CCI-003756

Permit authorized individuals to use an external system to access the system or to process, store, or transmit organization-controlled information only after verification of the implementation of controls on the external system as specified in the organization's security policy and security plan.

Implementation Guidance

Determine if authorized individuals are permitted to use an external system to access the system or to process, store, or transmit organization-controlled information only after verification of the implementation of controls on the external system as specified in the organization's security and privacy policies and security and privacy plans (if applicable).

Validation Procedures

Examine: [SELECT FROM: Access control policy; procedures addressing the use of external systems; system connection or processing agreements; account management documents; system security plan; other relevant documents or records]. Interview: [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities]. Test: [SELECT FROM: Mechanisms implementing limits on use of external systems].

The controls below (if any) were marked by NIST as being related to CCI-003756.