1.0 Overview
It is often necessary to provide access to corporate information resources to employees or others working outside the company's network. While this can lead to productivity improvements it can also create certain vulnerabilities if not implemented properly. The goal of this policy is to provide the framework for secure remote access implementation.
2.0 Purpose
This policy is provided to define standards for accessing corporate information technology resources from outside the network. This includes access for any reason from the employee's home, remote working locations, while traveling, etc. The purpose is to define how to protect information assets when using an insecure transmission medium.
3.0 Scope
The scope of this policy covers all employees, contractors, and external parties that access company resources over a
4.0Policy
4.1Prohibited Actions
Remote access to corporate systems is only to be offered through a
∙Installing a modem, router, or other remote access device on a company system without the approval of the IT Manager.
∙Use of
4.2Use of
Accessing the corporate network through home or public machines can present a security risk, as the company cannot completely control the security of the system accessing the network. Use of
permitted as long as this policy is adhered to, and as long as the machine meets the following criteria:
∙It has
∙Its software patch levels are current
∙It is protected by a firewall
When accessing the network remotely, users must not store confidential information on home or public machines.
4.3 Client Software
The company may or may not supply users with remote access client software, depending on the business need for accessing corporate systems remotely. Unless provided by default, users requiring remote access should document their needs in a request to the IT Manager, who will determine if the request is feasible from a business and technology perspective, and will be responsible for deploying any necessary remote access in such a manner that is consistent with the company's security strategy. At a minimum, the software will include data encryption with
4.4 Network Access
There are no restrictions on what information or network segments users can access when working remotely, however the level of access should not exceed the access a user receives when working in the office.
4.5 Idle Connections
Due to the security risks associated with remote network access, it is a good practice to dictate that idle connections be timed out periodically. The company may evaluate this in the future, but as of the date of this policy does not wish to impose a policy on timeouts.
4.6 Applicability of Other Policies
This document is part of the company's cohesive set of security policies. Other policies may apply to the topics covered in this document and as such the applicable policies should be reviewed as needed.
5.0 Enforcement
This policy will be enforced by the IT Manager and/or Executive Team. Violations may result in disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment. Where illegal activities or theft of company property (physical or intellectual) are suspected, the company may report such activities to the applicable authorities.
6.0 Definitions
Modem A hardware device that allows a computer to send and receive digital information over a telephone line.
Remote Access The act of communicating with a computer or network from an
Timeout A technique that drops or closes a connection after a certain period of inactivity.
7.0 Revision History
Revision 1.0, 10/13/2012
Revision 2.0, 09/01/2014
Revision 3.0, 02/26/2015