, which covers security requirements associated with remote working. (CF.14.01.01b, The Standard of Good Practice for Information Security)
  • There should be documented standards / procedures covering staff who work in remote environments, including public areas (e.g., hotels, trains, airports and Internet cafes) or work from home, which covers software configuration (e.g., employing standard 'builds' and relevant web browser settings). (CF.14.01.01e, The Standard of Good Practice for Information Security)
  • There should be documented standards / procedures covering staff who work in remote environments, including public areas (e.g., hotels, trains, airports, and Internet cafes) or work from home, which covers provision of software to protect computing devices (e.g., system management tools, access cont… (CF.14.01.01f, The Standard of Good Practice for Information Security)
  • There should be documented standards / procedures covering staff who work in remote environments, including public areas (e.g., hotels, trains, airports, and Internet cafes) or work from home, which covers protection against loss or theft. (CF.14.01.01g, The Standard of Good Practice for Information Security)
  • Staff who work in remote environments should be in compliance with legal and regulatory requirements (e.g., health and safety laws, and data privacy regulations). (CF.14.01.02e, The Standard of Good Practice for Information Security)
  • Staff who work in remote environments should be provided with alternative working arrangements in case of emergency. (CF.14.01.02f, The Standard of Good Practice for Information Security)
  • Computing devices used by staff working in remote environments should be supplied with a comprehensive set of system management tools (e.g., maintenance utilities, remote support, patch management, enterprise management tools, and back-up software). (CF.14.01.04b, The Standard of Good Practice for Information Security)
  • Individuals who have access to information and systems should be made aware that they are prohibited from failing to protect computer equipment when using them in remote environments (e.g., when traveling or working from home). (CF.02.03.06i, The Standard of Good Practice for Information Security, 2013)
  • Access to critical systems and networks by external individuals for remote maintenance purposes (e.g., remote diagnosis / testing, software maintenance) should be managed by defining and agreeing the objectives and scope of planned work. (CF.09.05.01a, The Standard of Good Practice for Information Security, 2013)
  • There should be documented standards / procedures covering staff who work in remote environments, including public areas (e.g., hotels, trains, airports, and Internet cafes) or work from home, which covers authorization by an appropriate business representative for staff to work remotely. (CF.14.01.01a, The Standard of Good Practice for Information Security, 2013)
  • There should be documented standards / procedures covering staff who work in remote environments, including public areas (e.g., hotels, trains, airports, and Internet cafes) or work from home, which covers security requirements associated with remote working. (CF.14.01.01b, The Standard of Good Practice for Information Security, 2013)
  • There should be documented standards / procedures covering staff who work in remote environments, including public areas (e.g., hotels, trains, airports, and Internet cafes) or who work from home, which cover the requirements for staff traveling to high-risk countries. (CF.14.01.01e, The Standard of Good Practice for Information Security, 2013)
  • Staff who work in remote environments should be in compliance with legal and regulatory requirements (e.g., health and safety laws, and data privacy regulations). (CF.14.01.02e, The Standard of Good Practice for Information Security, 2013)
  • Staff who work in remote environments should be provided with alternative working arrangements in case of emergency. (CF.14.01.02f, The Standard of Good Practice for Information Security, 2013)
  • There should be documented standards / procedures covering staff who work in remote environments, including public areas (e.g., hotels, trains, airports, and Internet cafes) or work from home, which covers protection against loss or theft. (CF.14.01.01c, The Standard of Good Practice for Information Security, 2013)
  • There should be documented standards / procedures covering staff who work in remote environments, including public areas (e.g., hotels, trains, airports, and Internet cafes) or who work from home, which cover use of a Mobile Device Management system (where appropriate) to centralise the management o… (CF.14.01.01d, The Standard of Good Practice for Information Security, 2013)
  • How people will accomplish their tasks if they cannot get to the office (4.4(c), Pandemic Response Planning Policy)
  • A policy should be developed to deal with security incidents that involve remote computers that belong to the organization or its employees, contractors, and non full-time employees. This policy should include the search and seizure of these computers. (Action 1.1.7, SANS Computer Security Incident Handling, Version 2.3.1)
  • Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures to protect information accessed, processed or stored at remote sites and locations. Review and update the policies and procedures at least annually. (HRS-04, Cloud Controls Matrix, v4.0)
  • ¶ 13.2.5 Documented Security Conditions for Users of Network Services. Users authorized to work remotely should be issued with a documented "security conditions for users of network services" document. This should describe user responsibilities for the hardware, software and data in relation to th… (¶ 13.2.5, ¶ 13.3.2, ISO 13335-5 Information technology - Guidelines for the management of IT Security - Part 5: Management guidance on network security, 2001)
  • Guidelines, procedures, and policies should be developed for using portable equipment for recovery purposes by outsourced service provider staff. (§ 7.6.6, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • A policy and supporting security measures shall be implemented to protect information accessed, processed or stored at teleworking sites. (A.6.2.2 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • Operational procedures and plans should be developed for use by teleworking employees. Before allowing teleworkers, the organization should ensure that security controls are in place and operational. When determining whether or not to allow telework, the risks and vulnerabilities associated with the… (§ 11.7.2, ISO 27002 Code of practice for information security management, 2005)
  • A policy and supporting security measures should be implemented to protect information accessed, processed or stored at teleworking sites. (§ 6.2.2 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and (AC-17a., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and (AC-17a., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and (AC-17a., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and (AC-17a., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Does the information security policy cover remote access? (§ B.1.28, Shared Assessments Standardized Information Gathering Questionnaire - B. Security Policy, 7.0)
  • Is there a remote access policy for systems transmitting scoped systems and data that has been approved by management? (§ H.5.1, Shared Assessments Standardized Information Gathering Questionnaire - H. Access Control, 7.0)
  • Is there a remote access policy for systems processing scoped systems and data that has been approved by management? (§ H.5.1, Shared Assessments Standardized Information Gathering Questionnaire - H. Access Control, 7.0)
  • Is there a remote access policy for systems storing scoped systems and data that has been approved by management? (§ H.5.1, Shared Assessments Standardized Information Gathering Questionnaire - H. Access Control, 7.0)
  • CSR 1.13.4: The organization must ensure that CMS business partner employees who are authorized to work at home on sensitive data must observe the same security practices that they observe at work. CSR 1.13.5: The organization must establish measures to control the use of notebooks, laptops, and oth… (CSR 1.13.4, CSR 1.13.5, CSR 10.8.2(2), Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • The designated approving authority must approve all remote access to Secret Internet Protocol Router Network and Non-Classified Internet Protocol Routing Network resources. (§ 3.4.1.2 ¶ AC44.020, DISA Access Control STIG, Version 2, Release 3)
  • The information assurance officer must ensure that user training and remote access configuration complies with the secure remote computing Security Technical Implementation Guide. (§ 3.4.1.2 ¶ AC44.030, DISA Access Control STIG, Version 2, Release 3)
  • The organization must develop a secure remote access policy. Remote users must follow the applicable Local Area Network (LAN) user requirements. (§ 3, § 3.1, DISA Secure Remote Computing Security Technical Implementation Guide, Version 1 Release 2)
  • The default user profile settings must prohibit all remote activities. (§ 8-609.a(3), NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • The agency may allow remote access for privileged functions for compelling operational needs and shall document the rationale in the security plan. (§ 5.5.6 ¶ 2, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The agency shall employ automated mechanisms to facilitate the monitoring and control of remote access methods. The agency shall control all remote accesses through managed access control points. The agency may permit remote access for privileged functions only for compelling operational needs but s… (§ 5.5.6 ¶ 2, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Remote access policy that includes tiered levels of remote access and risk-based security controls. (App A Objective 9:1c Bullet 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Employs effective risk mitigation for remote access, including: (App A Objective 9:1c, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine whether management has policies and procedures to ensure that remote access by employees, whether using institution or personally owned devices, is provided in a safe and sound manner. Review whether management does the following: (App A Objective 6.23, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Remote access policies and procedures should be developed. The policies and procedures should include acceptable configurations, software requirements, third-party access controls, virus controls, prior approval requirements, procedures for accessing or transmitting confidential information, and req… (Pg 32, Exam Tier I Obj 8.10, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • The service provider must define the operational, technical, and Management Information System security controls for all alternate work sites. (Column F: PE-17a, FedRAMP Baseline Security Controls)
  • The joint authorization board must approve and accept the security controls for the alternate work sites. (Column F: PE-17a, FedRAMP Baseline Security Controls)
  • Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and (AC-17a. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and (AC-17a. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and (AC-17a. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Federal Tax Information (FTI) can only be stored, processed, and accessed at remote sites on organization-owned computers, media, and software. The organization must own and control all software, hardware, and telecommunications equipment. The organization should provide locking cabinets and lock-do… (§ 4.7.1, § 4.7.2, § 5.6.1, Exhibit 4 AC-18, Exhibit 4 AC-20, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Does the Credit Union Information Technology policy include remote access for employees and vendors? (IT - Policy Checklist Q 12, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Are there implemented policies and procedures describing the authorization, authentication, and monitoring of remote access employees? (IT - Remote Access Q 2a, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Are there implemented policies and procedures describing the authorization, authentication, and monitoring of remote access members? (IT - Remote Access Q 2b, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Are there implemented policies and procedures describing the authorization, authentication, and monitoring of remote access vendors? (IT - Remote Access Q 2c, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and (AC-17a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and (AC-17a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and (AC-17a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and (AC-17a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and (AC-17a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and (AC-17a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and (AC-17a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and (AC-17a. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and (AC-17a. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and (AC-17a. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Telecommuters and home users should follow the organization's sanitization procedures, if possible. If the sanitization procedures cannot be conducted in a safe manner and there is no assurance that the information has been sanitized, the user should take the media to a professional. (App D, Guidelines for Media Sanitization, NIST SP 800-88, September 2006)
  • Develop data management capabilities (e.g., cloud-based, centralized cryptographic key management) to include support to the mobile workforce. (T0413, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The organization should only authorize remote access for privileged commands and security-relevant information for compelling operational needs. (SG.AC-15 Additional Considerations A3, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must document the allowed remote access methods. (App F § AC-17.a, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must authorize remote access before the connection is established. (App F § AC-17.d, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must enforce the remote connection requirements. (App F § AC-17.e, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Develop data management capabilities (e.g., cloud-based, centralized cryptographic key management) to include support to the mobile workforce. (T0413, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed. (AC-17a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed. (AC-17a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed. (AC-17a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed. (AC-17a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and (AC-17a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and (AC-17a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and (AC-17a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and (AC-17a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and (AC-17a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and (AC-17a., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Development of employee security policies and procedures for the storage of, access to, transport of and transmittal of personal information off-premises; (§ 38a-999b(b)(2)(E), Connecticut General Statutes Title 38a, Chapter 705, Section 38a - 999b, Comprehensive information security program to safeguard personal information. Certification. Notice requirements for actual or suspected breach. Penalty.)
  • Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and (AC-17a., TX-RAMP Security Controls Baseline Level 1)
  • Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and (AC-17a., TX-RAMP Security Controls Baseline Level 2)