3.1.12 has a weight of -5 points

(Access Control Family) 12/22

Monitor and control remote access sessions.

Example of a System Security Plan (SSP):

System Security Plan (SSP) for [Company Name]

1. Introduction

This System Security Plan describes how the organization manages, monitors, and restricts access to Controlled Unclassified Information (CUI). It includes the implementation of a Security Information and Event Management (SIEM) solution, firewalls, Multi-Factor Authentication (MFA), and training procedures.

2. Security Measures

2.1 SIEM and Firewall

The SIEM solution, in conjunction with firewall technology, monitors and logs VPN usage. MFA protects the connections, so that unauthorized users are denied access.

2.2 Remote Access Control

Remote access is limited to authorized users who need it to complete assigned job duties. Remote support sessions require MFA, and workstations remain locked without proper device-specific credentials and MFA.

2.3 Workstation Security

Access to workstations requires MFA. When not in use, workstations lock with a screensaver, requiring authentication to regain access. Any remote access connection is presented with the lock screen first, so authentication is required before the desktop can be reached.

2.4 Device Management

Devices authorized to store, process, and transmit CUI are always monitored and controlled by trained and authorized users. These measures ensure that access to CUI is only granted to those who have completed the required training and have signed the necessary policies.

3. Training and Awareness

All users with access to CUI must undergo training and adhere to signed policies. This ensures that only knowledgeable and compliant personnel have access to sensitive information.

4. Compliance

The security measures are aligned with relevant standards and the organization’s specific guidelines.

5. Review and Updates

The plan is subject to ongoing monitoring, audits, and necessary revisions to ensure continued compliance and effectiveness.

6. Responsibilities

The IT Department, in collaboration with other relevant departments, is responsible for implementing and maintaining these security measures.

7. Approval

This SSP is approved by: [Name, Title]

Signature:________________________ Date: _______________

Example of a Plan of Action and Milestones (POA&M):

Plan of Action & Milestones (POA&M) for [Company Name]

1. Introduction

This POA&M outlines the organization’s strategies to address identified gaps in securing Controlled Unclassified Information (CUI) as described in the System Security Plan (SSP). It highlights the actions, timelines, and responsibilities necessary to achieve full compliance.

2. Security Measures Enhancements

2.1 SIEM and Firewall

  • Action: Upgrade firewall to the latest version.
  • Responsibility: IT Security Team.
  • Timeline: Q1 2023.
  • Resources Needed: $5,000 for hardware/software.

2.2 Remote Access Control

  • Action: Implement additional access controls for remote users.
  • Responsibility: Remote Access Management Team.
  • Timeline: Q2 2023.
  • Resources Needed: $2,000 for software and licenses.

2.3 Workstation Security

  • Action: Roll out new MFA protocols across all workstations.
  • Responsibility: IT Security Team.
  • Timeline: Q2 2023.
  • Resources Needed: $3,000 for software and training.

2.4 Device Management

  • Action: Implement continuous monitoring solution for devices handling CUI.
  • Responsibility: IT Operations Team.
  • Timeline: Q3 2023.
  • Resources Needed: $4,000 for monitoring tools and licenses.

3. Training and Awareness

  • Action: Develop and deploy a new CUI handling training program.
  • Responsibility: HR and Training Department.
  • Timeline: Q1 2023.
  • Resources Needed: $1,500 for training materials and facilitators.

4. Review and Monitoring

  • Action: Regular audits and reviews of security measures.
  • Responsibility: Compliance and Audit Team.
  • Timeline: Ongoing.
  • Resources Needed: Internal resources.

5. Approval

This POA&M is approved by: [Name, Title]

Signature:________________________ Date: _______________

This POA&M should be viewed as a living document, requiring updates as tasks are completed or as new issues are identified. It serves as a roadmap for the organization to follow in implementing the necessary security controls and measures. Feel free to adjust the specifics to match your organization’s requirements and constraints!

RELEVANT INFORMATION:

Remote access is access to organizational systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate controls (e.g., employing encryption techniques for confidentiality protection), may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. VPNs with encrypted tunnels can affect the capability to adequately monitor network communications traffic for malicious code. Automated monitoring and control of remote access sessions allows organizations to detect cyber-attacks and helps to ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of system components (e.g., servers, workstations, notebook computers, smart phones, and tablets). [SP 800-46], [SP 800-77], and [SP 800-113] provide guidance on secure remote access and virtual private networks.


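To make the "auditing connection activities of remote users" concrete, here is an added example (not part of this page, NIST, or any SIEM product) that checks constructed remote-access session records against the three rules the sample SSP states: only authorized users may connect, every connection requires MFA, and each user may connect only from an enrolled (device-specific) device. The key=value log format, the user and device tables, and the field names are all assumptions made for illustration.

```python
"""Audit constructed remote-access session records against SSP-style rules.

Added example. The log format, the authorized-user table and the enrolled-device
table below are assumptions chosen for illustration, not real data.
"""
import re

# Constructed sample records in a hypothetical key=value VPN/remote-access log format.
SAMPLE_LOG = """\
ts=2023-03-01T08:02:11Z event=session_start user=alice device=LT-0142 mfa=yes src=203.0.113.10 session=1001
ts=2023-03-01T08:05:43Z event=session_start user=bob device=LT-0199 mfa=no src=198.51.100.7 session=1002
ts=2023-03-01T08:07:02Z event=session_start user=mallory device=LT-0301 mfa=yes src=192.0.2.44 session=1003
ts=2023-03-01T08:09:30Z event=session_start user=alice device=LT-0999 mfa=yes src=203.0.113.10 session=1004
ts=2023-03-01T20:10:00Z event=session_end session=1001
"""

# Assumed policy tables: who is authorized for remote access, and which device each user enrolled.
AUTHORIZED_USERS = {"alice", "bob"}
ENROLLED_DEVICES = {"alice": {"LT-0142"}, "bob": {"LT-0199"}}
FIELD = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one key=value record into a dict (assumed log format)."""
    return dict(FIELD.findall(line))


def audit_sessions(log_text):
    """Return (session_id, finding) pairs for every session_start that violates policy."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("event") != "session_start":
            continue  # only connection attempts are policy-checked here
        user, device, sid = rec.get("user"), rec.get("device"), rec.get("session")
        if user not in AUTHORIZED_USERS:
            findings.append((sid, f"user {user} not authorized for remote access"))
            continue  # no point checking MFA/device for an unauthorized account
        if rec.get("mfa") != "yes":
            findings.append((sid, f"user {user} connected without MFA"))
        if device not in ENROLLED_DEVICES.get(user, set()):
            findings.append((sid, f"user {user} connected from unenrolled device {device}"))
    return findings


if __name__ == "__main__":
    for sid, finding in audit_sessions(SAMPLE_LOG):
        print(f"session {sid}: {finding}")
```

Each finding is evidence for the SIEM review described in the SSP; session 1001 passes all three rules and produces none.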

Resources to consider:

Security Policy Document:

This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.

Asset Inventory and Access Control Sheet:

Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.

User Account Management Log:

Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.

Password and Multi-Factor Authentication Policy:

Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.

Process and Script Accountability Log:

Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.

Device Access Control and VPN Policy:

Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.

Access Control Review and Monitoring Schedule:

Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.

User Training and Awareness Materials:

Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.