Employ multifactor authentication for remote access to the organization's network.


CONTROL ID
12505
CONTROL TYPE
Technical Security
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Control remote access through a network access control., CC ID: 01421

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • AIs should identify the locations of customer data residing in different parts of AIs' networks and systems and ensure that adequate logical access controls are in place at different levels (e.g. application level, database level, operating system level, network level) to prevent unauthorized access… (Annex C. ¶ 1, Hong Kong Monetary Authority Customer Data Protection, 14 October 2014)
  • Controls over mobile computing are required to manage the risks of working in an unprotected environment. In protecting AIs’ information, AIs should establish control procedures covering: - an approval process for user requests for mobile computing; - authentication controls for remote access to n… (3.5.2, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • The examples where increased authentication strength may be required, given the risks involved include : administration or other privileged access to sensitive or critical IT assets, remote access through public networks to sensitive assets and activities carrying higher risk like third-party fund t… (Critical components of information security 5) (v), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Requiring a two-factor authentication process for remote access (e.g., PIN based token card with a one-time random password generator, or token based PKI) (Critical components of information security 25) iii.k., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Remote access allows users to connect to the FI's internal network via an external network to access the FI's data and systems, such as emails and business applications. Remote connections should be encrypted to prevent data leakage through network sniffing and eavesdropping. Strong authentication, … (§ 9.3.1, Technology Risk Management Guidelines, January 2021)
  • Use two-factor authentication and strong encryption for remote access. Review the method of encryption (e.g. algorithm and key length) periodically to ensure that it is recognised by the industry as relevant and secure. (Annex A2: Computer Network Security 11, Singapore(PDPC) Guide to Securing Personal Data in Electronic Medium, Revised 20 January 2017)
  • Multi-factor authentication is used to authenticate all users of remote access solutions. (Security Control: 1504; Revision: 0, Australian Government Information Security Manual, March 2021)
  • remote access (i.e. via public networks) to sensitive or critical information assets; and (Attachment C 6(b)., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • multi-factor authentication for privileged access, remote access and other high-risk activities; (¶ 44(i), APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • Remote (Internet) access to commercially or personal sensitive data and critical information requires authentication. (Secure configuration Question 26, Cyber Essentials Scheme (CES) Questionnaire, Versions 3.3)
  • Privileged access rights: financial institutions should implement strong controls over privileged system access by strictly limiting and closely supervising accounts with elevated system access entitlements (e.g. administrator accounts). In order to ensure secure communication and reduce risk, remot… (3.4.2 31(c), Final Report EBA Guidelines on ICT and security risk management)
  • The organization's network is accessed via a secured connection (e.g. VPN) and strong authentication. (2.1.4 Requirements (must) Bullet 2, Information Security Assessment, Version 5.1)
  • The control system shall provide the capability to employ multifactor authentication for human user access to the control system via an untrusted network (see 5.15, SR 1.13 – Access via untrusted networks). (5.3.3.2 ¶ 1, IEC 62443-3-3: Industrial communication networks – Network and system security – Part 3-3: System security requirements and security levels, Edition 1)
  • Incorporate multi-factor authentication for all remote network access (both user and administrator, and including third-party access for support or maintenance) originating from outside the entity’s network. (8.3.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Incorporate multi-factor authentication for all remote network access (both user and administrator, and including third-party access for support or maintenance) originating from outside the entity’s network. (8.3.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Is multi-factor authentication incorporated for all remote network access (both user and administrator, and including third party access for support or maintenance) originating from outside the entity’s network? (8.3.2, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Is multi-factor authentication incorporated for all remote network access (both user and administrator, and including third party access for support and maintenance) originating from outside the entity’s network? (8.3.2, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.2)
  • Is multi-factor authentication incorporated for all remote network access (both user and administrator, and including third party access for support or maintenance) originating from outside the entity’s network? (8.3.2, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Is multi-factor authentication incorporated for all remote network access (both user and administrator, and including third party access for support or maintenance) originating from outside the entity’s network? (8.3.2, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Is multi-factor authentication incorporated for all remote network access (both user and administrator, and including third party access for support or maintenance) originating from outside the entity's network? (8.3.2, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Observe a sample of personnel (for example, users and administrators) connecting remotely to the network and verify that at least two of the three authentication methods are used. (8.3.2.b, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Examine system configurations for remote access servers and systems to verify multi-factor authentication is required for: - All remote access by personnel, both user and administrator, and - All third-party/vendor remote access (including access to applications and system components for support or … (8.3.2.a, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • MFA is implemented for all remote network access originating from outside the entity's network that could access or impact the CDE as follows: (8.4.3, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • All remote access by all personnel, both users and administrators, originating from outside the entity's network. (8.4.3 Bullet 1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • All remote access by third parties and vendors. (8.4.3 Bullet 2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine network and/or system configurations for remote access servers and systems to verify MFA is required in accordance with all elements specified in this requirement. (8.4.3.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Observe personnel (for example, users and administrators) connecting remotely to the network and verify that multi-factor authentication is required. (8.4.3.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • MFA is implemented for all remote network access originating from outside the entity's network that could access or impact the CDE as follows: (8.4.3, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • All remote access by all personnel, both users and administrators, originating from outside the entity's network. (8.4.3 Bullet 1, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • All remote access by third parties and vendors. (8.4.3 Bullet 2, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • MFA is implemented for all remote network access originating from outside the entity's network that could access or impact the CDE as follows: (8.4.3, Self-Assessment Questionnaire B-IP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • All remote access by third parties and vendors. (8.4.3 Bullet 2, Self-Assessment Questionnaire B-IP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • All remote access by all personnel, both users and administrators, originating from outside the entity's network. (8.4.3 Bullet 1, Self-Assessment Questionnaire B-IP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • All remote access by all personnel, both users and administrators, originating from outside the entity's network. (8.4.3 Bullet 1, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • MFA is implemented for all remote network access originating from outside the entity's network that could access or impact the CDE as follows: (8.4.3, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • All remote access by third parties and vendors. (8.4.3 Bullet 2, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • MFA is implemented for all remote network access originating from outside the entity's network that could access or impact the CDE as follows: (8.4.3, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • All remote access by all personnel, both users and administrators, originating from outside the entity's network. (8.4.3 Bullet 1, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • All remote access by third parties and vendors. (8.4.3 Bullet 2, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • MFA is implemented for all remote network access originating from outside the entity's network that could access or impact the CDE as follows: (8.4.3, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • All remote access by all personnel, both users and administrators, originating from outside the entity's network. (8.4.3 Bullet 1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • All remote access by third parties and vendors. (8.4.3 Bullet 2, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Require MFA for remote network access. (CIS Control 6: Safeguard 6.4 Require MFA for Remote Network Access, CIS Controls, V8)
  • Additional authentication information or credentials are required when accessing the system from outside its boundaries. (CC6.6 ¶ 2 Bullet 3 Requires Additional Authentication or Credentials, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The organization implements multi-factor authentication, or at least equally secure access controls for remote access, if it is warranted by applicable risk considerations. (PR.AC-3.2, CRI Profile, v1.2)
  • The organization implements multi-factor authentication, or at least equally secure access controls for remote access, if it is warranted by applicable risk considerations. (PR.AC-3.2, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requireme… (IA-2(11) ¶ 1, StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requireme… (IA-2(11) ¶ 1, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requireme… (IA-2(11) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Additional authentication information or credentials are required when accessing the system from outside its boundaries. (CC6.6 Requires Additional Authentication or Credentials, Trust Services Criteria)
  • Additional authentication information or credentials are required when accessing the system from outside its boundaries. (CC6.6 ¶ 2 Bullet 3 Requires Additional Authentication or Credentials, Trust Services Criteria, (includes March 2020 updates))
  • Require multi-factor authentication for all Interactive Remote Access sessions. (CIP-005-5 Table R2 Part 2.3 Requirements ¶ 1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Electronic Security Perimeter(s) CIP-005-5, Version 5)
  • Where technically feasible, perform authentication when establishing Dial-up Connectivity with applicable Cyber Assets. (CIP-005-5 Table R1 Part 1.4 Requirements ¶ 1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Electronic Security Perimeter(s) CIP-005-5, Version 5)
  • Require multi-factor authentication for all Interactive Remote Access sessions. (CIP-005-6 Table R2 Part 2.3 Requirements, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Electronic Security Perimeter(s) CIP-005-6, Version 6)
  • Where technically feasible, perform authentication when establishing Dial-up Connectivity with applicable Cyber Assets. (CIP-005-6 Table R1 Part 1.4 Requirements, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Electronic Security Perimeter(s) CIP-005-6, Version 6)
  • Where technically feasible, perform authentication when establishing Dial-up Connectivity with applicable Cyber Assets. (CIP-005-7 Table R1 Part 1.4 Requirements, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Electronic Security Perimeter(s) CIP-005-7, Version 7)
  • Require multi-factor authentication for all Interactive Remote Access sessions. (CIP-005-7 Table R2 Part 2.3 Requirements, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Electronic Security Perimeter(s) CIP-005-7, Version 7)
  • Implement authentication for all Dial-up Connectivity, if any, that provides access to low impact BES Cyber Systems, per Cyber Asset capability (Section 3. 3.2, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Security Management Controls CIP-003-6, Version 6)
  • Authenticate all Dial-up Connectivity, if any, that provides access to low impact BES Cyber System(s), per Cyber Asset capability. (Attachment 1 Section 3. 3.2, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Security Management Controls CIP-003-8, Version 8)
  • Remote access to critical systems by employees, contractors, and third parties uses encrypted connections and multifactor authentication. (Domain 3: Assessment Factor: Preventative Controls, ACCESS AND DATA MANAGEMENT Baseline 1 ¶ 15, FFIEC Cybersecurity Assessment Tool, Baseline, May 2017)
  • IAM based on job type and access and appropriate authentication techniques. (App A Objective 9:1c Bullet 2, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Authentication and security of access points. (AppE.7 Objective 3:4 f., FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Operational risk mitigation: Review whether management controls include the following: risk management; transaction monitoring and geolocation tools; fraud prevention, detection, and response programs; additional controls (e.g., stronger authentication and encryption); authentication and authorizati… (AppE.7 Objective 5:4 b., FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [FedRAMP Assignment: FIPS 140-2, NIAP Certification, or NSA appro… (IA-2(11) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [FedRAMP Assignment: FIPS 140-2, NIAP Certification, or NSA appro… (IA-2(11) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requireme… (IA-2(11) ¶ 1 Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requireme… (IA-2(11) ¶ 1 High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requireme… (IA-2(11) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requireme… (IA-2(11) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requireme… (IA-2(11) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Multi-Factor Authentication shall be utilized for any individual accessing the Covered Entity's internal networks from an external network, unless the Covered Entity's CISO has approved in writing the use of reasonably equivalent or more secure access controls. (§ 500.12 Multi-Factor Authentication (b), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies)
  • the third-party service provider's policies and procedures for access controls, including its use of multi-factor authentication as required by section 500.12 of this Part, to limit access to relevant information systems and nonpublic information; (§ 500.11 Third-Party Service Provider Security Policy (b)(1), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)
  • remote access to third-party applications, including but not limited to those that are cloud based, from which nonpublic information is accessible; and (§ 500.12 Multi-Factor Authentication (a)(2), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)
  • remote access to the covered entity's information systems; (§ 500.12 Multi-Factor Authentication (a)(1), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)
  • The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [TX-RAMP Assignment: Modern Authentication Protocols]. (IA-2(11) ¶ 1, TX-RAMP Security Controls Baseline Level 2)
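Several of the authority documents above (PCI DSS 8.3.2.a and 8.4.3.a in particular) test this control by examining the configuration of the remote access servers rather than by trusting policy text. The following is an added example of such a configuration check, not code from this page or from any of the cited standards. It audits an OpenSSH sshd_config, one common remote access entry point, and treats an AuthenticationMethods line in which every alternative requires at least two distinct methods as the evidence that MFA is enforced; that interpretation, the severity labels, and the two sample configurations are all assumptions made for illustration (the sample configurations are constructed, not taken from a real host).

```python
"""Audit an sshd_config for enforced multi-factor authentication.

Added example; the policy encoded here (every AuthenticationMethods
alternative must require two distinct methods, in the global section and
in every Match block) is an assumption, not text from any standard.
"""
import re
from dataclasses import dataclass, field

# Constructed sample configurations (not taken from any real system).
GOOD_CONFIG = """
Port 22
UsePAM yes
KbdInteractiveAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive
Match Group admins
    AuthenticationMethods publickey,keyboard-interactive
"""

WEAK_CONFIG = """
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive   # looks fine globally
Match User vendor-support
    AuthenticationMethods publickey                    # single factor for a vendor
Match Address 10.0.0.0/8
    AuthenticationMethods password                     # single factor by source address
"""


@dataclass
class Section:
    name: str
    options: dict = field(default_factory=dict)


def parse_sshd_config(text: str) -> list:
    """Split an sshd_config into the global section followed by its Match blocks.

    Keywords are case-insensitive and, as in sshd, the first value wins
    inside a section; comments and blank lines are dropped.
    """
    sections = [Section("global")]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            sections.append(Section(f"Match {value}"))
        else:
            sections[-1].options.setdefault(key, value)
    return sections


def _effective(section: Section, global_section: Section, key: str, default=None):
    """A Match block inherits every keyword it does not override from the global section."""
    return section.options.get(key, global_section.options.get(key, default))


def audit_mfa(text: str) -> list:
    """Return (severity, section, message) findings.

    'fail'   = a login path that succeeds with a single method
    'verify' = two methods whose second factor cannot be confirmed from this file
    'warn'   = a listed method that cannot work as configured
    """
    sections = parse_sshd_config(text)
    g = sections[0]
    findings = []
    for s in sections:
        methods_value = _effective(s, g, "authenticationmethods")
        if not methods_value:
            findings.append(("fail", s.name, "AuthenticationMethods not set: any one successful method grants access"))
            continue
        uses_kbd = False
        # Space-separated entries are alternatives; comma-separated methods within one entry are all required.
        for alternative in methods_value.split():
            methods = {m.lower() for m in alternative.split(",")}
            uses_kbd |= "keyboard-interactive" in methods
            if len(methods) < 2:
                findings.append(("fail", s.name, f"alternative '{alternative}' requires only one method"))
            elif methods == {"password", "keyboard-interactive"}:
                findings.append(("verify", s.name, f"'{alternative}' is MFA only if the PAM module behind keyboard-interactive is an OTP or token; confirm manually"))
        if uses_kbd:
            if _effective(s, g, "usepam", "no").lower() != "yes":
                findings.append(("warn", s.name, "keyboard-interactive listed but UsePAM is not yes"))
            if (_effective(s, g, "kbdinteractiveauthentication", "yes").lower() == "no"
                    or _effective(s, g, "challengeresponseauthentication", "yes").lower() == "no"):
                findings.append(("warn", s.name, "keyboard-interactive listed but explicitly disabled"))
    return findings


def mfa_enforced(text: str) -> bool:
    """True when no section offers a single-method login path."""
    return not any(sev == "fail" for sev, _, _ in audit_mfa(text))


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("weak", WEAK_CONFIG)):
        print(f"{label}: MFA enforced = {mfa_enforced(cfg)}")
        for sev, section, msg in audit_mfa(cfg):
            print(f"  [{sev}] {section}: {msg}")
```

The point of walking the Match blocks is that an assessor who only reads the global AuthenticationMethods line would pass the second sample, while a vendor account or an address range has been quietly exempted. The file alone cannot prove what keyboard-interactive actually prompts for, so the check reports that case for manual verification rather than passing it.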