.png)
Protect your Internal Information Systems
If organizations have internal information systems that connect to any external systems in order to support business operations, these system interconnections need to be tracked and appropriately managed. This will help organizations protect against the misuse or loss of data belonging to the organization. This also protects any in-scope data belonging to customers or consumers of the organization’s services.
Connecting Systems from Within
Connections from systems within your organization to external systems should be authorized and protected using appropriate documentation containing security control requirements, such as an Interconnection Security Agreement (ISA). ISAs should be reviewed on a regular basis to ensure they remain accurate, appropriate, and continue to align with defined Security Program control requirements. This can be at a frequency defined by your organization, but typically this is an annual requirement.
For each system interconnection, the interface characteristics, security and privacy control requirements, along with the nature of the information being communicated should be documented. Your organization should follow a deny-all, permit-by-exception process or procedure for allowing your systems to connect to external systems.
Connecting Internal and External Systems
Internal system connections to external systems should always be authorized prior to the connections being implemented. This is recommended because once an interconnection has been established, you have effectively created a hole in your network to an outside entity, albeit an intentional one in most cases. Any interconnection should be protected with an appropriate level of security controls to prevent residual risk wherever possible.
If you are interesting in learning more about this pitfall, as well as others, read my book: 100 Security Program Pitfalls and Prescriptions to Avoid Them (available on Amazon here). Or register for a demo of the ASCENT Security and Compliance Portal and get a free synopsis of the 100 Security Program Pitfalls eBook today.
See the ASCENT Security and Compliance Portal and get a free synopsis of the 100 Security Program Pitfalls eBook today.
At ASCENT, we deliver the industry’s leading Software-as-a-Services (SaaS) platform for comprehensive security and compliance management. Enabling organizations of all sizes to automate and maintain a complete security and compliance program, ASCENT aligns processes with leading industry frameworks to increase efficiency, eliminate work duplication, ensure vendor compliance and provide deep visibility into compliance risk. Based on 50 years of compliance experience, ASCENT lowers compliance costs and risk while protecting companies from security exposure.