Remote Access Policy

Version: 1.00Issue Date: 9/8/2014

1.0 Purpose

This remote access policy is designed to allow authorized users to connect securely to organizational resources from locations that are not physically connected to the organizational network. The policy will define methods that may be used to remotely connect to the organizational network.

2.0 Scope

This remote access policy applies to any person who remotely connects to organizational resources whether they are permanent, temporary, or part time staff members and includes all external persons who access organizational resources including consultants, contractors, vendors, and any volunteers. The remote access policy applies to all systems and equipment on the organizational network which may allow remote connections or support remote connections in any manner. This policy is effective as of the issue date and does not expire unless superceded by another policy.

3.0 Terms

  • Remote access - Access to a network or system from a long distance connection, normally from another city or area. The access method may be through a dial up line or through a connection that connects to the internet.
  • VPN - Virtual Private Networking is a method used to connect to organizational networks from remote locations primarily over a high speed connection such as DSL or cable modem. The VPN connection is encrypted.
  • Dial-in - The person requesting remote access dials in to a bank of modems and connects to the organizational network using a telephone line through a computer controlled bank of modems.
  • Dial back - When a person dials in to the bank of modems, the system dials the person back to establish the connection. This helps prevent fraud since only approved numbers may be dialed back.

4.0 Remote Access Requirements

Remote access to the organizational network will be granted only under the following conditions:

  • Remote acess shall be granted only for authorized work and shall not be used for any personal use. Use of remote access will fall under the conditions of the IT Acceptable Use Policy. The immediate supervisor or a supervisor in the chain of command of the person who will use remote access must approve the request.
  • Services between the internet and the organizational network shall be controlled using firewalls to prevent unauthorized intrusion and help detect unauthorized access attempts.
  • A secure remote access method shall be used to remotely connect to any organizational resources or any part of the organizational network. Secure remote access methods include approved Virtual Private Network (VPN), Dial-in, and Dial back with strong approved authentication methods.
  • All computers used for remote access must be secured with system updates at least once per month or the system must be managed by the organization and the computer being used must operate updated anti-virus software, and a personal firewall.
  • Any use of remote access from privately owned computers shall require the user to ensure that their systems are secure as per organizational standards and the computer being used be updated for security patches at least once per month, and operate updated anti-virus software, and a personal firewall.
  • Any access to organizational resources that contain sensitive, confidential, or restricted information shall require a minimum of two factor authentication to secure the resource.
  • Approved strong user identification methods including public key cryptography, dynamic passwords, biometrics, multi-factor authentication, and challenge response are used to protect the organizational resources from unauthorized access.
  • Remote access is terminated when an authorized user transfers to another department or ends their employment with the organization.

5.0 Enforcement

Since organizational network access is critical to the security of the organization, employees that do not adhere to this policy may be subject to disciplinary action up to and including denial of access, legal penalties, and/or dismissal. Any employee aware of any violation of this policy is required to report it to their supervisor or other authorized representative.

6.0 Requirements

  • Define secure remote access methods.
  • Define security standards for computers connecting remotely.

Approval

Approved by:__________________________ Signature:_____________________ Date:_______________