Official Nebraska Government Website

NITC 8-304: Remote Administration of Internal Devices Standard

Category: Security Architecture
Applicability: Applies to all state agencies, boards, and commissions, excluding higher education institutions
History: Adopted on June 27, 2007. Amended on March 4, 2008 (by NITC 1-103).

1. Standard

It is the responsibility of all State of Nebraska agencies to strictly control remote access from any device that connects from inside the State of Nebraska network to a desktop, server or network device elsewhere within the State of Nebraska network (e.g., from a 10.x.x.x device to a 10.x.x.x device) and to ensure that employees, contractors, vendors and any other agent granted remote access privileges adhere to common methods of secure remote administration, which shall include but are not limited to:

  • Use of strong authentication mechanisms (e.g., strong passwords, public/private key pair, two factor authentication, etc.)
  • Utilize device host access (by IP address) lists to restrict remote access
  • Use of secure protocols that provide encryption of both passwords and data (e.g., SSL, HTTPS) when reasonable and appropriate, rather than insecure protocols (e.g., Telnet, FTP).
  • Grant permissions to only those with a job related need.
  • Implement the 'Principle of Least Privilege' to those who are granted permissions.
  • Reset factory default device passwords and regularly change any default accounts or passwords for the remote administration utility or application.
  • Disable remote capabilities of devices or device accounts if remote access is not employed by the agency.

2. Purpose and Objectives

As employees utilize remote access connectivity to conduct business within and amongst the State of Nebraska networks, security becomes increasingly at risk. These standards are designed to minimize the potential exposure to damages that may result from unauthorized use of resources, including loss of sensitive or confidential data, loss of intellectual property, damage to public image, and damage to critical internal systems. The purpose of this document is to define standards for agencies that connect from any State of Nebraska network or device to any State of Nebraska network or device.

Objectives include:

  • Provide guidance to State of Nebraska agency employees, contractors, vendors and any other agent that accesses any State of Nebraska network or device.
  • Provide a high level of security through industry standards and best practices.
  • Ensure a solution that is scalable to meet the current and future needs of state agencies, their employees, clients and customers, and business partners.
  • Meet federal security requirements for remote access control.

3. Applicability

3.1 State Government Agencies

All State agencies, boards, and commissions are required to comply with the standard listed in Section 1. All existing Agencies utilizing non-standard remote access applications must convert to the standard listed in Section 1 as soon as fiscally prudent, unless the application is exempt.

4. Responsibility

4.1 NITC

The NITC shall be responsible for adopting minimum technical standards, guidelines, and architectures upon recommendation by the technical panel. (Neb. Rev. Stat. § 86-516(6))

4.2 State Agencies

Each state agency will be responsible for developing a process that ensures that secure remote access to internal State resources is maintained, and/or implemented, including but not limited to following appropriate best practices in a manner consistent with this standard and other state agency security policies.

5. Definitions

Principle of Least Privilege: The principle of least privilege requires that a user be given no more privilege (authority) than necessary to perform a job.

6. References