Northeastern University Access Control Standard
Document Metadata
Related Policy: Northeastern University Information Security Policy, Northeastern University Configuration Management Standard
Responsible Office: Office of Information Security (OIS)
Purpose and Scope
Northeastern University is committed to securing its data and providing clear and concise guidance on protecting the many information technology (IT) systems we use. Given the widespread use and diversity of the IT systems employed within Northeastern University, it is paramount that a technology-agnostic set of standards is in place and uniformly applied across all IT systems.
This standard establishes the minimum access control criteria to carry out and meet the intent of the directives within Northeastern University’s Information Security Policy. This standard applies to all organizations (e.g., academic entities, entities other than Colleges and Departments, legally separate but wholly owned entities) of Northeastern University.
IT systems are considered in the scope of this standard if they utilize any of the following: Northeastern's Network, ITS troubleshooting or administration, OIS incident response or investigation, or a Northeastern Microsoft account (e.g., @northeastern.edu).
Access Control Overview
This domain focuses on Access Control (AC). AC seeks to establish Northeastern University’s system access requirements, manage access to Northeastern University systems, and implement mechanisms to limit access to Northeastern University data.
Roles and Responsibilities
The following high-level functional roles support the access control processes for IT systems. In some cases, there may be more than one functional role associated with a specific process or task; similarly, more than one person may perform some roles. The following describe the roles and responsibilities associated with access control within the Northeastern University environment.
Chief Information Security Officer (CISO)
Individual responsible for the overall Northeastern University information security program.
Privileged User
Individuals with elevated permissions that allow them to update, modify, change, or otherwise control a system, application, or appliance within the Northeastern University IT system.
System Administrator
An organization or individual responsible for setting up and maintaining a system, appliance, or specific system elements. This role revolves around hands-on management of the system and is usually more technical in nature than the System Owner. They are also responsible for implementing approved secure baseline configurations, incorporating secure configuration settings for IT products, and conducting or assisting with configuration monitoring activities as needed.
Depending on the size of the system, these responsibilities can be split across multiple skill-based domains listed below. These domains can be managed by separate teams across Northeastern University depending on the skills necessary to carry out the listed responsibilities.
- Infrastructure: manages any servers that are not aligned to a specific skill-based domain listed below.
- Network: manages all hardware and systems related to managing network communications.
- Security: manages all systems that ensure and confirm the security of the environment (e.g., Sentinel, Defender, Tenable, Azure, Intune, Windows Cloud PC).
- Desktop: manages the physical workstations and the software installed on them.
- Identity: manages systems that control identity-based access, like Entra ID.
System Owner
An individual or organization responsible for the development, procurement, integration, modification, operation and maintenance, and/or final disposition of an information system.
Also responsible for establishing, tracking, and maintaining the inventory of IT products and information systems which process, transmit, or store sensitive information, including hardware, software, and firmware. Depending on the size of the system, these responsibilities can be assigned to someone with a role closely aligned to that of an Asset Manager.
Also responsible for maintaining the appropriate operational security posture for an information system or enclave and for ensuring the information assurance of a program or organization. Depending on the size of the system, these responsibilities can be assigned to someone with a role closely aligned to that of an Information System Security Officer (ISSO).
Also responsible for identification, investigation, and tracking of organizational IT risks, and coordinating with OIS and relevant stakeholders for remediation. Depending on the size of the system, these responsibilities can be assigned to someone with a role closely aligned to that of a Security Analyst.
Also responsible for monitoring and granting system access privileges for other authorized individuals. Depending on the size of the system, these responsibilities can be assigned to someone with a role closely aligned to that of a System Access Authority.
Standard
This standard is scoped primarily around a subset of the National Institute of Standards and Technology (NIST) 800-171 controls to protect the confidentiality, integrity, and availability of information. The related NIST controls have been tagged (e.g., 3.1.1) in the text below to identify where each listed responsibility inherits its requirements from.
As the access control capability is matured over time, additional controls may be considered to augment confidentiality and address the availability and integrity of Northeastern University data. Additionally, when implementing the criteria of this document, organizations may choose to implement stricter criteria; however, the criteria cannot be lessened without formal exception by the Northeastern University Chief Information Security Officer (CISO) as described in the Compliance section of this standard.
Establish System Access Requirements
(3.1.1) System Inventory and User Management
The System Owner is responsible for maintaining an updated system inventory in accordance with the Northeastern University Configuration Management Standard.
The System Owner is also responsible for developing, approving, and maintaining a list of authorized users with access to IT systems. They will also review all user accounts in those systems quarterly to confirm that each account is active and still requires access.
The System Owner is responsible for submitting a request to provision any incoming user’s account.
(3.1.9) Privacy and Security Notices
The System Owner is responsible for developing privacy and security notices for Northeastern University IT systems in accordance with applicable laws and requirements.
The System Administrator is responsible for configuring applicable Northeastern University IT systems to display data privacy and security notices. The notices must be configured to:
- Be displayed prior to logon (e.g., splash screen, banner).
- Remain displayed until the user acknowledges the usage conditions and takes explicit actions to log on to or further access the system.
At a minimum, an authorized user should be informed of the following prior to logon to an information system containing Northeastern University Data:
- Information system usage may be monitored or recorded and is subject to audit.
- Unauthorized use of the information systems is prohibited.
- Unauthorized use is subject to criminal and civil penalties.
- Use of the information system affirms consent to monitoring and recording.
- The information system contains Northeastern University Data with specific protection requirements.
- Use of the information system may be subject to other specified requirements associated with certain types of Northeastern University data.
The following standard language may be used for IT systems containing Northeastern University Data:
Privacy and Security Notice
This system is the property of Northeastern University and is intended for authorized use only. By accessing this system, you acknowledge and agree to the following:
- You must comply with all applicable Northeastern University policies and procedures, including those regarding acceptable use, data protection, and privacy.
- Unauthorized access or use of this system is prohibited and may result in disciplinary action, civil liability, and/or criminal penalties.
- Your activities on this system may be monitored, recorded, and audited to ensure compliance with Northeastern University policies and applicable laws. There is no expectation of privacy when using this system.
- Any data or information you create, store, or transmit on this system is the sole property of Northeastern University and may be accessed and disclosed by Northeastern University for legitimate business purposes.
By continuing to use this system, you consent to these terms and conditions. LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this notice.
(3.1.21) Portable Storage Devices
The System Owner is responsible for limiting the use of portable storage devices on Northeastern University IT systems and implementing the protections specified in the Northeastern University Configuration Management Standard.
The System Owner is responsible for reviewing portable storage device usage requests and approving the issuance of the storage device. All users are required to submit a portable device request form via ServiceNow, for review by the System Owner. Users must justify and demonstrate the need for a portable storage device for the performance of their legitimate job duties.
Control Internal System Access
(3.1.2) User Roles and Permissions
The System Owner is responsible for defining user roles (e.g., privileged, non-privileged) and related permissions (e.g., create, read, update, delete), aligning user roles to the types of transactions/functions permitted using the principle of least privilege, documenting users' system roles, and reviewing this list quarterly for any system roles that may have changed or been realigned to another user.
The System Administrator is responsible for configuring authorized user access to IT systems as specified by their assigned user role.
The System Administrator is responsible for assigning user permissions in accordance with the user system roles document created by the System Owner.
(3.1.6) Privileged Account Usage
Privileged Users are responsible for utilizing a non-privileged account when not performing privileged functions.
(3.1.8) Unsuccessful Logon Attempts
Unsuccessful logon attempts must be limited in accordance with the following criteria:
| Category | Required Settings |
|---|---|
| Failed Logon Attempts | The number of unsuccessful logon attempts before an account is locked: 8 failed attempts within 10 minutes |
| Lockout Response | Lockout duration upon exceeding the logon failure threshold: General User: 10 minutes; Privileged User: 30 minutes |
Password Requirements for Third-Party Providers
Access to University data when provided through a third-party application should have established access controls using credentials and passwords synchronized through the University's LDAP or AD systems, to ensure an appropriate strength of password complexity and adherence to the University Password Standards. Where access to third-party applications cannot be established through the use of LDAP or AD systems, the vendor will establish password controls which meet the University password complexity standards, except where technically infeasible. Appropriate controls will be implemented as are technically, operationally, and financially feasible to ensure data is safeguarded consistent with university policy, law, and regulation.
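To make the 3.1.8 lockout criterion concrete, the following is an added example (not part of this standard and not Northeastern University tooling) that replays constructed logon events against the threshold and lockout durations in the table above: 8 failures within a sliding 10-minute window lock the account, for 10 minutes for a general user and 30 minutes for a privileged user. The usernames, log line format, and timestamps are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Thresholds taken from the 3.1.8 criterion table.
FAILURE_THRESHOLD = 8                       # failed attempts ...
FAILURE_WINDOW = timedelta(minutes=10)      # ... within this sliding window
LOCKOUT_DURATION = {                        # lockout length by user type
    "general": timedelta(minutes=10),
    "privileged": timedelta(minutes=30),
}


@dataclass
class AccountState:
    role: str                                  # "general" or "privileged"
    failures: List[datetime] = field(default_factory=list)
    locked_until: Optional[datetime] = None


class LockoutPolicy:
    """Applies the 3.1.8 threshold and lockout durations to a stream of logon events."""

    def __init__(self, roles: Dict[str, str]) -> None:
        self.accounts = {user: AccountState(role) for user, role in roles.items()}

    def is_locked(self, user: str, now: datetime) -> bool:
        state = self.accounts[user]
        return state.locked_until is not None and now < state.locked_until

    def record(self, user: str, outcome: str, when: datetime) -> str:
        """Apply one event; returns 'rejected', 'ok', 'locked' or 'failed'."""
        state = self.accounts[user]
        if self.is_locked(user, when):
            # While locked, every attempt is refused regardless of the password.
            return "rejected"
        if outcome == "success":
            state.failures.clear()
            state.locked_until = None
            return "ok"
        # Drop failures that have aged out of the window so only recent ones count.
        state.failures = [t for t in state.failures if when - t < FAILURE_WINDOW]
        state.failures.append(when)
        if len(state.failures) >= FAILURE_THRESHOLD:
            state.locked_until = when + LOCKOUT_DURATION[state.role]
            state.failures.clear()
            return "locked"
        return "failed"


def parse_line(line: str) -> Tuple[datetime, str, str]:
    """Parse a constructed log line: '<ISO-8601 time> <user> <success|failure>'."""
    ts, user, outcome = line.split()
    return datetime.fromisoformat(ts), user, outcome


def evaluate(lines: List[str], roles: Dict[str, str]) -> Tuple[Dict[str, List[str]], LockoutPolicy]:
    """Replay log lines in order; return each user's decisions and the final policy state."""
    policy = LockoutPolicy(roles)
    decisions: Dict[str, List[str]] = {user: [] for user in roles}
    for line in lines:
        when, user, outcome = parse_line(line)
        decisions[user].append(policy.record(user, outcome, when))
    return decisions, policy


# Constructed sample: one general and one privileged user (assumed names).
ROLES = {"alice": "general", "bob-adm": "privileged"}
SAMPLE_LOG = (
    # alice: 8 failures in 8 minutes -> locked at 09:07 until 09:17.
    [f"2025-09-03T09:0{m}:00 alice failure" for m in range(8)]
    + ["2025-09-03T09:08:00 alice failure",     # rejected: still locked
       "2025-09-03T09:18:00 alice success"]     # ok: 10-minute lockout expired
    # bob-adm: 3 early failures age out of the window before 5 more arrive...
    + [f"2025-09-03T10:0{m}:00 bob-adm failure" for m in range(3)]
    + [f"2025-09-03T10:{m}:00 bob-adm failure" for m in range(15, 20)]
    # ...then 3 more bring the count to 8 -> locked at 10:22 until 10:52.
    + [f"2025-09-03T10:{m}:00 bob-adm failure" for m in range(20, 23)]
    + ["2025-09-03T10:40:00 bob-adm success",   # rejected: 30-minute lockout
       "2025-09-03T10:53:00 bob-adm success"]   # ok
)

if __name__ == "__main__":
    results, _ = evaluate(SAMPLE_LOG, ROLES)
    for user, outcomes in results.items():
        print(user, " ".join(outcomes))
```

Note that a correct password supplied at 10:40 is still refused for the privileged user, whereas a general user locked at the same time would have been unlocked at 10:32.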
(3.1.10) Session Lock
A session lock (e.g., screen saver with password, device lock) with pattern-hiding (e.g., asterisks) must be enabled by the endpoint (e.g., user workstation) after 15 minutes of inactivity.
(3.1.7) Privileged Functions
The System Administrator is responsible for configuring user permissions to privileged functions specified by their assigned user role (e.g., privileged, non-privileged) and reviewing Privileged User permissions quarterly to confirm a continued need for access permissions.
(3.1.11) Remote Session Termination
Remote user sessions (e.g., virtual private network [VPN] and Remote Desktop Protocol [RDP]) must be terminated after 8 hours of inactivity. The System Administrator is responsible for configuring remote access methods to automatically terminate user sessions based on all defined termination conditions.
Control Remote System Access
(3.1.12) Multifactor Authentication
Multifactor authentication (MFA) (e.g., Duo) is required for all remote connections to NU IT systems.
(3.1.14) Managed Access Control Points
The System Administrator is responsible for ensuring remote access is routed through defined managed access control points.
(3.1.13) Cryptographic Protection
The System Owner is responsible for identifying and approving a remote access capability utilizing up to date cryptography (e.g., Advanced Encryption Standard [AES]).
The Security Administrator is responsible for implementing the approved remote access capability.
(3.1.20) External System Connections
The System Owner is responsible for defining allowable external IT system (i.e., outside of the organization’s direct supervision and authority) connections into the NU environment, defining the allowable use (e.g., authorized users, services, processes) of external information systems, defining external information system verification (e.g., certificate) and control measures, and documenting external information system connections in an interconnection security agreement (ISA).
The System Administrator is responsible for configuring technical measures as defined by the System Owner (e.g., VPN, access from approved IP addresses, ports, protocols, or APIs) to verify and control external system connections.
(3.1.22) Publicly Accessible Systems
The System Owner is responsible for developing procedures to ensure sensitive Northeastern University data is not posted or processed on publicly accessible systems, identifying and maintaining a list of individuals authorized to post or process information on publicly accessible systems (e.g., webpages), reviewing all content prior to its posting to publicly accessible systems, providing training on acceptable information to post on publicly accessible systems to authorized individuals, and developing a process to receive reports of potential sensitive Northeastern University data posted on publicly accessible systems.
Additionally, the System Owner is responsible for receiving reports of potential sensitive Northeastern University data found on publicly accessible systems, reviewing those reported issues to determine and confirm whether sensitive Northeastern University data was posted on publicly accessible systems within ten (10) business days of receipt, removing sensitive Northeastern University data within ten (10) business days of confirmation, and reporting the data leakage to OIS and other appropriate authorities, if necessary, as well as reviewing all of the information posted on publicly available systems every quarter for any sensitive Northeastern University data that may have been inadvertently posted.
(3.1.3) Information Flow Controls
The System Owner is responsible for defining information flow (i.e., information pathways) controls for IT systems, monitoring information flows of data within, and between, IT systems, and defining approved sources and destinations (e.g., networks, applications, devices) of data within, and between, IT systems.
Additionally, the System Owner is responsible for defining enforcement mechanisms (e.g., firewall) to control the flow of information between designated sources and destinations and authorizing the flow of sensitive Northeastern University data within, and between, IT systems.
The System Administrator is responsible for configuring boundary protection devices (e.g., gateways, routers) to enforce defined flow controls.
(3.1.19) Mobile Device Encryption
Mobile devices and mobile computing platforms owned by Northeastern University must use full-device encryption. The System Administrator is responsible for requiring and managing the encryption on mobile devices and mobile computing platforms owned by Northeastern University.
Definitions
The following definitions have been derived from industry standard definitions provided by the National Institute of Standards and Technology (NIST) Computer Security Resource Center Glossary and, where appropriate, tailored for Northeastern University’s IT environment.
- Access Control: Process of granting access to information system resources only to authorized users, programs, processes, or other systems.
- Cryptographic Mechanism: Application, process, module, or device that provides a cryptographic service, such as confidentiality, integrity, source authentication, and access control (e.g., encryption and decryption, and digital signature generation and verification).
- Encryption: Any procedure used to convert plain text into cipher text to prevent anyone but the intended recipient from reading that data.
- External Information System: An information system or component of an information system that is outside of the authorization boundary established by the organization as defined in the System Security Plan, for which the organization typically has no direct control over the application of required security controls or the assessment of security control effectiveness.
- Flow Control: Procedure to ensure that information transfers within a system are not made in violation of the security policy.
- Information System: A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
- Information Technology (IT): Computing and/or communications hardware and/or software components and related resources that can collect, store, process, maintain, share, transmit, or dispose of data. IT components include computers and associated peripheral devices, computer operating systems, utility/support software, and communications hardware and software.
- Interconnection Security Agreement (ISA): A document that regulates security-relevant aspects of an intended connection between an organization and an external information system. It regulates the security interface between any two systems operating under two different distinct authorities. It includes a variety of descriptive, technical, procedural, and planning information.
- Organization: An entity of any size, complexity, or positioning within an organizational structure (e.g., school, department, lab, operational elements).
- Portable Storage Device: A system component that can be inserted into and removed from a system, and that is used to store data or information (e.g., text, video, audio, image data). Such components are typically implemented on magnetic, optical, or solid-state devices (e.g., floppy disks, compact/digital video disks, flash/thumb drives, external hard disk drives, flash memory cards/drives that contain nonvolatile memory).
- Principle of Least Privilege: A security architecture designed so that each entity is granted the minimum system authorizations and resources that the entity needs to perform its function.
- Privileged Account: An information system account with authorizations of a privileged user.
- Privileged User: A user that is authorized (and therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform.
- Process: Set of interrelated or interacting activities that transform inputs into outputs. A program in execution.
- User: Individual, or (system) process acting on behalf of an individual, authorized to access an information technology (IT) system for performing a legitimate purpose.
- Remote Access: Access to organizationally owned systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the internet).
Examples of Remote Access Include:
- A Northeastern University user physically located in New Hampshire while attempting to connect to a Northeastern University IT system physically located in Boston through an unmanaged connection.
  - This connection is usually through a user-owned internet service provider and network.
- A Northeastern University user physically located in Oregon while attempting to connect to a Northeastern University IT system physically located in California through a Northeastern University managed connection.
  - This connection is usually a Northeastern University owned VDI or VPN.
Examples of Non-Remote Access Include:
- A Northeastern University user physically located in New Hampshire while attempting to connect to a Northeastern University owned IT system not physically located in any Northeastern University campus, lab, office, or facility.
  - This IT system is generally considered in the "cloud" and hosted by a third party, like Microsoft.
  - Both managed and unmanaged connections to these cloud systems are still considered non-remote access.
Compliance
This standard complies with the directives defined in the Northeastern University Information Security Policy. The university recognizes that on rare occasions there might be compelling reasons to consider allowing an organization to operate outside of the criteria defined in this standard, as derived from the Northeastern University Information Security Policy. To facilitate this consideration, the System Owner must submit a petition for a risk-based policy exception in writing, including supporting rationale, and forward it to the Northeastern University CISO for review and approval. All approved risk-based policy exceptions must be formally documented by the Northeastern University CISO and indicate the exception duration (e.g., temporary, long-term). The Northeastern University CISO is responsible for disseminating and communicating all risk-based exception approvals and rescissions to the relevant stakeholders in a timely manner.
Change and Review Log
| Date | Description | Version | Editor |
|---|---|---|---|
| 1/6/2025 | Initial draft for Stakeholder Review | 0.1 | Akwasi Appiah |
| 1/24/2025 | Manager review before stakeholder review | 0.2 | Brad Wing |
| 9/3/2025 | Final draft approved by CISO | 1.0 | Brad Wing |
Appendix A. Access Control Standard Summary
The table below summarizes the minimum criteria for enabling access control capabilities within the Northeastern University IT system environment.
- The first column “Northeastern University Practice ID” identifies the related Northeastern University practice ID as defined in the NIST 800-171.
- The “Northeastern University Practice Statement” column includes the Northeastern University practices required to be met for that control.
- The third column, “Derived Requirement”, provides a description of the requirement derived from the high-level Northeastern University practice statement. Derived requirements were developed from analysis of the intent of the practice and the logical components required to satisfy the practice. In some instances, a Northeastern University practice statement may be derived into several requirements to be addressed to satisfy the Northeastern University practice.
- The final column, “Northeastern University IT system environment Criteria”, defines the minimum criteria (e.g., configurations, actions, responsibilities, practices, etc.) which the university will implement to satisfy the related Northeastern University practice.
| NU Practice ID | NU Practice Statement | Derived Requirement | Northeastern University Environment Criteria |
|---|---|---|---|
| 3.1.1 | Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems). | Identify Information Systems | The System Owner is responsible for: Maintaining an updated system inventory in accordance with the NU Configuration Management Standard. |
| | | Identify Authorized Users | The System Administrator is responsible for: Configuring authorized user access to IT systems as specified by their assigned user role. Submitting a request to provision the incoming user's account. |
| 3.1.2 | Limit information system access to the types of transactions and functions that authorized users are permitted to execute. | Define Roles | The System Owner is responsible for: Defining user roles (e.g., privileged, non-privileged) and related permissions (e.g., create, read, update, delete). Aligning user roles to the types of transactions/functions permitted using the principle of least privilege. Documenting users' system roles. Reviewing this list quarterly for any system roles that may have changed or been realigned to another user. |
| | | Limit System Access | The System Administrator is responsible for: Configuring authorized user access to NU IT systems as specified by their assigned user role. Assigning user permissions in accordance with the user system roles document created by the System Owner. |
| 3.1.20 | Verify and control/limit connections to and use of external information systems. | Define External Interconnections | The System Owner is responsible for: Defining allowable external IT system (i.e., outside of the organization's direct supervision and authority) connections into the NU environment. Defining the allowable use (e.g., authorized users, services, processes) of external information systems. Defining external information system verification (e.g., certificate) and control measures. Documenting external information system connections in an interconnection security agreement (ISA). |
| | | Verify & Control Interconnections | The System Administrator is responsible for: Configuring technical measures as defined by the System Owner (e.g., VPN, access from approved IP addresses, ports, protocols, or APIs) to verify and control external system connections. |
| 3.1.22 | Control information posted or processed on publicly accessible information systems. | Identify Authorized Individuals | The System Administrator is responsible for: Identifying and maintaining a list of individuals authorized to post or process information on publicly accessible systems (e.g., webpages). Providing training on acceptable information to post on publicly accessible systems to authorized individuals. |
| | | Content Review | The System Administrator is responsible for: Developing procedures to ensure NU Data is not posted or processed on publicly accessible systems. Reviewing all content prior to its posting to publicly accessible systems. Developing a process to receive reports of potential NU Data posted on publicly accessible systems. |
| | | Content Removal | The System Administrator is responsible for: Receiving reports of potential sensitive NU Data found on publicly accessible systems. Reviewing those reported issues to determine and confirm whether sensitive NU data was posted on publicly accessible systems within ten (10) business days of receipt. Removing sensitive NU data within ten (10) business days of confirmation. Reporting the data leakage to OIS and other appropriate authorities. Reviewing all of the information posted on publicly available systems every quarter for any sensitive NU data that may have been inadvertently posted. |
| 3.1.9 | Provide privacy and security notices consistent with applicable NU rules. | Develop Notices | The System Owner is responsible for: Developing privacy and security notices for NU IT systems in accordance with applicable laws and requirements. At a minimum, an authorized user should be informed of the following prior to logon to an information system containing NU Data: Information system usage may be monitored or recorded and is subject to audit. Unauthorized use of the information systems is prohibited. Unauthorized use is subject to criminal and civil penalties. Use of the information system affirms consent to monitoring and recording. The information system contains NU Data with specific protection requirements. Use of the information system may be subject to other specified requirements associated with certain types of NU data. |
| | | Display Notices | The System Administrator is responsible for: Configuring applicable NU IT systems to display data privacy and security notices. The notices must be configured to: Be displayed prior to logon (e.g., splash screen, banner). Remain displayed until the user acknowledges the usage conditions and takes explicit actions to log on to or further access the system. |
| 3.1.21 | Limit use of portable storage devices on external systems. | Limit Storage Device Use | The System Owner is responsible for: Limiting the use of portable storage devices on NU IT systems. Implementing the protections specified in the NU Configuration Management Standard. Reviewing portable storage device usage requests and approving the issuance of the storage device. All users are required to: Submit a portable device request form via ServiceNow for review by the System Owner. |
| | | Define Approved Storage Devices | Users must: Justify and demonstrate the need for a portable storage device for the performance of their legitimate job duties. |
| 3.1.6 | Use non-privileged accounts or roles when accessing non-security functions. | Limit Account Use | Privileged Users are responsible for: Utilizing a non-privileged account when not performing privileged functions. |
| 3.1.8 | Limit unsuccessful logon attempts. | Failed Logon Attempts | The number of unsuccessful logon attempts before an account is locked: 8 failed attempts within 10 minutes. |
| | | Lockout Response | Lockout duration upon exceeding the logon failure threshold: General User: 10 minutes; Privileged User: 30 minutes. |
| 3.1.10 | Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity. | Session Lock | A session lock (e.g., screen saver with password, device lock) with pattern-hiding (e.g., asterisks) is enabled by the endpoint (e.g., user workstation) after 15 minutes of inactivity. |
| 3.1.12 | Monitor and control remote access sessions. | Multifactor | Multifactor authentication (MFA) (e.g., Duo) is required for all remote connections to NU IT systems. |
| 3.1.14 | Route remote access via managed access control points. | Route Remote Access | The System Administrator is responsible for: Ensuring remote access is routed through defined managed access control points. |
| 3.1.3 | Control the flow of NU Data in accordance with approved authorizations. | Define Flow Controls | The System Owner is responsible for: Defining information flow (i.e., information pathways) controls for IT systems. Monitoring information flows of data within, and between, IT systems. Defining approved sources and destinations (e.g., networks, applications, devices) of data within, and between, IT systems. |
| | | Enforcement Mechanisms | The System Owner is responsible for: Defining enforcement mechanisms (e.g., firewall) to control the flow of information between designated sources and destinations. Authorizing the flow of sensitive NU data within, and between, IT systems. |
| | | Enforce Authorizations | The System Administrator is responsible for: Configuring boundary protection devices (e.g., gateways, routers) to enforce defined flow controls. |
| 3.1.13 | Employ cryptographic mechanisms to protect the confidentiality of remote access sessions. | Identify Mechanisms | The System Owner is responsible for: Identifying and approving a remote access capability utilizing up to date cryptography (e.g., Advanced Encryption Standard [AES]). |
| | | Implement Protections | The System Administrator is responsible for: Implementing the approved remote access capability. |
| 3.1.7 | Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs. | Privileged Function Use | The System Administrator is responsible for: Configuring user permissions to privileged functions specified by their assigned user role (e.g., privileged, non-privileged). Reviewing Privileged User permissions quarterly to confirm a continued need for access permissions. |
| 3.1.11 | Terminate (automatically) user sessions after a defined condition. | Termination Conditions | Remote user sessions (e.g., virtual private network [VPN] and Remote Desktop Protocol [RDP]) must be terminated after 8 hours of inactivity. |
| | | Session Termination | The System Administrator is responsible for: Configuring remote access methods to automatically terminate user sessions based on all defined termination conditions. |
| 3.1.19 | Encrypt NU Data on mobile devices and mobile computing platforms. | Encryption Type | Mobile devices and mobile computing platforms owned by NU must use full-device encryption. |
| | | Manage Encryption | The System Administrator is responsible for: Requiring and managing the encryption on mobile devices and mobile computing platforms owned by NU. |
Appendix B. Access Control References
The following references are common industry standards used to carry out the access control criteria defined within this standard.
- NIST Special Publication (SP) 800-46, Revision 2, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security. https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-46r2.pdf
- NIST SP 800-77 Rev. 1, Guide to IPsec VPNs. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-77r1.pdf
- NIST SP 800-113, Guide to SSL VPNs. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-113.pdf
- NIST SP 800-124 Rev. 2 (Draft), Guidelines for Managing the Security of Mobile Devices in the Enterprise. https://csrc.nist.gov/publications/detail/sp/800-124/rev-2/final