CA-9 Internal System Connections

Description

This Control applies to connections between organizational information systems and (separate) constituent system components (i.e., intra-system connections) including, for example, system connections with mobile devices, notebook/desktop computers, printers, copiers, facsimile machines, scanners, sensors, and servers.

Instead of authorizing each individual internal connection, organizations can authorize internal connections for a class of components with common characteristics and/or configurations, for example, all digital printers, scanners, and copiers with a specified processing, storage, and transmission capability or all smart phones with a specific baseline configuration.

Applicability

The intended audience includes information resource owners and custodians.

This Control applies to dedicated internal connections between information systems (i.e., intra-system connections) and does not apply to transitory, user-controlled connections such as email and website browsing.

Implementation

TAMU-CC shall:

  1. Have a procedure for authorizing internal information resource connections to:
    1. Attach a device to a TAMU-CC network only if that device complies with all applicable policy (see especially CM-06);
    2. Attach only TAMU-CC-owned or -managed devices to a privileged TAMU-CC network;
    3. Attach non-TAMU-CC-owned or -managed devices only to an unprivileged TAMU-CC network;
    4. Attach a device to a privileged TAMU-CC network only if the device is recorded in the Inventory;
    5. Make a device directly accessible from the Internet (e.g., by NAT'ing a publicly routable IP address to the server's private address) only if:
      1. The device is in a DMZ designated for Internet-accessible devices, and
      2. OIS approves.
  2. Document, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated.

Revision History

Last Updated: February 21, 2025

Previous Versions:

  • June 29, 2023
  • May 31, 2022
  • March 25, 2021
  • September 16, 2019