CA-09 Internal System Connections
a. Authorize internal connections of ca-09_odp.01 to the system;
b. Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated;
c. Terminate internal system connections after ca-09_odp.02 ; and
d. Review ca-09_odp.03 the continued need for each internal connection.
Internal system connections are connections between organizational systems and separate constituent system components (i.e., connections between components that are part of the same system) including components used for system development. Intra-system connections include connections with mobile devices, notebook and desktop computers, tablets, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each internal system connection individually, organizations can authorize internal connections for a class of system components with common characteristics and/or configurations, including printers, scanners, and copiers with a specified processing, transmission, and storage capability or smart phones and tablets with a specific baseline configuration. The continued need for an internal system connection is reviewed from the perspective of whether it provides support for organizational missions or business functions.
- SP 800-124 Souppaya MP, Scarfone KA (2013) Guidelines for Managing the Security of Mobile Devices in the Enterprise. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-124, Rev. 1.
- IR 8023 Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8023.
Control Enhancements 1
- CA-09(01) Compliance Checks L M H P
Related controls 8
- AC-03 Access Enforcement L M H P
- AC-04 Information Flow Enforcement L M H P
- AC-18 Wireless Access L M H P
- AC-19 Access Control for Mobile Devices L M H P
- CM-02 Baseline Configuration L M H P
- IA-03 Device Identification and Authentication L M H P
- SC-07 Boundary Protection L M H P
- SI-12 Information Management and Retention L M H P