3.7.5 has a weight of -5 points

(Maintenance Family) 5/6

Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.

Example of System Security Plan (SSP):

    Our organization places a high priority on the security of our systems, particularly during nonlocal maintenance sessions conducted via external network connections. To achieve this, we have implemented a policy requiring multifactor authentication for such sessions and ensuring their termination upon completion.

    1. Definition of Nonlocal Maintenance: Nonlocal maintenance and diagnostic activities pertain to individuals accessing organizational systems for maintenance purposes through an external network.
    2. Multifactor Authentication Requirement: Nonlocal maintenance sessions require multifactor authentication at login to establish a higher level of security. At least two independent authentication factors are used, such as passwords, smart cards, or biometrics.
    3. Network Access Requirements: The authentication techniques used for nonlocal maintenance sessions adhere to the network access requirements specified in section 3.5.3 of our security policies.
    4. Session Termination: Nonlocal maintenance sessions are promptly terminated once maintenance or diagnostic activities are completed. This practice minimizes the exposure of systems to potential security risks.
    5. Secure Communication Protocols: To ensure the confidentiality and integrity of transmitted data, nonlocal maintenance connections are established using secure communication protocols such as an encrypted VPN or SSH.
    6. Access Controls: Access to nonlocal maintenance sessions is strictly limited to authorized personnel with the appropriate privileges and permissions. Role-based access controls restrict access to specific systems and resources.
    7. Logging and Monitoring: Nonlocal maintenance sessions are logged and monitored to detect unusual or unauthorized activity. Security logs are reviewed regularly to identify potential security incidents.
    8. User Awareness and Training: We emphasize the importance of multifactor authentication for nonlocal maintenance sessions through comprehensive user and administrator training. This training promotes the secure use of remote access tools and adherence to security policies.
    9. Incident Response Preparedness: Our organization maintains well-defined incident response procedures for security incidents related to nonlocal maintenance sessions. Incident response teams are prepared to handle and mitigate potential security breaches.
    10. Continuous Improvement: We regularly review and enhance our multifactor authentication mechanisms and nonlocal maintenance practices to align with industry best practices. This commitment to continuous improvement ensures the ongoing effectiveness of our security measures.

    Example of Plan of Action and Milestones (POA&M):

    Milestone 1: Policy Implementation and Multifactor Authentication Setup

    • Implement the policy requiring multifactor authentication for nonlocal maintenance sessions. [Target Date]
    • Set up and configure the multifactor authentication system with at least two independent authentication factors. [Target Date]

    Milestone 2: Network Access Requirements and Session Termination

    • Ensure that the authentication techniques used for nonlocal maintenance sessions comply with section 3.5.3 of the security policies. [Target Date]
    • Implement session termination mechanisms to promptly end nonlocal maintenance sessions upon completion of maintenance or diagnostic activities. [Target Date]

    Milestone 3: Secure Communication Protocols and Access Controls

    • Establish secure communication protocols, such as encrypted VPN or SSH, for nonlocal maintenance connections. [Target Date]
    • Set up access controls to restrict nonlocal maintenance session access to authorized personnel with appropriate privileges and permissions. [Target Date]

    Milestone 4: Logging and Monitoring Implementation

    • Configure logging and monitoring for nonlocal maintenance sessions to detect unusual or unauthorized activities. [Target Date]
    • Conduct regular reviews of security logs to identify potential security incidents related to nonlocal maintenance sessions. [Target Date]

    Milestone 5: User Awareness and Training

    • Conduct comprehensive user and administrator training on the importance of multifactor authentication for nonlocal maintenance sessions. [Target Date]
    • Promote the secure use of remote access tools and adherence to security policies through user awareness initiatives. [Target Date]

    Milestone 6: Incident Response Preparedness

    • Review and update incident response procedures to address security incidents related to nonlocal maintenance sessions. [Target Date]
    • Ensure incident response teams are well-prepared to handle and mitigate potential security breaches during nonlocal maintenance activities. [Target Date]

    Milestone 7: Continuous Improvement Evaluation

    • Regularly review and assess the effectiveness of multifactor authentication mechanisms and nonlocal maintenance practices. [Target Date]
    • Identify areas for improvement and take corrective actions to enhance security measures. [Target Date]

    Milestone 8: Compliance Review

    • Conduct a compliance review to verify that multifactor authentication is being consistently applied to nonlocal maintenance sessions. [Target Date]
    • Address any identified gaps or non-compliance issues to ensure adherence to the policy. [Target Date]
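The multifactor authentication, session termination and secure-protocol items above (SSP items 2, 4 and 5, and POA&M milestones 1 to 3) can be checked on the host that accepts the maintenance connection. What follows is an added example, not part of the original page and not any vendor's or project's code: a small Python audit of an OpenSSH sshd_config that checks AuthenticationMethods for a mandatory second factor on every login path, ClientAliveInterval/ClientAliveCountMax for automatic teardown of idle sessions, and PermitRootLogin so that maintenance goes through named, role-limited accounts. The directive names are real OpenSSH ones; the two configuration snippets are constructed, and the hardened one assumes the second factor is supplied by a PAM one-time-code module behind keyboard-interactive, which sshd requires but does not itself verify.

```python
# Added example: audit an OpenSSH sshd_config for the 3.7.5 properties
# (second factor required, idle sessions terminated, no direct root login).
import re
from typing import Dict, List, Optional

# Constructed sample: a default-like sshd_config that does NOT satisfy 3.7.5.
WEAK_SSHD_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
# no AuthenticationMethods line: any single successful method logs you in
# no ClientAlive* lines: an idle session lives until the TCP connection drops
LogLevel INFO
"""

# Constructed sample: hardened for nonlocal maintenance over an external network.
# Assumption: a PAM one-time-code module answers the keyboard-interactive step;
# sshd only enforces that the key AND that step must both succeed.
HARDENED_SSHD_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
KbdInteractiveAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
# drop a silent client after 5 missed keepalives: 5 x 60 s = 5 min idle
ClientAliveInterval 60
ClientAliveCountMax 5
LogLevel VERBOSE
"""

# "Keyword value" or "Keyword=value"; sshd keywords are alphabetic.
_DIRECTIVE = re.compile(r"^([A-Za-z]+)\s*=?\s*(.*?)\s*$")


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Effective global directives as {lowercase keyword: value}.

    Mirrors sshd's rules: keywords are case-insensitive, the first occurrence
    wins, and parsing stops at the first Match block because directives there
    apply only conditionally.
    """
    directives: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2)
        if keyword == "match":
            break
        directives.setdefault(keyword, value)
    return directives


def requires_two_factors(methods: str) -> bool:
    """True when every AuthenticationMethods alternative chains >= 2 methods.

    The value is a space-separated list of alternatives; each alternative is a
    comma-separated chain that must succeed in full. Any alternative with a
    single method is a one-factor path, and "any" means no requirement at all.
    """
    if methods.strip().lower() == "any":
        return False
    alternatives = methods.split()
    return bool(alternatives) and all(
        len([step for step in alt.split(",") if step]) >= 2 for alt in alternatives
    )


def _int_directive(cfg: Dict[str, str], key: str, default: int) -> int:
    try:
        return int(cfg.get(key, str(default)))
    except ValueError:
        return default


def idle_timeout_seconds(cfg: Dict[str, str]) -> Optional[int]:
    """Seconds after which sshd drops an unresponsive client, or None if never.

    sshd defaults are ClientAliveInterval 0 (no probes) and ClientAliveCountMax 3;
    a zero in either disables termination.
    """
    interval = _int_directive(cfg, "clientaliveinterval", 0)
    count = _int_directive(cfg, "clientalivecountmax", 3)
    if interval <= 0 or count <= 0:
        return None
    return interval * count


def audit_sshd_config(text: str) -> List[str]:
    """Return 3.7.5-relevant findings for a config text; empty list means pass."""
    cfg = parse_sshd_config(text)
    findings: List[str] = []
    methods = cfg.get("authenticationmethods")
    if methods is None or not requires_two_factors(methods):
        findings.append("MFA: AuthenticationMethods does not require two factors on every login path")
    if idle_timeout_seconds(cfg) is None:
        findings.append("Termination: ClientAliveInterval/ClientAliveCountMax never drop an idle session")
    if cfg.get("permitrootlogin", "prohibit-password").lower() != "no":
        findings.append("Accountability: PermitRootLogin is not 'no', so maintenance can bypass named accounts")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        result = audit_sshd_config(text)
        print(f"{name}: {'PASS' if not result else 'FAIL'}")
        for finding in result:
            print("  -", finding)
```

Running it reports PASS for the hardened snippet and three findings for the weak one. ClientAlive probes terminate a dead or idle connection, not an active one, so closing the session when the maintenance work is finished remains an operational step; that is why the POA&M keeps session termination as its own milestone rather than folding it into the configuration work.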

    RELEVANT INFORMATION:

    Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through an external network. The authentication techniques employed in the establishment of these nonlocal maintenance and diagnostic sessions reflect the network access requirements in 3.5.3.

    Resources to consider:

    Security Policy Document:

    This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.

    Asset Inventory and Access Control Sheet:

    Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.

    User Account Management Log:

    Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.

    Password and Multi-Factor Authentication Policy:

    Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.

    Process and Script Accountability Log:

    Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.

    Device Access Control and VPN Policy:

    Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.

    Access Control Review and Monitoring Schedule:

    Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.

    User Training and Awareness Materials:

    Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.