Copyright (c) 1995 - Management Analytics and Others - All Rights Reserved
(A) General network controls.
(i) Network resources participating in the access of confidential
information shall assume the confidentiality level of that
information for the duration of the session. Controls shall
be implemented commensurate with the highest risk.
(ii) All network components under state control must be
identifiable and restricted to their intended use.
(B) Distributed network access security. Owners of distributed
information resources served by distributed networks shall
prescribe sufficient controls to ensure that access to those
resources is restricted to authorized users and uses only. These
controls shall selectively limit services based on:
(i) user identification and authentication (e.g., password, smart
card/token), or
(ii) designation of other users, including the public where
authorized, as a class (e.g., public access through dial-up
or public switched networks), for the duration of a session,
or
(iii) physical access controls.
(C) Application security. Network access to an application containing
confidential or sensitive data, and data sharing between
applications, shall be as authorized by the application owners and
shall require authentication.
(D) Alternate procedures. If the agency utilizes a communication
network to process critical applications or functions, it shall, as
part of its contingency plan, provide for an alternate means of
accomplishing its program objectives in case the system or its
communication network becomes unavailable. Alternative procedures
shall be established that enable agency personnel to continue
critical day-to-day governmental operations in spite of the loss of
the communication network.
(E) Dial-up access. For services other than those authorized for the
public, users of dial-up terminals shall be positively and uniquely
identifiable and their identity authenticated (e.g., by password)
to the systems being accessed.
(F) Warning statements. System identification screens shall include the
following warning statements:
(i) unauthorized use is prohibited;
(ii) usage may be subject to security testing and monitoring; and