AC.L1-B.1.III
External Connections

FCI Data

Security Requirement

Verify and control/limit connections to and use of external information systems.

USU Policy, Procedures, and Standards

University Policy 5200: Information Security and Appropriate Use

Vendors must adhere to access controls and contractual data protection rules; access to external systems must follow the Vendor Management Plan.

NIST Cybersecurity Framework v2

  • Protect (PR): PR.AA-05 - Network integrity is protected, and use of external systems is controlled.

Implementation Details

Documentation should include enough detail to show how the Security Requirement for this control is met. Complete this list for each system or group of systems that processes or accesses FCI data:

  • List processes and controls used to limit and monitor access between internal USU systems and external systems (e.g., internet, cloud services).
  • List rules governing the approval and documentation of external connections, including when and how they are reviewed.
  • List any additional processes or procedures you have that help meet the control’s security requirement.

Document How

  • connections to external systems are identified
  • the use of external systems is identified
  • connections to external systems are verified
  • the use of external systems is verified
  • connections to external systems are controlled/limited
  • the use of external systems is controlled/limited

Example

Internal systems are configured with private IP addresses managed by USU IT and are separated from the internet using USU Firewalls. Public IP access is not allowed unless explicitly authorized and logged. Remote users are required to use the institutional VPN from university-managed devices.

USU Firewall

What it does:
  • Enforces network segmentation and limits unauthorized connections to internal systems.
  • Blocks all traffic except from authorized sources (e.g., campus IP, VPN, or specific subnet).
How it helps a researcher:
  • Departmental systems storing FCI are placed behind firewalls that block all traffic except from authorized sources.
  • Firewall logs can be reviewed to verify access patterns and detect/alert on anomalies.
Example:
  • A research server storing FCI is on a segmented VLAN only accessible through the institutional VPN. Firewall rules restrict traffic to only required services, users, and IPs.
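As an added example (not USU tooling and not part of the original page), the following Python script shows one way to carry out the firewall log review described above: every connection accepted into the FCI VLAN is checked against the documented policy (private addressing, access only from the VPN pool or the IT management subnet, only the required services), and repeated denied attempts from one source are surfaced even though the firewall blocked them. The key=value log format, the subnets and ports, and the sample log lines are all constructed assumptions; substitute a real firewall export and the addressing from your own network diagram.

```python
"""Review firewall logs for an FCI VLAN against a documented external-connection policy.

Added example, not USU tooling. The log format, the subnets and ports below, and the
sample log lines are all constructed assumptions for illustration.
"""
import ipaddress
import re
from collections import Counter

# Constructed policy (assumption): replace with the addressing from your network diagram.
FCI_VLAN = ipaddress.ip_network("10.50.20.0/24")          # segmented VLAN holding FCI systems
AUTHORIZED_SOURCES = [
    ipaddress.ip_network("10.200.0.0/16"),                # institutional VPN client pool
    ipaddress.ip_network("10.10.5.0/24"),                 # IT management subnet
]
REQUIRED_SERVICES = {22, 443}                             # only SSH and HTTPS approved inbound

# RFC 1918 private ranges; anything else is treated as a public (internet) address.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed key=value log format (e.g., a firewall syslog export).
LOG_RE = re.compile(
    r"action=(?P<action>ACCEPT|DROP)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)"
    r"\s+proto=(?P<proto>\w+)\s+dport=(?P<dport>\d+)"
)


def is_private(addr):
    return any(addr in net for net in RFC1918)


def parse_line(line):
    """Return a dict for a recognised log line, or None for anything else."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return {
        "action": m["action"],
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "proto": m["proto"],
        "dport": int(m["dport"]),
    }


def audit(lines, drop_threshold=3):
    """Return findings as (kind, source, detail) tuples for traffic into the FCI VLAN.

    Accepted connections are checked against the policy; denied connections are counted
    per source so repeated probing is reported even though the firewall blocked it.
    """
    findings = []
    denied = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["dst"] not in FCI_VLAN:
            continue                      # not traffic into the FCI VLAN; out of scope here
        if ev["action"] == "DROP":
            denied[ev["src"]] += 1
            continue
        # An accepted connection must come from an authorized source ...
        if not is_private(ev["src"]):
            findings.append(("public-source-accepted", str(ev["src"]), ev["dport"]))
        elif not any(ev["src"] in net for net in AUTHORIZED_SOURCES):
            findings.append(("unauthorized-internal-source", str(ev["src"]), ev["dport"]))
        # ... and only to a service the documentation lists as required.
        if ev["dport"] not in REQUIRED_SERVICES:
            findings.append(("unapproved-service", str(ev["src"]), ev["dport"]))
    for src, n in denied.items():
        if n >= drop_threshold:
            findings.append(("repeated-denied-attempts", str(src), n))
    return findings


# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges
# standing in for real internet addresses.
SAMPLE_LOG = """\
Jun 03 09:12:01 fw1 action=ACCEPT src=10.200.14.22 dst=10.50.20.15 proto=tcp dport=22
Jun 03 09:12:05 fw1 action=ACCEPT src=10.200.14.22 dst=10.50.20.15 proto=tcp dport=443
Jun 03 09:13:40 fw1 action=ACCEPT src=10.30.7.9 dst=10.50.20.15 proto=tcp dport=22
Jun 03 09:15:12 fw1 action=ACCEPT src=203.0.113.45 dst=10.50.20.15 proto=tcp dport=3389
Jun 03 09:16:00 fw1 action=ACCEPT src=10.200.14.22 dst=10.50.20.15 proto=tcp dport=5432
Jun 03 09:20:01 fw1 action=DROP src=198.51.100.7 dst=10.50.20.15 proto=tcp dport=22
Jun 03 09:20:02 fw1 action=DROP src=198.51.100.7 dst=10.50.20.15 proto=tcp dport=22
Jun 03 09:20:03 fw1 action=DROP src=198.51.100.7 dst=10.50.20.15 proto=tcp dport=22
Jun 03 09:21:00 fw1 action=ACCEPT src=10.200.14.22 dst=10.60.1.4 proto=tcp dport=443
"""

if __name__ == "__main__":
    for kind, src, detail in audit(SAMPLE_LOG.splitlines()):
        print(f"{kind:28} src={src:15} {detail}")
```

Run against the sample it reports an accepted connection from a public address, an accepted connection from an internal subnet that is not the VPN pool or management subnet, two accepted connections to ports outside the required services, and a source that was denied three times. An accepted connection from a public address is the finding to treat as a rule-set defect, not just an anomaly, since the documented policy says such traffic should never reach the VLAN.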

Institutional VPN Solution

What it does:
  • Provides encrypted remote access to USU’s internal network.
  • Restricts access to university-managed devices.
How it helps a researcher:
  • VPN access is restricted to approved USU accounts and compliant devices.
  • Access to internal systems containing FCI is only available once connected through VPN.
  • Ensures encrypted data-in-transit for off-campus researchers or collaborators.
Example:
  • A researcher uses their USU-issued laptop to connect via VPN. The system checks for endpoint protection and updates before allowing access to the lab network.

Private IP Address Management

What it does:
  • Assigns private IP addresses to internal systems.
  • Separates systems from public internet exposure.
How it helps a researcher:
  • Internal systems are not directly reachable from the internet, because private addresses are not routed on the public internet.
  • Private addressing hides systems but does not by itself decide who may connect; combined with the USU Firewall and VPN, only authorized devices or VPN users can reach these systems.
Example:
  • A research database is assigned a private IP and is only accessible to specific users through the institutional VPN.

Intrusion Prevention System (IPS)

What it does:
  • Monitors network traffic for suspicious or unexpected activity.
  • Blocks, logs, and alerts on potential threats.
How it helps a researcher:
  • Detects and prevents unauthorized access attempts.
  • Helps maintain research data integrity by blocking malicious traffic.
Example:
  • An IPS detects an unusual login attempt to a research server and blocks the connection, preventing a potential data breach.

Endpoint Detection and Response Solution

What it does:
  • Provides advanced threat detection and response for endpoints.
How it helps a researcher:
  • Protects devices accessing research data from malware and threats.
  • Automatically scans for and mitigates threats.
Example:
  • A researcher’s laptop is protected by the USU EDR solution, which automatically scans for and mitigates threats, ensuring research systems are secure.

*The services above are USU services that could be leveraged to meet control requirements. The list may not be complete or applicable for a given configuration. The use of a given service does not necessarily satisfy control requirements, or may require specific configuration to meet them. Documentation should include how each service is implemented to meet the control requirements.

How might an auditor assess this control?

Method

  • Examine:
    • Review firewall rules, VPN configurations, and network architecture diagrams to ensure external access is controlled.
  • Interview:
    • Ask administrators how external connections are approved, configured, and monitored.
  • Test:
    • Attempt remote access using an unauthorized method or device to confirm enforcement of connection restrictions.

Objects (examples of items you could present to the auditor)

  • Firewall Rule Sets: Documentation or exports showing rules for controlling external access.
  • Network Diagrams: Visual representation showing how external systems are segmented from internal systems.
  • VPN Configuration: Details showing how the Institutional VPN solution is configured to restrict access.
  • Access Logs: Logs showing attempted and successful external connections.
  • External Connection Approvals: Records of who approved external system access and for what purpose.
  • IPS Reports: Alerts or findings that demonstrate active monitoring of inbound/outbound traffic.