Media, Security Assessment and Authorization / Technology Risk Assessments
LOW, MOD, HIGH
P2
Yes
August 24, 2016
The information resource manager shall authorize any Agency-owned information resources that are intended to be connected to the Agency trusted network prior to such resource being connected, and shall document the logical and physical characteristics, security requirements, and nature of the information communicated for each of the information resources to be connected.
Failure to establish formal authorization processes for restricting user access to internal system connections may result in unauthorized or unsecure connections to the network, exposing sensitive or critical business applications.
The organization:
a. Authorizes internal connections of [Assignment: organization-defined information system components or classes of components] to the information system; and
b. Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated.
The organization has a process for accepting internal interfaces between application systems.
The state organization has a procedure for authorizing internal information resource connections.
Obtain procedures addressing internal connections between organization-defined information system components (such as system connections with mobile devices, notebook/desktop computers, printers, copiers, facsimile machines, scanners, sensors, and servers) and ascertain if:
(i) the internal connections are authorized;
(ii) the documentation contains interface characteristics, security requirements, and the nature of information communicated.