Navigate

CCI-002316

CCI-002316 Definition

The organization authorizes access to security-relevant information via remote access only for organization-defined needs.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed authorizes the access to security-relevant information via remote access only for needs defined in AC-17 (4), CCI 2318. The organization being inspected/assessed maintains an audit trail of authorizations.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the audit trail of authorizations to ensure the organization being inspected/assessed authorizes the access to security-relevant information via remote access only for needs defined in AC-17 (4), CCI 2318.

Compelling Evidence

1.) Signed and dated Access Control Policy 2.) Signed and dated system security plan (SSP) 3.) Signed and dated privileged user agreement. 4.) Site's audit trail of authorizations that shows/describes how the site authorizes the access to security-relevant information via remote access only for needs defined in AC-17 (4), CCI 2318.

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-002316.

Control	Description
AC-17 (4)	The organization: AC-17 (4)(a): Authorizes the execution of privileged commands and access to security-relevant information via remote access only for [Assignment: organization-defined needs]; and AC-17 (4)(b): Documents the rationale for such access in the security plan for the information system.