manage.get.gov/docs/compliance/dist/system-security-plans/ato/ac-20.1.md
Logan McDonald 1d3dfdb8d5
Add compliance documentation to source control (#116)
* add initial setup of compliance-trestle
2022-09-14 08:46:43 -04:00


implementation-status: c-not-implemented
control-origination: c-inherited-cloud-gov, c-inherited-cisa, c-common-control, c-system-specific-control

ac-20.1 - [catalog] Limits on Authorized Use

Control Statement

Permit authorized individuals to use an external system to access the system or to process, store, or transmit organization-controlled information only after:

  • [a] Verification of the implementation of controls on the external system as specified in the organization's security and privacy policies and security and privacy plans; or

  • [b] Retention of approved system connection or processing agreements with the organizational entity hosting the external system.

Control guidance

Limiting authorized use recognizes circumstances where individuals using external systems may need to access organizational systems. Organizations need assurance that the external systems contain the necessary controls so as not to compromise, damage, or otherwise harm organizational systems. Verification that the required controls have been implemented can be achieved by external, independent assessments, attestations, or other means, depending on the confidence level required by organizations.

Control assessment-objective

  • Authorized individuals are permitted to use an external system to access the system or to process, store, or transmit organization-controlled information only after verification of the implementation of controls on the external system as specified in the organization's security and privacy policies and security and privacy plans (if applicable);

  • Authorized individuals are permitted to use an external system to access the system or to process, store, or transmit organization-controlled information only after retention of approved system connection or processing agreements with the organizational entity hosting the external system (if applicable).


What is the solution and how is it implemented?


Implementation (a)

Add control implementation description here for item ac-20.1_smt.a


Implementation (b)

Add control implementation description here for item ac-20.1_smt.b