INFORMATION ASSET CONNECTIONS - 5315.8

Policy: Each state entity shall carefully consider the risks that may be introduced when information assets are connected to other systems with different security requirements and security controls, both within the state entity and external to the state entity.

Each state entity shall identify and maintain an inventory of its authorized information system connections with other state entities which establish authorized connections from information assets as defined by their authorization boundary, to other information systems. Each state entity shall document, for each connection, the interface characteristics, security requirements, the nature of the information communicated, and ensure written agreements are established and maintained which include the minimum provisions for agreements with state and non-state entities as outlined in SAM Section 5305.8.

This policy applies to dedicated connections between information assets and does not apply to transitory, user-controlled connections such as email and website browsing.

Implementation Controls:  NIST SP 800-53: Access Control (AC)