This topic contains 4 replies, has 3 voices, and was last updated by 
wkastorff 1 year, 7 months ago.
-
Topic
-
IA-2(3) states the following –
The information system implements multifactor authentication for network access to non-privileged accounts. (3) IDENTIFICATION AND AUTHENTICATION | LOCAL ACCESS TO PRIVILEGED ACCOUNTSWith this in mind I assume the control makes no distinction between Local Area Access (local network access from within the same IS system) or network access coming in from external networks. Is the assumption correct that you would apply the same measure of Multifactor Authentication to either scenario?
Thank You!
-
Replies
-
I believe that your assumption is correct. But, your explanation that this is internal comms within the IS makes me second guess myself. Not sure you would classify internal comms within the IS as “network access” since these controls relate to access to the IS, not within.
-
Yes,
I should have been clearer I mean local network access, networks that are directly connected to the IS.
-
In that case I am not as conflicted. I believe the multifactor measure would definitely apply.
-
The engineering team that I work with have gone round-and-round over over this topic. We concur with the multifactor response. We don’t believe their is a specific solution for all technologies, e.g. local physical access to a router. Physical security measures with specific processes may be the correct solution for certain problems.
You must be logged in to reply to this topic.
