CA-03-727 System Interconnections

System Interconnections

Control ID

CA-03-727

Control Name

System Interconnections

Control Category

Security Assessment and Authorization

Functional Areas

Identify

Sub-Areas

External Vendors and Third Party Providers, Privacy and Confidentiality, Security Assessment and Authorization / Technology Risk Assessments

NIST Baseline Level(s)

LOW, MOD, HIGH

NIST Priority

State Implementation Required

Yes

Agency Last Implemented Date

August 24, 2016

Agency Implementation

All system interconnections with external information resources shall be approved by the chief information security officer and documented. System connection agreements shall be established with all outside information providers/consumers for non-publicly accessible information prior to establishing a system interconnection. Firewall rules shall be implemented to limit access to internal, non-publicly accessible information resources and monitored by the chief information security officer.

Risk Statement

Security breaches occur due to risks related to external parties not being identified and controlled.

Control Description

The organization: a. Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements; b. Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and c. Reviews and updates Interconnection Security Agreements [Assignment: organization-defined frequency].

Control Example

Interconnections to application systems are defined; a dataflow of information is available.

State Implementation

The organization authorizes all connections from internal/organization information system to other information systems outside of organization through the use of system connection agreements and monitors/controls the system connections on an ongoing basis.

Testing Procedures

Obtain access control policy; procedures addressing information system connections; NIST Special Publication 800-47; system and communications protection policy; personnel security policy; information system connection agreements; security plan; information system design documentation; information system configuration management and control documentation; security assessment report; plan of action and milestones; other relevant documents or records and ascertain if: (I)the organization identifies all connections to external information systems (i.e., information systems outside of the accreditation boundary). (ii)the organization authorizes all connections from the information system to external information systems through the use of system connection agreements. (iii)the organization monitors/controls the system interconnections on an ongoing basis.