Example of Remote Access Policy for Information Security Management System

1. Purpose

The purpose of this policy is to define rules and requirements for connecting to XXX’s network from any host. These rules and requirements are designed to minimize the potential exposure to XXX from damages which may result from unauthorized use of XXX resources. Damages include the loss of sensitive or company confidential data, intellectual property, damage to public image, damage to critical XXX internal systems, and fines or other financial liabilities incurred as a result of those losses. It also defines the requirements for remote access tools used at XXX.

2. Scope

This policy applies to all XXX employees, contractors, vendors and agents with a XXX-owned or personally-owned computer or workstation used to connect to the XXX network. This policy applies to remote access connections used to do work on behalf of XXX, including reading or sending email and viewing intranet web resources. This policy covers any and all technical implementations of remote access used to connect to XXX networks.

3. Policy

Remote access to our corporate network is essential to maintain our Team’s productivity, but in many cases this remote access originates from networks that may already be compromised or are at a significantly lower security posture than our corporate network. While these remote networks are beyond the control of Hypergolic Reactions, LLC policy, we must mitigate these external risks to the best of our ability. It is the responsibility of XXX employees, contractors, vendors and agents with remote access privileges to XXX’s corporate network to ensure that their remote access connection is given the same consideration as the user’s on-site connection to XXX.

General access to the Internet for recreational use through the XXX network is strictly limited to XXX employees, contractors, vendors and agents (hereafter referred to as “Authorized Users”). When accessing the XXX network from a personal computer, Authorized Users are responsible for preventing access to any XXX computer resources or data by non-Authorized Users. Performance of illegal activities through the XXX network by any user (Authorized or otherwise) is prohibited. The Authorized User bears responsibility for, and the consequences of, misuse of the Authorized User’s access. Authorized Users will not use XXX networks to access the Internet for outside business interests.

For further information and definitions, see the Acceptable Use Policy. For additional information regarding XXX’s remote access connection options, including how to obtain a remote access login, free anti-virus software, troubleshooting, etc., go to the Remote Access Services website.

3.1 Requirements

  1. Secure remote access must be strictly controlled with encryption (e.g., Virtual Private Networks (VPNs)) and strong pass-phrases. For further information see the Acceptable Encryption Policy and the Password Policy.
  2. Authorized Users shall protect their login and password, even from family members.
  3. While using a XXX-owned computer to remotely connect to XXX’s corporate network, Authorized Users shall ensure the remote host is not connected to any other network at the same time, with the exception of personal networks that are under their complete control or under the complete control of an Authorized User or Third Party.
  4. Use of external resources to conduct XXX business must be approved in advance by IT and the appropriate business unit manager.
  5. All hosts that are connected to XXX internal networks via remote access technologies must use the most up-to-date anti-virus software; this includes personal computers. Third party connections must comply with the requirements stated in the Third Party Agreement.
  6. Personal equipment used to connect to XXX’s networks must meet the requirements of XXX-owned equipment for remote access as stated in the Hardware and Software Configuration Standards for Remote Access to XXX Networks.

3.2 Remote Access Tools

Remote desktop software, also known as remote access tools, provides a way for computer users and support staff alike to share screens, access work computer systems from home, and vice versa. Examples of such software include LogMeIn, GoToMyPC, and Windows Remote Desktop (RDP). While these tools can save significant time and money by eliminating travel and enabling collaboration, they also provide a back door into the XXX network that can be used for theft of, unauthorized access to, or destruction of assets. As a result, only approved, monitored, and properly controlled remote access tools may be used on XXX computer systems. All remote access tools used to communicate between XXX assets and other systems must comply with the following policy requirements.

  1. XXX provides mechanisms to collaborate between internal users, with external partners, and from non-XXX systems. The approved software list can be obtained from <link-to-approved-remote-access-software-list>. Because proper configuration is important for secure use of these tools, mandatory configuration procedures are provided for each of the approved tools.
  2. The approved software list may change at any time, but the following requirements will be used for selecting approved products:
    • All remote access tools or systems that allow communication to XXX resources from the Internet or external partner systems must require multi-factor authentication. Examples include authentication tokens and smart cards that require an additional PIN or password.
    • The authentication database source must be Active Directory or LDAP, and the authentication protocol must involve a challenge-response protocol that is not susceptible to replay attacks (for example, OAuth 2.0). The remote access tool must mutually authenticate both ends of the session.
    • Remote access tools must support the XXX application layer proxy rather than direct connections through the perimeter firewall(s).
    • Remote access tools must support strong, end-to-end encryption of the remote access communication channels as specified in the XXX network encryption protocols policy.
    • XXX antivirus, data loss prevention, and other security systems must not be disabled, interfered with, or circumvented in any way by the remote access tool or its users.
  3. All remote access tools must be purchased through the standard XXX procurement process, and the information technology group must approve the purchase.

3.3 Dial-In Access Policy

  1. XXX employees and authorized third parties (customers, vendors, etc.) can use dial-in connections to gain access to the corporate network. Dial-in access should be strictly controlled, using one-time password authentication.
  2. It is the responsibility of employees with dial-in access privileges to ensure a dial-in connection to XXX is not used by non-employees to gain access to company information system resources. An employee who is granted dial-in access privileges must remain constantly aware that dial-in connections between their location and XXX are literal extensions of XXX’s corporate network, and that they provide a potential path to the company’s most sensitive information. The employee and/or authorized third party individual must take every reasonable measure to protect XXX’s assets.
  3. Analog and non-GSM digital cellular phones cannot be used to connect to XXX’s corporate network, as their signals can be readily scanned and/or hijacked by unauthorized individuals. Only GSM standard digital cellular phones are considered secure enough for connection to XXX’s network. For additional information on wireless access to the XXX network, consult the Wireless Communications Policy.
  4. Note: Dial-in accounts are considered ‘as needed’ accounts. Account activity is monitored, and if a dial-in account is not used for a period of six months the account will expire and no longer function. If dial-in access is subsequently required, the individual must request a new account as described above.

4. Policy Compliance

4.1 Compliance Measurement

The IT team will verify compliance with this policy through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the policy owner.

4.2 Exceptions

Any exception to the policy must be approved by the IT team in advance.

4.3 Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
