WithPCI.com

8.2.7 Accounts used by third parties to access, support, or maintain system components via remote access are managed as follows:

Original requirement from PCI DSS v4.0.1

Defined Approach Requirements

8.2.7 Accounts used by third parties to access, support, or maintain system components via remote access are managed as follows:

  • Enabled only during the time period needed and disabled when not in use.
  • Use is monitored for unexpected activity.

Customized Approach Objective

Third-party remote access cannot be used except where specifically authorized and use is overseen by management.

Defined Approach Testing Procedures

8.2.7 Interview personnel, examine documentation for managing accounts, and examine evidence to verify that accounts used by third parties for remote access are managed according to all elements specified in this requirement.

Purpose

Allowing third parties to have 24/7 access into an entity's systems and networks in case they need to provide support increases the chances of unauthorized access. This access could result in an unauthorized user in the third party's environment or a malicious individual using the always-available external entry point into an entity's network. Where third parties do need access 24/7, it should be documented, justified, monitored, and tied to specific service reasons.

Good Practice

Enabling access only for the time periods needed and disabling it as soon as it is no longer required helps prevent misuse of these connections. Additionally, consider assigning third parties a start and stop date for their access in accordance with their service contract.

Monitoring third-party access helps ensure that third parties are accessing only the systems necessary and only during approved time frames. Any unusual activity using third-party accounts should be followed up and resolved.
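The two controls above (time-boxed enablement with contract start/stop dates, and monitoring for use outside approved systems and time frames) can be expressed as a small reconciliation-and-review routine. The following is an added example written for this page, not WithPCI's text or any PCI SSC tooling; the account names, hosts, ticket reference, log format and timestamps are all constructed for illustration.

```python
"""Time-boxed third-party remote access plus activity review (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List

UTC = timezone.utc


@dataclass(frozen=True)
class VendorAccessWindow:
    account: str                   # remote-access account name (constructed)
    vendor: str                    # who the account belongs to
    ticket: str                    # service reason / contract reference that justifies the access
    start: datetime                # access is enabled from here ...
    stop: datetime                 # ... and disabled again at this point
    allowed_hosts: FrozenSet[str]  # systems the vendor is contracted to support


def parse_ts(iso_ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as '2024-05-02T10:15:00Z'."""
    return datetime.fromisoformat(iso_ts.replace("Z", "+00:00"))


def within_window(window: VendorAccessWindow, when: datetime) -> bool:
    """True if `when` falls inside the approved start/stop period."""
    return window.start <= when < window.stop


def desired_account_states(windows: List[VendorAccessWindow], now: datetime) -> Dict[str, bool]:
    """Map each third-party account to whether it should be enabled right now.
    A scheduler would call this periodically and reconcile the directory or VPN
    so accounts are live only during the contracted period."""
    return {w.account: within_window(w, now) for w in windows}


def parse_auth_line(line: str) -> dict:
    """Parse one line of the constructed log format used below:
    '<ISO-8601 UTC timestamp> key=value key=value ...'"""
    ts_text, *fields = line.split()
    event = {k: v for k, v in (f.split("=", 1) for f in fields)}
    event["ts"] = parse_ts(ts_text)
    return event


def review_activity(windows: List[VendorAccessWindow], log_lines: List[str]) -> List[str]:
    """Flag third-party remote-access events that need follow-up: accounts with no
    approved window, use outside the approved window, or access to systems outside
    the contracted scope."""
    by_account = {w.account: w for w in windows}
    findings = []
    for line in log_lines:
        ev = parse_auth_line(line)
        stamp = ev["ts"].isoformat()
        w = by_account.get(ev["account"])
        if w is None:
            findings.append(f"{stamp} {ev['account']}: remote login by an account with no approved access window")
            continue
        if not within_window(w, ev["ts"]):
            findings.append(f"{stamp} {w.account}: used outside approved window for {w.ticket}")
        if ev["host"] not in w.allowed_hosts:
            findings.append(f"{stamp} {w.account}: reached {ev['host']}, which is outside the scope of {w.ticket}")
    return findings


# Constructed schedule: one vendor engagement tied to a service ticket and contract dates.
SAMPLE_WINDOWS = [
    VendorAccessWindow(
        account="vendor-acme-support",
        vendor="Acme POS Services",
        ticket="CHG-1042",
        start=parse_ts("2024-05-02T09:00:00Z"),
        stop=parse_ts("2024-05-02T17:00:00Z"),
        allowed_hosts=frozenset({"pos-app01", "pos-app02"}),
    ),
]

# Constructed log lines in the format parse_auth_line() expects.
SAMPLE_LOG = [
    "2024-05-02T10:15:00Z account=vendor-acme-support host=pos-app01 result=success",  # in window, in scope
    "2024-05-02T10:40:00Z account=vendor-acme-support host=card-db01 result=success",  # in window, out of scope
    "2024-05-02T22:05:00Z account=vendor-acme-support host=pos-app02 result=success",  # outside window
    "2024-05-03T08:00:00Z account=vendor-globex-ops host=pos-app01 result=success",    # no approved window
]


def desired_states_at(iso_now: str) -> Dict[str, bool]:
    """Enablement decision for the sample schedule at a given instant."""
    return desired_account_states(SAMPLE_WINDOWS, parse_ts(iso_now))


def run_review() -> List[str]:
    """Review the sample log against the sample schedule."""
    return review_activity(SAMPLE_WINDOWS, SAMPLE_LOG)


if __name__ == "__main__":
    print(desired_states_at("2024-05-02T12:00:00Z"))
    for finding in run_review():
        print(finding)
```

The enablement half is deliberately a pure function of the schedule and the clock, so the same data that justifies the access (ticket, contract dates, contracted systems) also drives disabling it and judging what "unexpected activity" means; evidence for the testing procedure falls out of logging both the reconciliation decisions and the findings.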

Purpose

Enforce strong authentication for all user access to system components.

Compliance Strategies

  • Multi-factor authentication (MFA)
  • Strong password policies

Typical Policies

  • Authentication Policy
  • Password Policy

Common Pitfalls

  • Weak passwords
  • MFA not enforced everywhere

Type

Technical Control

Difficulty

Moderate

Key Risks

  • Credential compromise

Recommendations

  • Deploy MFA for all remote and privileged access

Eligible SAQ

  • SAQ-A-EP
  • SAQ-B-IP
  • SAQ-C
  • SAQ-D MERCHANT
  • SAQ-D SERVICE PROVIDER
