3.1 ACCESS CONTROL

3.1.20 Verify and control/limit connections to and use of external systems

By wnoble2005@gmail.com (William Noble) 📅 2024-02-28
NIST 800-171 control 3.1.20 aims to secure organizational systems by verifying and limiting connections to, and use of, external systems. This reduces the attack surface, improves data security, and enhances network performance. System owners define the allowed connections, while the IT security team monitors and audits them. Implementation involves identifying authorized external systems, defining permitted connections, and enforcing them with firewalls, access controls, and intrusion detection systems.



External systems are systems or components of systems for which organizations typically have no direct supervision and authority over the application of security requirements and controls or the determination of the effectiveness of implemented controls on those systems. External systems include personally owned systems, components, or devices and privately-owned computing and communications devices resident in commercial or public facilities. This requirement also addresses the use of external systems for the processing, storage, or transmission of CUI, including accessing cloud services (e.g., infrastructure as a service, platform as a service, or software as a service) from organizational systems.

Organizations establish terms and conditions for the use of external systems in accordance with organizational security policies and procedures. Terms and conditions address, as a minimum, the types of applications that can be accessed on organizational systems from external systems. If terms and conditions with the owners of external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems.

This requirement recognizes that there are circumstances where individuals using external systems (e.g., contractors, coalition partners) need to access organizational systems. In those situations, organizations need confidence that the external systems contain the necessary controls so as not to compromise, damage, or otherwise harm organizational systems. Verification that the required controls have been effectively implemented can be achieved by third-party, independent assessments, attestations, or other means, depending on the assurance or confidence level required by organizations.

Note that while "external" typically refers to outside of the organization's direct supervision and authority, that is not always the case. Regarding the protection of CUI across an organization, the organization may have systems that process CUI and others that do not. And among the systems that process CUI there are likely access restrictions for CUI that apply between systems. Therefore, from the perspective of a given system, other systems within the organization may be considered "external" to that system.



Benefits:

Reduced risk of data breaches: By limiting access to CUI from external systems, organizations can reduce the potential for unauthorized access and exfiltration of sensitive information.

Enhanced data integrity: Controlling the use of external systems helps prevent unauthorized modifications or manipulation of CUI.

Improved compliance: Implementing this control demonstrates an organization's commitment to protecting CUI and complying with relevant regulations, such as the Cybersecurity Maturity Model Certification (CMMC) for defense contractors.

Minimized malware risk: By limiting connections to unmanaged external systems, organizations can decrease the chance of malware infiltrating their networks through these connections.

Accountability:

Senior Management:
  Establish and enforce policies: They set the overall direction by defining clear policies on acceptable external connections and usage.
  Allocate resources: They provide the necessary resources, including budget and personnel, to implement and maintain effective controls.
  Conduct reviews: They oversee the implementation of control 3.1.20 and conduct periodic reviews to assess its effectiveness.

IT Security Team:
  Develop and implement controls: They design and implement technical controls like firewalls, access controls, and intrusion detection systems to limit and monitor external connections.
  Monitor and detect suspicious activity: They continuously monitor for suspicious activity related to external connections and promptly investigate and respond to incidents.
  Incident response: They develop and maintain an incident response plan to address security breaches involving external system connections.

System Owners:
  Define and document system requirements: They define the specific requirements for connecting to and using external systems for their respective systems.
  Approve connections: They assess and approve requests for connecting to external systems, ensuring alignment with security policies and system requirements.
  Manage access: They grant or deny access to external systems based on the principle of least privilege and user roles.

Individual Users:
  Comply with policies and procedures: They are responsible for adhering to established policies and procedures regarding external system connections and usage.
  Report suspicious activity: They are required to report any suspicious activity observed during their use of external systems to the IT security team.

Implementation:

Define acceptable use: Develop policies outlining authorized external systems, permitted applications, and secure data transfer methods.

Implement access controls: Utilize firewalls, intrusion detection systems, and access control lists to restrict unauthorized connections and monitor authorized ones.

Educate and train personnel: Train employees on acceptable use policies, potential security risks, and reporting procedures for suspicious activity.

Monitor and audit: Regularly monitor system logs, identify and address suspicious access attempts, and conduct periodic audits to ensure the effectiveness of implemented controls.

Continuous improvement: Regularly review and update policies and procedures based on emerging threats, evolving technologies, and lessons learned from incidents.
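The implementation steps above turn into working practice once the list of approved external systems is recorded as data and the connection logs are checked against it. The following script is an added example, not part of the original page or of any NIST publication: it keeps a constructed allowlist of approved external systems (each entry names the approving system owner and the expiry date of the third-party attestation that verifies its controls), then audits constructed firewall-style log lines ("date src dst port") and sorts each connection into approved, attestation-expired, unapproved, or internal. The log format, the address ranges, and the system names are all assumptions made for the example.

```python
"""Audit connection records against an approved list of external systems.

Added example (not from the original page). The allowlist, the internal
address ranges and the log lines are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network
from typing import Dict, List


@dataclass(frozen=True)
class ExternalSystem:
    """One approved external system and the evidence behind its approval."""
    name: str                  # hypothetical label
    network: str               # CIDR the external system is reached at
    ports: frozenset           # TCP ports the connection may use
    owner: str                 # system owner who approved the connection
    attestation_expires: date  # last day the control attestation is valid


# Constructed allowlist: 3.1.20 asks that connections be verified as well as
# permitted, so each entry carries an attestation expiry, not just an address.
APPROVED = [
    ExternalSystem("cloud-storage (hypothetical)", "203.0.113.0/24",
                   frozenset({443}), "system-owner-a", date(2025, 6, 30)),
    ExternalSystem("partner-sftp (hypothetical)", "198.51.100.10/32",
                   frozenset({22}), "system-owner-b", date(2023, 12, 31)),
]

# Assumed internal address space; anything outside it is treated as external.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed log lines: "<date> <source> <destination> <tcp port>".
SAMPLE_LOG = """\
2024-02-28 10.0.1.5 203.0.113.20 443
2024-02-28 10.0.1.5 203.0.113.20 8443
2024-02-28 10.0.2.9 198.51.100.10 22
2024-02-28 10.0.2.9 192.168.4.4 445
2024-02-28 10.0.3.1 192.0.2.77 443
"""


def is_external(addr: str) -> bool:
    """True when the address lies outside every internal range."""
    ip = ip_address(addr)
    return not any(ip in net for net in INTERNAL)


def classify(day: date, dst: str, port: int) -> str:
    """Return 'internal', 'approved', 'attestation-expired' or 'unapproved'."""
    if not is_external(dst):
        return "internal"
    ip = ip_address(dst)
    for system in APPROVED:
        # Both the destination and the port must be on the approved entry.
        if ip in ip_network(system.network) and port in system.ports:
            if day <= system.attestation_expires:
                return "approved"
            return "attestation-expired"
    return "unapproved"


def audit(log_text: str) -> Dict[str, List[str]]:
    """Group log lines by verdict so exceptions can be reviewed and acted on."""
    report: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        day_text, _src, dst, port_text = line.split()
        verdict = classify(date.fromisoformat(day_text), dst, int(port_text))
        report.setdefault(verdict, []).append(line)
    return report


if __name__ == "__main__":
    for verdict, lines in audit(SAMPLE_LOG).items():
        print(f"{verdict}:")
        for entry in lines:
            print("   ", entry)
```

Run stand-alone, the script reports one approved connection, one whose partner attestation lapsed at the end of 2023 (a verification failure even though the address and port are allowlisted), two unapproved destinations, and one internal connection that the control does not cover. In practice the allowlist would be maintained by the system owners and the audit run by the IT security team over real firewall or proxy exports; the "attestation-expired" bucket is the one that turns the periodic review of attestations into a concrete, schedulable task.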

Category: Cybersecurity Maturity Model
Family: Access Control (AC 3.1)
Type: Derived Security Requirements