3.13.7 has a weight of -1 points
(System and Communications Protection Family, 7/16)
Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling).
Example of System Security Plan (SSP):
Prevention of Split Tunneling in Remote Devices
- Policy Statement: The organization prohibits split tunneling in remote devices to prevent unauthorized external connections and enhance the security of organizational systems.
- Purpose: This policy aims to minimize the risk of potential attacks and information exfiltration through split tunneling while allowing secure communication with local system resources.
- Implementation: The organization configures remote devices (e.g., notebook computers, smart phones, tablets) to disable split tunneling through appropriate configuration settings. Users are restricted from modifying these settings to maintain security.
- Detection and Prohibition: Systems are designed to detect split tunneling or configuration settings that enable it in remote devices. If split tunneling is detected, the connection to organizational systems is prohibited to ensure security.
- Exception: In exceptional cases where remote users require communication with local system resources such as printers or file servers, the organization may allow split tunneling on a case-by-case basis, subject to proper authorization and risk assessment.
- Scope: This policy applies to all remote devices accessing organizational systems.
- Continuous Monitoring: Regularly monitor remote devices and systems to identify any instances of split tunneling or unauthorized configurations.
- Compliance: Adherence to this policy is crucial for maintaining a secure and controlled network environment.
- Enforcement: The organization enforces this policy through strict configuration management and monitoring of remote devices and systems.
- Review: The policy is subject to periodic reviews and updates to align with evolving security threats and technology advancements.
- Training: Ensure remote device users are educated on the risks of split tunneling and the importance of compliance with this policy.
- Documentation: Document the split tunneling prevention policy and any authorized exceptions for audit and reference purposes.
- Communication: Communicate the policy and its implications to all remote device users to foster awareness and compliance.
Example of Plan of Action and Milestones (POA&M):
Milestone 1: Policy Development and Communication
Develop a comprehensive “Prevention of Split Tunneling in Remote Devices Policy” that clearly outlines the purpose, scope, implementation, and benefits of the policy. Communicate the policy to all remote device users and relevant stakeholders. [Target Date]
Milestone 2: Configuration and Prohibition of Split Tunneling
Configure all remote devices, including notebook computers, smartphones, and tablets, to disable split tunneling through appropriate configuration settings. Implement measures to prevent users from modifying these settings. [Target Date]
Milestone 3: Detection Mechanisms
Design and implement systems that can detect instances of split tunneling or unauthorized configurations on remote devices. Ensure that immediate action is taken if split tunneling is detected to prohibit access to organizational systems. [Target Date]
Milestone 4: Exception Management
Establish a process for handling exceptional cases where remote users require communication with local system resources. Develop criteria for authorizing split tunneling on a case-by-case basis, subject to proper risk assessment and approval. [Target Date]
Milestone 5: Continuous Monitoring and Enforcement
Implement continuous monitoring of remote devices and systems to identify any instances of split tunneling or unauthorized configurations. Enforce the policy through strict configuration management and take necessary actions if violations are detected. [Target Date]
Milestone 6: Training and Awareness
Conduct training and awareness programs to educate all remote device users about the risks of split tunneling and the importance of compliance with the policy. Ensure that users understand their responsibilities in maintaining a secure network environment. [Target Date]
Milestone 7: Documentation and Review
Document the “Prevention of Split Tunneling in Remote Devices Policy,” including any authorized exceptions, for audit and reference purposes. Subject the policy to periodic reviews to ensure its effectiveness against emerging security threats and advancements in technology. [Target Date]
Milestone 8: Compliance and Reporting
Regularly assess the organization’s compliance with the policy and provide periodic reports to relevant stakeholders and management. Demonstrate the successful implementation of the policy and its impact on the security posture. [Target Date]
Milestone 9: Continuous Improvement
Foster a culture of continuous improvement by encouraging feedback from remote device users, conducting regular assessments, and staying informed about emerging best practices and technologies. Regularly update the policy and configurations based on lessons learned and new insights. [Target Date]
RELEVANT INFORMATION:
Split tunneling might be desirable to remote users for communicating with local system resources such as printers or file servers. However, split tunneling allows unauthorized external connections, making the system more vulnerable to attack and to exfiltration of organizational information. This requirement is implemented in remote devices (e.g., notebook computers, smart phones, and tablets) through configuration settings that disable split tunneling in those devices, and by preventing those configuration settings from being readily changed by users. This requirement is implemented in the system by detecting split tunneling (or configuration settings that allow split tunneling) on the remote device, and by prohibiting the connection if the remote device is using split tunneling.
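As an added example (not part of the control text or of any vendor's VPN client), the following Python posture check applies the detection rule described above to a remote device's routing table: it confirms that default traffic is forced through the VPN interface and flags every route that bypasses the tunnel unless that subnet is an authorized local exception (the printer or file-server case). Interface names, addresses, the VPN server address and the two route tables are constructed assumptions.

```python
"""Posture check for 3.13.7: detect split tunneling from a remote device's routing
table.  The route tables below are constructed samples, not captures from a real host."""
import ipaddress
import re

# Constructed `ip route show` output: tun0 = organisational VPN, eth0 = home LAN,
# 203.0.113.10 = hypothetical VPN server.  FULL_TUNNEL uses the OpenVPN-style
# 0/1 + 128/1 override; SPLIT_TUNNEL leaves the default route on the LAN.
FULL_TUNNEL = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0
203.0.113.10 via 192.168.1.1 dev eth0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.12
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
"""
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev eth0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.12
10.20.0.0/16 via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
"""
ROUTE_RE = re.compile(r"^(?P<dst>\S+)(?:\s+via\s+\S+)?\s+dev\s+(?P<dev>\S+)")
ALL_V4 = ipaddress.ip_network("0.0.0.0/0")
HALVES = {ipaddress.ip_network("0.0.0.0/1"), ipaddress.ip_network("128.0.0.0/1")}

def parse_routes(text):
    """Yield (destination network, egress interface) from `ip route` lines."""
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            dst = "0.0.0.0/0" if m["dst"] == "default" else m["dst"]
            yield ipaddress.ip_network(dst, strict=False), m["dev"]

def check_split_tunneling(route_text, vpn_iface, vpn_server, allowed_local=()):
    """Return (compliant, violations).  Compliant: all traffic defaults into the VPN and
    the only routes bypassing it are the VPN server host route and authorised local subnets."""
    routes = list(parse_routes(route_text))
    vpn_nets = {net for net, dev in routes if dev == vpn_iface}
    violations = []
    if ALL_V4 not in vpn_nets and not HALVES <= vpn_nets:
        violations.append(f"default traffic is not forced through {vpn_iface}")
    server = ipaddress.ip_network(vpn_server)            # /32 host route to the VPN server
    allowed = [ipaddress.ip_network(n) for n in allowed_local]
    for net, dev in routes:
        if dev == vpn_iface or net in (ALL_V4, server):  # default route handled above
            continue
        if not any(net.subnet_of(a) for a in allowed):
            violations.append(f"{net} reachable via {dev} outside the tunnel")
    return not violations, violations
```

A non-compliant result is the point at which the control says the connection is to be prohibited; the unauthorized LAN route in the first sample shows why the exception list must be explicit rather than implied.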
Resources to consider:
Security Policy Document:
This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.
Asset Inventory and Access Control Sheet:
Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.
User Account Management Log:
Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.
Password and Multi-Factor Authentication Policy:
Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.
Process and Script Accountability Log:
Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.
Device Access Control and VPN Policy:
Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.
Access Control Review and Monitoring Schedule:
Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.
User Training and Awareness Materials:
Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.