Document external connections for all systems.


CONTROL ID: 06415
CONTROL TYPE: Configuration
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a Configuration Management Database with accessible reporting capabilities. (CC ID: 02132)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The organization should review all software applications to determine if they try to establish external connections. (Control: 0387, Australian Government Information Security Manual: Controls)
  • Determine the protection requirements for communication links and document the external connections. (4.3.5 Bullet 1, BSI-Standard 100-2 IT-Grundschutz Methodology, Version 2.0)
  • Acquire external connections and document them in tabular or graphical form. (§ 8.2.8 Subsection 2 Bullet 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Information systems and networks accessible by external connections should record details relating to external connections established (e.g., the Internet, Integrated services digital network, Virtual private network, and dial-up). (CF.09.03.03e, The Standard of Good Practice for Information Security, 2013)
  • The organization should implement procedures for approving external network connections. (Table Ref 8.2.5, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • the service organization's use of technology, including its applications, infrastructure, network architecture, use of mobile devices, use of cloud technologies, and the types of external party access or connectivity to the system; (¶ 3.59 Bullet 9 Sub-Bullet 1, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • § 3.2.4 (MED0070: CAT II) All external connections that support network devices will be listed in the site accreditation documents. § 5.1.1 (MED0420: CAT II) The Information Assurance Officer/Network Security Officer will ensure that a networked medical device allows only in-band-management sessio… (§ 3.2.4 (MED0070: CAT II), § 5.1.1 (MED0420: CAT II), Medical Devices Security Technical Implementation Guide, Version 1, Release 1)
  • The organization must document all connections to the system and the security requirements for the connection. (SG.CA-4 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must identify all external smart grid Information System and communication connections and protect them from damage or tampering. (SG.SC-18 Requirement, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should document the installation and use of remote maintenance and diagnostic connections in the system security plan. (App F § MA-4(2), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)