CIS Control 13.5: Manage Access Control for Remote Assets
Remote work expands your attack surface. CIS Control 13.5 requires you to enforce granular access policies for any device connecting to enterprise resources—ensuring only compliant, patched, and protected systems get meaningful access. This control is foundational to modern hybrid work security.
What this means
Control 13.5 mandates a zero-trust approach to remote connectivity. Before granting access to enterprise resources, you must verify three conditions: up-to-date anti-malware protection is active, the device meets your secure configuration baseline, and the operating system and all applications are current with security patches. Access should scale with compliance status—non-compliant devices receive restricted or no access.
How to comply
- 1.Establish a secure baseline configuration for remote devices (OS, critical applications, security tools)
- 2.Deploy anti-malware software mandatory on all remote assets, with real-time monitoring and centralized visibility
- 3.Implement automated patch management to keep OS and applications current across all remote devices
- 4.Create a device inventory that tracks compliance status for every remote asset
- 5.Define access tiers: full, restricted, or denied based on anti-malware status, configuration compliance, and patch currency
- 6.Enforce conditional access policies that dynamically adjust permissions based on device health checks
- 7.Audit remote device compliance monthly and revoke access for non-compliant systems
Evidence auditors look for
- Anti-malware software deployment logs showing 100% coverage on remote devices
- Configuration management reports confirming baseline adherence across remote assets
- Patch management dashboards displaying OS and application update status by device
- Conditional access policy logs showing permission grants/denials based on compliance checks
- Device inventory records with compliance status tags and last audit dates
- Access control decisions tied to device health metrics from the past 90 days
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
See how GRCWatch handles this control automatically.
See how GRCWatch handles this control automatically
Start free trial