External Vendors and Third Party Providers, Privacy and Confidentiality, Security Assessment and Authorization / Technology Risk Assessments
LOW, MOD, HIGH
P1
Yes
August 24, 2016
All system interconnections with external information resources shall be approved by the chief information security officer and documented. System connection agreements shall be established with all outside information providers/consumers for non-publicly accessible information prior to establishing a system interconnection. Firewall rules shall be implemented to limit access to internal, non-publicly accessible information resources and monitored by the chief information security officer.
Security breaches occur when risks related to external parties are not identified and controlled.
The organization:
a. Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements;
b. Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and
c. Reviews and updates Interconnection Security Agreements [Assignment: organization-defined frequency].
Interconnections to application systems are defined, and a data flow of the information exchanged is available.
The organization authorizes all connections from internal organization information systems to information systems outside the organization through the use of system connection agreements, and monitors and controls those system connections on an ongoing basis.
Obtain access control policy; procedures addressing information system connections; NIST Special Publication 800-47; system and communications protection policy; personnel security policy; information system connection agreements; security plan; information system design documentation; information system configuration management and control documentation; security assessment report; plan of action and milestones; other relevant documents or records and ascertain if:
(i) the organization identifies all connections to external information systems (i.e., information systems outside of the accreditation boundary);
(ii) the organization authorizes all connections from the information system to external information systems through the use of system connection agreements; and
(iii) the organization monitors/controls the system interconnections on an ongoing basis.