IAM-011 Remote Access Controls
Description
Remote access to internal systems and infrastructure is controlled through approved, documented access paths (e.g. VPN, zero-trust network access). Unapproved remote access methods are blocked. Remote access sessions require MFA and are logged. Access paths are reviewed and re-authorised periodically.
Rationale
Remote access bypasses perimeter controls and is a common attack vector. Formalised remote access paths with authentication and logging ensure that remote sessions are accountable and auditable.
Framework Mappings (3)
| Reference | Control | Mapping |
|---|---|---|
| 8.5 | Secure authentication | informative |
| AC-17 | Remote Access | full |
| CC6.6 | Security Measures Against Threats Outside System Boundaries | partial |
Evidence (2)
Remote access configuration showing that only approved access paths (VPN, ZTNA) are permitted and that MFA is enforced for all remote sessions.
Example: VPN gateway configuration export (e.g. Cisco AnyConnect, OpenVPN) or ZTNA policy export (e.g. Cloudflare Access, Zscaler ZPA) showing: approved access paths, MFA enforcement setting, session timeout, and network policy blocking unapproved remote methods.
Test: Request the VPN or ZTNA configuration. Verify: (1) remote access requires MFA at the gateway level, (2) session timeout is set per policy, (3) firewall or network policy explicitly blocks inbound SSH, RDP, or direct API access from the internet to internal systems except through the approved path, (4) the policy was reviewed and re-authorised within the last 12 months.
Remote access session logs showing all remote connections over the past 30 days with user identity, source IP, timestamp, and session duration.
Example: VPN gateway log export or ZTNA access log export covering the last 30 days, showing each session's authenticating user, source IP, destination system, start time, and end time.
Test: Export remote access session logs for the past 30 days. Verify: (1) every session has a named authenticated user — no anonymous or service-account sessions without documented justification, (2) all source IPs are within expected geographic/network ranges or have a corresponding approved exception, (3) log retention meets the policy-defined period.
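The session-log test above can be scripted. The following is an added example, not part of the control catalogue or any vendor tool: it runs the three checks (named user, source IP within approved ranges or a documented exception, plus the session-timeout check from the configuration test) over a constructed CSV export. The column names, the approved ranges, the exception list and the 8-hour timeout are all assumptions standing in for an organisation's own policy values.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample export; column names are an assumption, not a vendor format.
SAMPLE_LOG = """\
user,source_ip,destination,start,end,mfa
alice,203.0.113.10,10.0.1.5,2024-05-01T08:00:00,2024-05-01T09:30:00,yes
svc-backup,198.51.100.7,10.0.2.9,2024-05-01T02:00:00,2024-05-01T02:10:00,yes
anonymous,192.0.2.44,10.0.1.5,2024-05-02T11:00:00,2024-05-02T11:05:00,no
bob,203.0.113.25,10.0.3.1,2024-05-02T12:00:00,2024-05-02T22:30:00,yes
"""

# Policy inputs (assumed values): expected source ranges, approved exceptions,
# service accounts with documented justification, and the session timeout.
APPROVED_SOURCE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
APPROVED_IP_EXCEPTIONS = {ipaddress.ip_address("198.51.100.7")}
JUSTIFIED_SERVICE_ACCOUNTS = {"svc-backup"}
MAX_SESSION = timedelta(hours=8)


def parse_sessions(text):
    """Parse the CSV export into one dict per session."""
    lines = text.strip().splitlines()
    headers = lines[0].split(",")
    return [dict(zip(headers, line.split(","))) for line in lines[1:]]


def audit_session(s):
    """Return the list of findings for one session (empty list = compliant)."""
    findings = []
    user = s["user"]
    if user in ("", "anonymous"):
        findings.append("anonymous session")
    elif user.startswith("svc-") and user not in JUSTIFIED_SERVICE_ACCOUNTS:
        findings.append("service account without documented justification")
    if s["mfa"] != "yes":
        findings.append("MFA not enforced")
    ip = ipaddress.ip_address(s["source_ip"])
    if ip not in APPROVED_IP_EXCEPTIONS and not any(ip in n for n in APPROVED_SOURCE_RANGES):
        findings.append("source IP outside approved ranges")
    duration = datetime.fromisoformat(s["end"]) - datetime.fromisoformat(s["start"])
    if duration > MAX_SESSION:
        findings.append("session exceeded policy timeout")
    return findings


def audit_log(text):
    """Map each session's user to its findings; sessions in the sample have unique users."""
    return {s["user"]: audit_session(s) for s in parse_sessions(text)}
```

Any non-empty findings list is an exception to raise with the system owner; an empty result for every session is the evidence the test asks for.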
Questions (2)
Is remote access to internal systems and infrastructure limited to approved, documented access paths (e.g. VPN or zero-trust network access)?
Direct SSH, RDP, or API access from the internet to internal resources without a sanctioned gateway should be blocked. All remote access paths must be reviewed and re-authorised periodically.
What remote access technology is in use for accessing internal systems?
ZTNA or MFA-enforced VPN are the expected approaches. Direct public internet access to internal systems without an authenticated gateway is a critical finding.