Restrict access to internal services from external locations. a) Allow only organisation-managed devices to access critical internal services. b) Permit access to internal services from unmanaged and personal devices only after a criticality assessment of the service in question. For instance, users may need to reach email and time sheets from such devices. If so, consider measures that reduce the risk, e.g. offering reduced functionality, a shorter search history, or an additional layer of authentication.
Control access to services based on knowledge of users and devices.
For example, a user who logs in from an unmanaged device (the organisation trusts the user but does not control the device) is granted access to fewer services than a user who logs in from an organisation-managed device (the organisation knows both the user and the device).
An endpoint security management system can be used to enforce the required security criteria on devices before they are allowed to connect to network resources. Devices can be laptops, smartphones, tablets or industry-specific hardware.
Criteria for the use of network resources may include an approved operating system, a VPN client and antivirus software, and whether these are up to date (current patch level and signature age).
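The two-part decision described above (who the user is, and what is known about the device) is easiest to see as a small policy evaluator. The following is an added example written for this page, not code from the original document or from any particular NAC product; the service catalogue, the approved operating-system versions, the maximum signature and patch age, and the rule that a managed but non-compliant device gets nothing until it is remediated are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Posture criteria (assumed values for this example; each organisation sets its own).
APPROVED_OS_MIN_VERSION = {"Windows": "10.0.19045", "macOS": "13.0", "Ubuntu": "22.04"}
MAX_AV_SIGNATURE_AGE = timedelta(days=3)
MAX_OS_PATCH_AGE = timedelta(days=30)

# Hypothetical service catalogue. LOW_CRITICALITY is the outcome of the criticality
# assessment: the services judged acceptable to reach from an unmanaged device.
ALL_SERVICES = frozenset({"email", "timesheets", "hr-portal", "source-control", "admin-console"})
LOW_CRITICALITY = frozenset({"email", "timesheets"})


@dataclass
class Device:
    managed: bool                  # enrolled in the organisation's endpoint management
    os_name: str
    os_version: str
    vpn_connected: bool
    av_running: bool
    av_signatures_updated: datetime
    last_os_patch: datetime


def _version_tuple(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def posture_failures(device: Device, now: datetime) -> list:
    """Return the posture criteria the device fails (an empty list means compliant)."""
    failures = []
    minimum = APPROVED_OS_MIN_VERSION.get(device.os_name)
    if minimum is None:
        failures.append(f"operating system {device.os_name} is not approved")
    elif _version_tuple(device.os_version) < _version_tuple(minimum):
        failures.append(f"{device.os_name} {device.os_version} is below the approved minimum {minimum}")
    if now - device.last_os_patch > MAX_OS_PATCH_AGE:
        failures.append("operating system patches are out of date")
    if not device.vpn_connected:
        failures.append("VPN client is not connected")
    if not device.av_running:
        failures.append("antivirus is not running")
    elif now - device.av_signatures_updated > MAX_AV_SIGNATURE_AGE:
        failures.append("antivirus signatures are out of date")
    return failures


def decide_access(user_authenticated: bool, user_mfa: bool, device: Device, now: datetime) -> tuple:
    """Return (allowed services, reasons) for a session.

    known user + managed, compliant device      -> all services
    known user + managed, non-compliant device  -> nothing until remediated (assumption)
    known user + unmanaged device + extra factor -> low-criticality services only
    """
    if not user_authenticated:
        return frozenset(), ["user not authenticated"]
    if device.managed:
        failures = posture_failures(device, now)
        if failures:
            return frozenset(), failures
        return ALL_SERVICES, ["managed device, posture compliant"]
    # Unmanaged or personal device: the organisation trusts the user but not the device,
    # so an additional authentication layer is required and the service set is reduced.
    if not user_mfa:
        return frozenset(), ["unmanaged device requires an additional authentication factor"]
    return LOW_CRITICALITY, ["unmanaged device: reduced service set"]


# Constructed sample data for demonstration (not real devices).
SAMPLE_NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)
SAMPLE_MANAGED_LAPTOP = Device(True, "Windows", "10.0.19045", True, True,
                               SAMPLE_NOW - timedelta(hours=6), SAMPLE_NOW - timedelta(days=10))
SAMPLE_STALE_LAPTOP = Device(True, "Windows", "10.0.19045", True, True,
                             SAMPLE_NOW - timedelta(days=5), SAMPLE_NOW - timedelta(days=10))
SAMPLE_PERSONAL_PHONE = Device(False, "iOS", "17.4", False, False, SAMPLE_NOW, SAMPLE_NOW)

if __name__ == "__main__":
    cases = (("managed laptop", SAMPLE_MANAGED_LAPTOP, False),
             ("managed laptop, stale AV", SAMPLE_STALE_LAPTOP, False),
             ("personal phone with MFA", SAMPLE_PERSONAL_PHONE, True))
    for label, dev, mfa in cases:
        services, reasons = decide_access(True, mfa, dev, SAMPLE_NOW)
        print(f"{label}: {sorted(services)} ({'; '.join(reasons)})")
```

The point of separating `posture_failures` from `decide_access` is that the same posture criteria can be re-evaluated during a session (not only at connect time), and the reasons list gives the user something actionable when a managed device is refused.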
The organisation shall ensure that the monitoring and management of remote connections is automated, that remote connections are encrypted to protect their confidentiality and integrity, and that remote connections pass only through approved and managed Network Access Control (NAC) points.
The organisation must also be able to terminate remote connections within a specified time.