Internet Content Filtering, Portable and Remote Computing
LOW, MOD, HIGH
P1
Yes
August 17, 2016
All remote access to Agency-owned information resources shall be conducted using the Microsoft Remote Desktop Protocol (RDP) or Secure Shell (SSH) service. RDP and SSH shall be configured to enforce TLS connections; insecure connection requests shall be denied. No public access to RDP or SSH shall be permitted; all connections must either initiate within the Agency's protected network or via a secure gateway. Users must be explicitly authorized for remote access to a workstation with the approval of the information resource owner.
Users of corporate information systems expose business information to exploitable vulnerabilities when using teleworking solutions.
The organization:
a. Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and
b. Authorizes remote access to the information system prior to allowing such connections.
a. Remote access is not permitted without explicit approval.
b. Access to corporate network is only provided when using VPN while working remotely.
The state organization establishes, documents, and reviews usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed.
All remote access connections must be authorizes prior to allowing such connections.
Obtain access control policy; procedures addressing remote access to the information system; information system configuration settings and associated documentation; information system audit records; other relevant documents or records and ascertain if
(I) the organization authorizes, monitors, and controls remote access to the information system for all allowed methods of remote access to include both establishment of the remote connection and subsequent user actions across that connection.
(ii) the information system employs automated mechanisms to facilitate the monitoring and control of remote access methods.
(iii) the information system employs cryptography to protect the confidentiality and integrity of remote access sessions.