3.1.20 has a weight of -1 points
(Access Control Family) 20/22
Verify and control/limit connections to and use of external systems.
Example of System Security Plan (SSP):
System Security Plan (SSP)
Organization: [Organization Name]
System Name: External Systems Connection Control
Date: [Date]
1. Introduction
This System Security Plan (SSP) delineates the measures taken by the organization to ensure that connections to and use of external systems are verified, controlled, or limited. This is crucial to ensure data integrity, confidentiality, and availability.
2. Defined System
Every system, software, and hardware component that is owned and administratively controlled by [Organization Name] is recognized as our defined system. Any external connection or component not owned or under the administrative purview of our organization is considered outside this defined system.
3. Connection Management
In our effort to manage and control connections to these external systems, the following measures are detailed:
3.1. Firewall Management:
We employ robust firewalls to regulate data traffic that enters or exits the organization’s network. This ensures that only authorized data packets can traverse our network, acting as the first line of defense against potential security threats.
3.2. USB Port Restrictions:
To prevent potential threats from external devices, USB port blocking capabilities have been activated across our network. This restricts the connection of unauthorized devices, safeguarding against data breaches or malware intrusion.
3.3. Domain Protection:
We use DNS filtering to block access to malicious or unauthorized domains. This limits the potential exposure of our network to harmful content and ensures that users only access secure and approved websites.
4. Company Policy on External Systems
To ensure clarity and adherence to our security standards:
- All employees are informed that the use of external systems not directly approved by the IT department is prohibited. This includes but is not limited to external drives, software, and unauthorized cloud services.
- Any employee found using an unauthorized external system may face disciplinary action.
- Should any employee require access to an external system for legitimate business purposes, they must first seek and obtain approval from the IT department.
5. Verification Protocols
5.1. SIEM (Security Information and Event Management):
The SIEM system collects and analyzes security alerts from various network hardware and software.
5.2. SOC (Security Operations Center) Solution:
This is the organization’s primary security monitoring unit, ensuring real-time surveillance and immediate response to any security threats or breaches.
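The SSP above lists the controls (firewall, USB restrictions, DNS filtering) in section 3 and says in section 5 that a SIEM collects and analyzes the resulting events, but it does not show what a verification check actually looks like. The following is an added example, not part of the SSP template or of any organization's real SIEM content: a small Python rule that reads constructed connection and USB-attach events, treats destinations inside the defined system's address space as internal, and flags connections to external systems that are not on the IT department's approval list, hits on the DNS blocklist, and unapproved USB devices. The networks, domain names, device IDs and log format are all assumptions made up for the example.

```python
"""Added example: verifying connections to external systems against policy.
Illustrative code only; the policy data and log format below are constructed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Assumed policy data (constructed). In practice these come from the asset
# inventory (section 2, the defined system) and the IT approval list (section 4).
DEFINED_SYSTEM_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
APPROVED_EXTERNAL_DOMAINS = {
    "storage.example-approved-cloud.net",
    "updates.example-vendor.com",
}
BLOCKED_DOMAINS = {"files.example-untrusted.org"}      # section 3.3, DNS filtering
APPROVED_USB_DEVICES = {"VID_0781&PID_5583"}           # section 3.2, constructed ID

# Constructed sample events in a simplified key=value format.
SAMPLE_LOG = """\
type=conn src=10.1.2.3 dst=10.1.9.9 dst_host=fileserver.internal user=alice
type=conn src=10.1.2.3 dst=203.0.113.10 dst_host=storage.example-approved-cloud.net user=alice
type=conn src=10.1.2.4 dst=198.51.100.7 dst_host=files.example-untrusted.org user=bob
type=conn src=10.1.2.4 dst=192.0.2.55 dst_host=personal-nas.example user=bob
type=usb host=WS-014 device=VID_0781&PID_5583 user=carol
type=usb host=WS-022 device=VID_1234&PID_ABCD user=dave
"""


@dataclass
class Finding:
    severity: str
    rule: str
    detail: str


KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> dict:
    """Turn one key=value log line into a dict."""
    return dict(KV.findall(line))


def evaluate(event: dict) -> Optional[Finding]:
    """Return a Finding when the event violates the external-systems policy."""
    kind = event.get("type")
    if kind == "conn":
        dst = ipaddress.ip_address(event["dst"])
        if any(dst in net for net in DEFINED_SYSTEM_NETWORKS):
            return None  # inside the defined system: not an external connection
        host = event.get("dst_host", "")
        if host in BLOCKED_DOMAINS:
            return Finding("high", "3.3-dns-blocklist",
                           f"{event['user']} reached blocked domain {host}")
        if host not in APPROVED_EXTERNAL_DOMAINS:
            return Finding("medium", "3.1-unapproved-external",
                           f"{event['user']} connected to unapproved external system {host} ({dst})")
        return None
    if kind == "usb":
        if event["device"] not in APPROVED_USB_DEVICES:
            return Finding("medium", "3.2-unapproved-usb",
                           f"{event['user']} attached unapproved device {event['device']} on {event['host']}")
        return None
    return Finding("low", "unknown-event", f"unrecognised event type {kind!r}")


def scan(log_text: str) -> list:
    """Evaluate every non-empty line and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            finding = evaluate(parse_event(line))
            if finding is not None:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity}] {f.rule}: {f.detail}")
```

Run against the constructed sample, the rule reports three findings: the blocked domain, the personal NAS that is external and not on the approval list, and the unapproved USB device; the internal file server, the approved cloud storage and the approved USB device produce nothing. The order of checks matters: a destination inside the defined system is accepted before any domain check, and the blocklist is consulted before the allowlist, so a domain that appears on both is still reported as high severity.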
Signatures:
IT Manager: ____________________ Date: _______
Security Officer: ____________________ Date: ______
Security Architect: ____________________ Date: ______
Note: Remember to fill in the placeholders like [Organization Name] and [Date] with the appropriate details.
Example of Plan of Action and Milestones (POA&M):
Plan of Action & Milestones (POA&M)
Organization: [Organization Name]
System Name: External Systems Connection Control
Date: [Date]
Objective: Ensure secure connections to and use of external systems by implementing and maintaining security measures to safeguard data integrity, confidentiality, and availability.
1. Managed Firewall Implementation
Milestone: Deploy and configure a state-of-the-art managed firewall.
Tasks:
- Evaluate suitable firewall solutions.
- Procure and install the chosen firewall.
- Update firewall rules to best fit the organization’s needs.
- Regularly review and modify rules based on the threat landscape.
Target Completion Date: [Date]
2. Endpoint Management Solution Deployment
Milestone: Fully implement an endpoint management solution across the organization.
Tasks:
- Assess existing endpoint security measures.
- Select an appropriate endpoint management solution.
- Deploy the solution to all endpoints.
- Monitor and report on endpoint security metrics.
Target Completion Date: [Date]
3. External Systems Definition & Compliance
Milestone: Define and catalog all external systems; ensure NIST SP 800-171 standards are met.
Tasks:
- Identify and document all external systems.
- Ensure all external systems meet compliance standards.
- Develop a training program for staff to recognize compliant vs. non-compliant external systems.
Target Completion Date: [Date]
4. SIEM Implementation & Maintenance
Milestone: Implement a SIEM solution and ensure its effective operation.
Tasks:
- Identify the right SIEM tool for organizational needs.
- Deploy SIEM across the network.
- Train IT staff on SIEM tool usage.
- Review and analyze security alerts on a regular basis.
Target Completion Date: [Date]
5. SOC Enhancement and Operation
Milestone: Enhance the capabilities of the SOC and ensure it operates effectively.
Tasks:
- Evaluate current SOC capabilities.
- Implement necessary improvements based on the evaluation.
- Conduct regular threat hunting exercises.
- Offer ongoing training for SOC personnel.
Target Completion Date: [Date]
Review and Approval:
IT Manager: ____________________ Date: _______
Security Officer: ____________________ Date: ______
Security Architect: ____________________ Date: ______
RELEVANT INFORMATION:
DISCUSSION: External systems are systems or components of systems for which organizations typically have no direct supervision and authority over the application of security requirements and controls or the determination of the effectiveness of implemented controls on those systems. External systems include personally owned systems, components, or devices and privately-owned computing and communications devices resident in commercial or public facilities. This requirement also addresses the use of external systems for the processing, storage, or transmission of CUI, including accessing cloud services (e.g., infrastructure as a service, platform as a service, or software as a service) from organizational systems. Organizations establish terms and conditions for the use of external systems in accordance with organizational security policies and procedures. Terms and conditions address as a minimum, the types of applications that can be accessed on organizational systems from external systems. If terms and conditions with the owners of external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems. This requirement recognizes that there are circumstances where individuals using external systems (e.g., contractors, coalition partners) need to access organizational systems. In those situations, organizations need confidence that the external systems contain the necessary controls so as not to compromise, damage, or otherwise harm organizational systems. Verification that the required controls have been effectively implemented can be achieved by third-party, independent assessments, attestations, or other means, depending on the assurance or confidence level required by organizations. Note that while “external” typically refers to outside of the organization’s direct supervision and authority, that is not always the case. 
Regarding the protection of CUI across an organization, the organization may have systems that process CUI and others that do not. And among the systems that process CUI there are likely access restrictions for CUI that apply between systems. Therefore, from the perspective of a given system, other systems within the organization may be considered “external” to that system.
Resources to consider:
Security Policy Document:
This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.
Asset Inventory and Access Control Sheet:
Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.
User Account Management Log:
Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.
Password and Multi-Factor Authentication Policy:
Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.
Process and Script Accountability Log:
Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.
Device Access Control and VPN Policy:
Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.
Access Control Review and Monitoring Schedule:
Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.
User Training and Awareness Materials:
Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.