CA-9 Internal System Connections
Last Review: 10/1/22
Statement
Connections between any two internal resources must be authorized and documented with the information security office.
Applicability
The intended audience includes information resource owners and custodians. This control applies to dedicated internal connections between information systems (i.e., intra-system connections) and does not apply to transitory, user-controlled connections such as email and website browsing.
Implementation
- All internal connections between systems shall be reviewed and documented appropriately. Documentation shall be reviewed and updated periodically.
- The documentation shall include, at a minimum, the following interface characteristics:
  - System Name and purpose
  - Data Elements included in the transfer
  - Data Transfer method
  - Data Transfer frequency
  - Data Transfer components
- System connections not actively in use or used for scheduling of critical business processes shall terminate automatically.
- System connectivity shall be reviewed by custodians during upgrades or major system changes to ensure that it is still appropriate and needed.