Remote access is managed from Cybersecurity Fundamentals framework

SAMMY UI is optimized for resolutions with a width 1024px and higher.

Maturity Level 1

Maturity Level 2

Maturity Level 3

PR.AC-3.1

PR.AC-3.1: The organisation's wireless access points shall be secured.

Consider the following when wireless networking is used:
Change the administrative password upon installation of a wireless access points.
Set the wireless access point so that it does not broadcast its Service Set Identifier (SSID).
Set your router to use at least WiFi Protected Access (WPA-2 or WPA-3 where possible), with the Advanced Encryption Standard (AES) for encryption.
Ensure that wireless internet access to customers is separated from your business network.
Connecting to unknown or unsecured / guest wireless access points, should be avoided, and if unavoidable done through an encrypted virtual private network (VPN) capability.
Manage all endpoint devices (fixed and mobile) according to the organization's security policies.

Description

The organisation's wireless access points shall be secured.

PR.AC-3.2

PR.AC-3.2: The organization's networks when accessed remotely shall be secured, including through multi-factor authentication (MFA).

Enforce MFA (e.g. 2FA) on Internet-facing systems, such as email, remote desktop, and Virtual Private Network (VPNs).

Description

The organization's networks when accessed remotely shall be secured, including through multi-factor authentication (MFA).

PR.AC-3.3

PR.AC-3.3: Usage restrictions, connection requirements, implementation guidance, and authorizations for remote access to the organization’s critical systems environment shall be identified, documented and implemented.

Consider the following:
Remote access methods include, for example, wireless, broadband, Virtual Private Network (VPN) connections, mobile device connections, and communications through external networks.
Login credentials should be in line with company's user authentication policies.
Remote access for support activities or maintenance of organizational assets should be approved, logged, and performed in a manner that prevents unauthorized access.
The user should be made aware of any remote connection to its device by a visual indication.

Description

Usage restrictions, connection requirements, implementation guidance, and authorizations for remote access to the organization’s critical systems environment shall be identified, documented and implemented.

PR.AC-3.4

PR.AC-3.4: Remote access to the organization’s critical systems shall be monitored and cryptographic mechanisms shall be implemented where determined necessary.

This should include that only authorized use of privileged functions from remote access is allowed.

Description

Remote access to the organization’s critical systems shall be monitored and cryptographic mechanisms shall be implemented where determined necessary.

PR.AC-3.5

PR.AC-3.5: The security for connections with external systems shall be verified and framed by documented agreements.

Access from pre-defined IP addresses could be considered.

Description

The security for connections with external systems shall be verified and framed by documented agreements.