AC.L1-3.1.20—External Connections
Control Description
Verify and control/limit connections to and use of external information systems.
Cross-Framework Mappings
Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What is your policy and procedure for approving external system connections?
- How do you document and track all authorized external connections?
- What governance process is in place for reviewing external connection agreements?
- How often do you review and validate the necessity of external connections?
Technical Implementation:
- What technical controls verify and limit external connections (firewalls, VPNs)?
- How do you technically enforce connection restrictions to external systems?
- What monitoring tools track external system connections?
- How do you implement technical controls at connection points?
- What logging captures external connection attempts and activities?
Evidence & Documentation:
- What documentation demonstrates your access control policies and procedures?
- What access control matrices or permissions documentation can you provide?
- What access request and approval records can you show?
- What access review documentation demonstrates periodic reviews?
- What audit logs demonstrate access control enforcement?
- What screenshots or configuration exports show access control settings?