Category: Security Architecture
Applicability: Applies to all state agencies, boards, and commissions, excluding higher education institutions
History: Adopted on June 27, 2007. Amended on March 4, 2008 (by NITC 1-103).
It is the responsibility of all State of Nebraska agencies to strictly control remote access from any device that connects from inside the State of Nebraska network to a desktop, server or network device elsewhere within the State of Nebraska network (e.g., from a 10.x.x.x device to a 10.x.x.x device) and ensure that employees, contractors, vendors and any other agent granted remote access privileges adhere to common methods of secure remote administration which shall include but are not limited to:
As employees utilize remote access connectivity to conduct business within and amongst the State of Nebraska networks, security is increasingly at risk. These standards are designed to minimize the potential exposure to damages that may result from unauthorized use of resources, including loss of sensitive or confidential data or intellectual property, damage to public image, or damage to critical internal systems. The purpose of this document is to define standards for agencies that connect from any State of Nebraska network or device to any State of Nebraska network or device.
All State agencies, boards, and commissions are required to comply with the standard listed in Section 1. All existing agencies utilizing non-standard remote access applications must convert to the standard listed in Section 1 as soon as fiscally prudent, unless the application is exempt.
The NITC shall be responsible for adopting minimum technical standards, guidelines, and architectures upon recommendation by the technical panel. (Neb. Rev. Stat. § 86-516(6))
Each state agency will be responsible for developing a process that ensures that secure remote access to internal State resources is maintained, and/or implemented, including but not limited to following appropriate best practices in a manner consistent with this standard and other state agency security policies.
Principle of Least Privilege: The principle of least privilege requires that a user be given no more privilege (authority) than necessary to perform a job.