Description

The university authorizes all dedicated connections from university information resources to other information resources outside of the university through the use of system connection agreements and monitors/controls the connections on an ongoing basis.

Applicability

  • The intended audience includes information resource owners and custodians. This control applies to dedicated connections between information systems (i.e., system interconnections) and does not apply to transitory, user-controlled connections such as email and website browsing.

    Tip

    Examples of dedicated networks that would require an Interconnection Agreement include the LEARN Network and TTVN. Generally, connections are only in scope for CA-3 if they are dedicated and (semi-)permanent. Connections that are user-controlled in any way (such as VPNs or VPCs that can be provisioned and deprovisioned via API) are not required to have Interconnection Agreements. Only cloud network products that act at the campus network level (such as AWS Direct Connect or Azure ExpressRoute) fall in scope for CA-3.

Implementation

  • 1. The information resource owner or designee shall:

    • 1.1 Authorize dedicated connections from an information resource to external information resources through the use of Interconnection Security Agreements.

    • 1.2 Document, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated.

    • 1.3 Review and update Interconnection Security Agreements annually.

    • 1.4 Include Interconnection Security Agreements with annual risk assessments.