Guidance for NIST 800-171 Assessment & Compliance

Zoom Window Out
Larger Text | Smaller Text
Hide Page Header
Show Expanding Text
Printable Version
Save Permalink URL

Navigation: IA-FAMILY: IDENTIFICATION AND AUTHENTICATION

IA-2(11) IDENTIFICATION AND AUTHENTICATION | REMOTE ACCESS – SEPARATE DEVICE (FED)

Scroll Prev Top Next More

Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

(O)ther than satisfactory +##

###

ia-2(11)	identification and authentication \| remote access – separate device
	assessment objective: Determine if:
	ia-2(11)[1]	the information system implements multifactor authentication for remote access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access;
	ia-2(11)[2]	the information system implements multifactor authentication for remote access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access;
	ia-2(11)[3]	the organization defines strength of mechanism requirements to be enforced by a device separate from the system gaining remote access to privileged accounts;
	ia-2(11)[4]	the organization defines strength of mechanism requirements to be enforced by a device separate from the system gaining remote access to non-privileged accounts;
	ia-2(11)[5]	the information system implements multifactor authentication for remote access to privileged accounts such that a device, separate from the system gaining access, meets organization-defined strength of mechanism requirements; and
	ia-2(11)[6]	the information system implements multifactor authentication for remote access to non-privileged accounts such that a device, separate from the system gaining access, meets organization-defined strength of mechanism requirements.
	potential assessment methods and objects: Examine: [select from: Identification and authentication policy; procedures addressing user identification and authentication; information system design documentation; information system configuration settings and associated documentation; information system audit records; list of privileged and non-privileged information system accounts; other relevant documents or records]. Interview: [select from: Organizational personnel with information system operations responsibilities; organizational personnel with account management responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers]. Test: [select from: Automated mechanisms supporting and/or implementing identification and authentication capability].

Hosted by ABCI Consultants for Information Security Management Systems | Implementations, Training and Assessments for Compliance | (800) 644-2056