Remote Access Policy
It is often necessary to provide access to corporate information resources to employees or others working outside the company's network. While this can lead to productivity improvements it can also create certain vulnerabilities if not implemented properly. The goal of this policy is to provide the framework for secure remote access implementation.
This policy is provided to define standards for accessing corporate information technology resources from outside the network. This includes access for any reason from the employee's home, remote working locations, while traveling, etc. The purpose is to define how to protect information assets when using an insecure transmission medium.
The scope of this policy covers all employees, contractors, and external parties that access company resources over a third-party network, whether such access is performed with company-provided or non-company-provided equipment.
Remote access to corporate systems is only to be offered through a company-provided means of remote access in a secure fashion. The following are specifically prohibited:
Installing a modem, router, or other remote access device on a company system without the approval of the company or IT personnel.
Remotely accessing corporate systems with a remote desktop tool, such as VNC, Citrix, or GoToMyPC without the written approval from the company.
Use of non-company-provided remote access software.
Split Tunneling to connect to an insecure network in addition to the corporate network, or in order to bypass security restrictions.
Use of non-company-provided Machines
Accessing the corporate network through home or public machines can present a security risk, as the company cannot completely control the security of the system accessing the network. Use of non-company-provided machines to access the corporate network is permitted as long as this policy is adhered to, and as long as the machine meets the following criteria:
The accessing computer is company-owned, or has been reviewed and determined to be suitable for the purpose by IT personnel
It has up-to-date antivirus software installed
Its software patch levels are current
It is protected by a business-class firewall
When accessing the network remotely, users must not store confidential information on home or public machines.
The company will supply users with remote access software that allows for secure access and enforces the remote access policy. The software will provide traffic encryption in order to protect the data during transmission as well as a firewall that protects the machine from unauthorized access.
Publicly-facing computer systems are a common target for malicious actors looking to break in and cause damage or compromise information. All publicly-facing computer and network systems that provide remote access to company resources must have all logins secured with multi-factor authentication.
All company users who remotely access computer systems must agree to use a MFA token or one-time password mechanism (OTP).
The company will limit remote users' access privileges to only those information assets that are reasonable and necessary to perform his or her job function when working remotely (i.e., email). The entire network must not be exposed to remote access connections.
Due to the security risks associated with remote network access, it is a good practice to dictate that idle connections be timed out periodically. Remote connections to the company's network must be timed out after 1 hour of inactivity.
Applicability of Other Policies
This document is part of the company's cohesive set of security policies. Other policies may apply to the topics covered in this document and as such the applicable policies should be reviewed as needed.
This policy will be enforced by the IT Manager and/or Executive Team. Violations may result in disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment. Where illegal activities or theft of company property (physical or intellectual) are suspected, the company may report such activities to the applicable authorities.
Modem A hardware device that allows a computer to send and receive digital information over a telephone line.
Multifactor Authentication An authentication scheme that requires the use of multiple factors for successful login to a computer system. The following are considered factors: 1) something a user knows (e.g. password); 2) something a user has (e.g. token); 3) something that identifies the user (e.g., biometrics)
Remote Access The act of communicating with a computer or network from an off-site location. Often performed by home-based or traveling users to access documents, email, or other resources at a main site.
Split Tunneling A method of accessing a local network and a public network, such as the Internet, using the same connection.
Timeout A technique that drops or closes a connection after a certain period of inactivity.