Remote-access Guide

Remote Access AC-17

by Jakayla Hills PhD Published 2 years ago Updated 1 year ago

AC-17b. Authorizes remote access to the information system prior to allowing such connections. Remote access is access to organizational information systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include, for example, dial-up, broadband, and wireless.

Full Answer

What is an authorized remote access?

Authorizes the execution of privileged commands and access to security-relevant information via remote access only for [Assignment: organization-defined needs]; and documents the rationale for such access in the security plan for the information system.

How do I enforce access restrictions for remote access?

Enforcing access restrictions for remote access is addressed via AC-3. Employ automated mechanisms to monitor and control remote access methods. Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions. Route remote accesses through authorized and managed network access control points.

What are the different methods of remote access?

Remote access methods include, for example, dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality and integrity over remote connections.

What is the purpose of the remote access protection organization?

The organization ensures that users protect information about remote access mechanisms from unauthorized use and disclosure. Withdrawn: Incorporated into AC-3 (10). Withdrawn: Incorporated into CM-7.


AC-17 (3): Managed Access Control Points

The information system routes all remote accesses through [Assignment: organization-defined number] managed network access control points.

AC-17 (6): Protection Of Information

The organization ensures that users protect information about remote access mechanisms from unauthorized use and disclosure.

What is remote access?

Remote access is access to organizational information systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include, for example, dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality and integrity over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate security controls (e.g., employing appropriate encryption techniques for confidentiality and integrity protection) may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. Also, VPNs with encrypted tunnels can affect the organizational capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to information systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the formats for such authorization. While organizations may use interconnection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote connections is addressed in AC-3.

Does PCF support remote access?

PCF complies with this requirement by providing TLS 1.2 support for all user network connections. However, PCF does not provide any native support for “remote” access, and inherits controls from the supporting infrastructure.

Does VPN enhance remote connections?

Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. Also, VPNs with encrypted tunnels can affect the organizational capability to adequately monitor network communications traffic for malicious code.

What is remote access monitoring?

Automated monitoring and control of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of information system components (e.g., servers, workstations, notebook computers, smart phones, and tablets).

Why limit the number of access control points for remote accesses?

Limiting the number of access control points for remote accesses reduces the attack surface for organizations. Organizations consider the Trusted Internet Connections (TIC) initiative requirements for external network connections.
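The monitoring and managed-access-point answers above can be combined into one automated check. The following is an added example, not part of the original page or of any NIST material: it audits session records against an authorization list, a set of managed entry points, and a list of users with a documented need for privileged remote access. The log format, host names, user names and address ranges are all constructed assumptions.

```python
import csv
import io
import ipaddress

# Constructed policy data (assumptions for this example, not from the page).
MANAGED_ACCESS_POINTS = {"vpn-gw-1", "vpn-gw-2"}    # AC-17 (3): organization-defined set
AUTHORIZED_REMOTE_USERS = {"alice", "bob"}          # AC-17b: authorized before connecting
PRIVILEGED_REMOTE_USERS = {"alice"}                 # documented need for privileged use
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed session records; a real feed would come from VPN/gateway logs.
SAMPLE_LOG = """timestamp,user,src_ip,entry_point,privileged
2024-01-10T08:01:00Z,alice,203.0.113.7,vpn-gw-1,yes
2024-01-10T08:05:00Z,bob,198.51.100.4,vpn-gw-2,yes
2024-01-10T08:09:00Z,carol,203.0.113.9,vpn-gw-1,no
2024-01-10T08:12:00Z,bob,198.51.100.4,jump-legacy,no
2024-01-10T08:15:00Z,dave,10.1.2.3,none,no
"""

def is_remote(src_ip):
    """A session is remote when its source lies outside the internal ranges."""
    addr = ipaddress.ip_address(src_ip)
    return not any(addr in net for net in INTERNAL_NETS)

def audit_sessions(log_text):
    """Return (timestamp, user, reasons) for each remote session violating policy."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if not is_remote(row["src_ip"]):
            continue  # internal connection, outside the scope of this check
        reasons = []
        if row["user"] not in AUTHORIZED_REMOTE_USERS:
            reasons.append("user not authorized for remote access")
        if row["entry_point"] not in MANAGED_ACCESS_POINTS:
            reasons.append("bypassed managed access control point")
        if row["privileged"] == "yes" and row["user"] not in PRIVILEGED_REMOTE_USERS:
            reasons.append("privileged remote access without documented need")
        if reasons:
            findings.append((row["timestamp"], row["user"], reasons))
    return findings

if __name__ == "__main__":
    for ts, user, reasons in audit_sessions(SAMPLE_LOG):
        print(ts, user, "; ".join(reasons))
```
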

How is encryption strength selected?

The encryption strength of the mechanism is selected based on the security categorization of the information.
