Verify and control connections to external information systems
Organizations frequently connect to external systems such as contractor portals, cloud services, partner networks, and personal devices. Each external connection is a potential path for FCI to leak or for attackers to enter your environment. You must have visibility into what external connections exist, establish terms of use or agreements for each, and apply technical controls that prevent unauthorized or unmanaged systems from accessing FCI.
Implementation steps
1. Inventory all connections to external systems
Document every external system your organization connects to that touches FCI: cloud providers, contractor portals, partner integrations, remote access solutions, and personal device access. Include both inbound connections (external systems connecting to yours) and outbound connections (your systems connecting out).
Tools: confluence, excel

2. Establish terms and approval for external connections
Create a process requiring approval before establishing new external connections. For each approved connection, document the business purpose, what data can flow over it, and who is responsible for managing it. Establish contractual terms with external parties defining their security obligations when they connect to your systems.
Tools: servicenow, jira

3. Implement technical controls on external connections
Restrict access from external systems using firewall rules, VPN requirements, or zero-trust network access controls. Require managed or compliant devices for remote access to FCI systems. Block connections from unmanaged personal devices to FCI unless a specific exception is approved.
Tools: palo-alto, cisco-asa, zscaler, cloudflare-access, intune

4. Review and terminate unused external connections
Periodically review the inventory of external connections and terminate those no longer needed. When a project ends or a vendor relationship concludes, remove their access the same day. Check firewall rules and VPN configurations for stale entries.
Tools: palo-alto, aws-security-groups
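The four steps above come together in a periodic reconciliation: every firewall rule that permits an external source into an FCI system should map to an approved, unexpired entry in the connection register. The following script is an added example, not part of this control page; the register, the rule export, and their field names are constructed sample data and assumptions.

```python
"""Reconcile an allow-rule export against the external connection register.

Added example: REGISTER and RULES are constructed sample data and the
field names are assumptions, not a vendor's export format.
"""
from datetime import date
from ipaddress import ip_network

# Constructed approved-connection register (steps 1 and 2).
REGISTER = [
    {"name": "Contractor portal", "cidr": "203.0.113.0/24",
     "owner": "vendor-mgmt", "expires": date(2026, 12, 31)},
    {"name": "Former vendor VPN", "cidr": "198.51.100.10/32",
     "owner": "it-ops", "expires": date(2024, 1, 15)},
]

# Constructed firewall rule export (steps 3 and 4).
RULES = [
    {"id": "fw-101", "source": "203.0.113.0/24", "dest": "fci-app", "action": "allow"},
    {"id": "fw-102", "source": "198.51.100.10/32", "dest": "fci-app", "action": "allow"},
    {"id": "fw-103", "source": "192.0.2.0/24", "dest": "fci-app", "action": "allow"},
    {"id": "fw-104", "source": "0.0.0.0/0", "dest": "fci-app", "action": "deny"},
]


def find_approval(source, register):
    """Return the register entry whose CIDR covers the rule source, or None."""
    net = ip_network(source)
    for entry in register:
        if net.subnet_of(ip_network(entry["cidr"])):
            return entry
    return None


def reconcile(rules, register, today):
    """Classify each allow rule as approved, stale (approval expired), or unapproved."""
    findings = {"approved": [], "stale": [], "unapproved": []}
    for rule in rules:
        if rule["action"] != "allow":
            continue  # only permit rules open a path into FCI systems
        entry = find_approval(rule["source"], register)
        if entry is None:
            findings["unapproved"].append(rule["id"])
        elif entry["expires"] < today:
            findings["stale"].append((rule["id"], entry["name"], entry["owner"]))
        else:
            findings["approved"].append(rule["id"])
    return findings


if __name__ == "__main__":
    for kind, items in reconcile(RULES, REGISTER, date.today()).items():
        print(f"{kind}: {items}")
```

Stale and unapproved findings are the rules to remove or to route through the approval process; the approved list, together with the register, doubles as the connection inventory evidence.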
Evidence required
External connection inventory
A current list of all external systems connected to your environment, the purpose, and the owner.
- External connection register
- Network diagram with external connections labeled

Connection approval records
Evidence that external connections were reviewed and approved before being established.
- Change request approvals
- Security review sign-offs for external connections

Technical control configuration
Evidence of firewall rules, VPN configs, or ZTNA policies that restrict external access.
- Firewall rule export
- VPN access policy
- Conditional access policy configuration
Related controls
- Monitor, control, and protect communications at network boundaries (Boundary Protection)
- Implement subnetworks for publicly accessible system components (Network Segmentation)
- Limit system access to authorized users, processes, and devices (Authorized Access)
- Limit system access to permitted transactions and functions (Authorized Access)