Content library
NSM ICT Security Principles (Norway)
2.5.2: Restrict access to internal services from external locations

Requirement description

Restrict access to internal services from external locations. a) Allow only organisation-managed devices to access critical internal services. b) Access to internal services from unmanaged and personal devices should only be permitted following a criticality assessment of the service. For instance, one may need to be able to access email and time sheets. If so, one should consider measures to reduce risk, e.g. by offering less functionality, shorter search history, an additional layer of authentication etc.

How to fill the requirement

NSM ICT Security Principles (Norway)

2.5.2: Restrict access to internal services from external locations

Task name
Priority
Status
Theme
Policy
Other requirements
Using trust-based access control
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
3
requirements

Examples of other requirements this task affects

2.5.2: Restrict access to internal services from external locations
NSM ICT-SP
2.2.6: Control access to services based on knowledge of users and devices
NSM ICT-SP
Article 35: Data, system and network security
DORA simplified RMF
See all related requirements and other information from tasks own page.
Go to >
Using trust-based access control
1. Task description

Control access to services based on knowledge of users and devices.

One example is if a user logs in via an unmanaged device (the organisation trusts the user but does not control the device) and gains access to fewer services than if the user logs in via an organisation-managed device (the organisation knows both the user and the device).

Endpoint security management system
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Remote work and mobile devices
Mobile device management
16
requirements

Examples of other requirements this task affects

13.1.1: Network controls
ISO 27001
6.2.1: Mobile device policy
ISO 27001
PR.PT-4: Communications and control networks
NIST
HAL-19: Tietojen käsittely
Julkri
8.1: User endpoint devices
ISO 27001
See all related requirements and other information from tasks own page.
Go to >
Endpoint security management system
1. Task description

Endpoint security management system can be used to demand the desired security criteria from the devices before they are allowed to connect to the network resources. Devices can be laptops, smartphones, tablets or industry-specific hardware.

Criteria for the use of network resources may include e.g. approved operating system, VPN and antivirus systems, and the timeliness of these updates.

Remote connection management
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Network security
10
requirements

Examples of other requirements this task affects

PR.AC-3: Remote access management
NIST
I-18: TURVALLISUUSLUOKITELTUJEN TIETOJEN VÄLITYS JA KÄSITTELY FYYSISESTI SUOJATTUJEN ALUEIDEN VÄLILLÄ - ETÄKÄYTTÖ JA ETÄHALLINTA
Katakri 2020
5.1.2: Information transfer
TISAX
PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access.
CyberFundamentals
PR.AC-3: Remote access is managed.
CyberFundamentals
See all related requirements and other information from tasks own page.
Go to >
Remote connection management
1. Task description

The organization shall ensure that the monitoring and management of remote connections is automated, that remote connections are encrypted to ensure their integrity and reliability, and that remote connections pass only through approved and managed Network Access Control (NAC).

The organization must also make possible for the remote connections to be closed within a specified time.

Tasks included in the policy

Task name
Priority
Status
Theme
Policy
Other requirements
No items found.

Never duplicate effort. Do it once - improve compliance across frameworks.

Reach multi-framework compliance in the simplest possible way
Security frameworks tend to share the same core requirements - like risk management, backup, malware, personnel awareness or access management.
Cyberday maps all frameworks’ requirements into shared tasks - one single plan that improves all frameworks’ compliance.
Do it once - we automatically apply it to all current and future frameworks.
Get to know Cyberday
Start your free trial
Cyberday is your all-in-one solution for building a secure and compliant organization. Whether you're setting up a cyber security plan, evaluating policies, implementing tasks, or generating automated reports, Cyberday simplifies the entire process.
With AI-driven insights and a user-friendly interface, it's easier than ever to stay ahead of compliance requirements and focus on continuous improvement.
Clear framework compliance plans
Activate relevant frameworks and turn them into actionable policies tailored to your needs.
Credible reports to proof your compliance
Use guided tasks to ensure secure implementations and create professional reports with just a few clicks.
AI-powered improvement suggestions
Focus on the most impactful improvements in your compliance with help from Cyberday AI.