Article 15 (Remote Connection)
- An organization shall set forth remote connection regulations, restrictions on use, configurations, and connection requirements; document them; develop a secure remote connection mechanism that includes multi-factor authentication (employee account passwords, dynamic passwords, one-time passwords); encrypt the connection; adopt the least privilege principle; retain complete audit trails of user operations; monitor and alert on anomalies; remediate security vulnerabilities; take other security measures; and retain the relevant records for re-examination by the competent supervisor.
- An organization must restrict login so that connections are permitted only for personnel within the organization, keep complete records of the operation trails of equipment, and prescribe the hours during which connection is available according to the operating hours of the relevant duties.
- An organization must prevent malicious or unauthorized connections through a secure connection mechanism, set forth rules in accordance with the least privilege principle, close unnecessary ports, and monitor network traffic together with the anomaly alert and disconnection mechanism.
- An organization must apply differentiated access privilege management to users in accordance with the least privilege principle, allowing only the access necessary for the conduct of business and disabling access to unnecessary system functions.