Sample Remote Access Standard
Revision as of 16:01, 3 November 2008
Remote Access Control Standard
The <Your Company Name> (the "Company") Sample Asset Protection Policy defines objectives for establishing specific standards for protecting the confidentiality, integrity, and availability of <Your Company Name> information assets.
This Sample Remote Access Standard builds on the objectives established in the Sample Asset Protection Policy, and provides specific instructions and requirements for the proper identification, authentication, and authorization controls necessary to remotely access Company information assets.
I. Scope
All employees, contractors, part-time and temporary workers, and those employed by others to perform work on Company premises or who have been granted remote access to Company information or systems, are covered by this standard and must comply with associated guidelines and procedures.
Authentication refers to the controls that provide Remote Users the means to verify or validate a claimed identity through the presentation of something they know (e.g., a password), something they have (e.g., a token), or something they are (e.g., a fingerprint or other biometric).
Authorization refers to the controls that determine which resources Remote Users are permitted to access, based on the permissions and privileges for which they have been authorized.
Encryption refers to a method of transforming information, using a cryptographic algorithm and key, so that it is unreadable to anyone except the intended recipient, who must decrypt it with the corresponding key in order to read it.
Identification refers to the controls for providing Remote Users the means to convey their identities through the use of pre-determined identifiers.
Information assets are defined in the Sample Asset Identification and Classification Policy.
Remote Access refers to the ability to access Company information and systems from a remote location such as branch offices, telecommuting, and mobile users. Types of remote access technologies and implementations include, but are not limited to, dial-in modems, cable modems, and virtual private networks (VPN), etc.
Remote Access Credentials refers to identification and authentication credentials/data such as User IDs, passwords, tokens, etc.
Remote Access Systems refers to the systems, networks, and applications that facilitate remote access to Company information and systems.
Sensitive information refers to information that is classified as Restricted or Confidential. Refer to the Sample Information Classification Standard for confidentiality classification categories.
Two-Factor Authentication refers to a method of authentication that requires two factors before a Remote User gains access to a network or system: 1) a hardware or software token (something the user has) that generates a one-time code which changes at short time intervals, and 2) a password or PIN (something the user knows) that is unique to the user and valid only in combination with that token.
II. Requirements
- A. General
  - 1. Remote access to Company information and systems shall be granted only to Users who require such remote access to meet an approved business need or perform prescribed job responsibilities.
  - 2. Users must follow the Company-approved remote access request process by submitting the required forms, which describe the information and/or systems to be accessed, the methods of access, and the timeframe, and by obtaining approval from their direct manager or supervisor and from the Asset Owner.
  - 3. A Company sponsor is required to request remote access for non-Company personnel.
  - 4. Remote Users must receive Company-approved technical and security training prior to being granted privileges to remotely access Company information or systems.
  - 5. Remote Access Credentials should not be shared with or used by anyone other than the Remote User to whom they are assigned. Remote Users shall be accountable for all activity associated with their assigned Remote Access Credentials.
  - 6. Non-Company equipment or personal equipment used to remotely access Company information or systems must be configured to meet the protection objectives and requirements established in the Sample Asset Protection Policy and its associated standards.
  - 7. Non-standard remote access configurations or solutions must be approved by <INSERT DEPARTMENT> prior to remotely accessing Company information or systems.
  - 8. Remote Access Users must not connect to non-Company networks while simultaneously connected to the Company network (i.e., split tunneling is not permitted).
- B. Identification
  - 1. Each Remote User must have unique Remote Access Credentials.
  - 2. User communities and working groups must not share Remote Access Credentials for remote system access, so that Remote User access and activities can be accurately accounted for.
  - 3. Remote Access Credentials should be added, modified, and deleted in accordance with Company-approved account management processes.
  - 4. Remote Access Credentials must be disabled within twenty-four (24) hours of notification of a status change (for example, termination or change in job).
  - 5. Remote Access Credentials that are unused, dormant, or inactive for forty-five (45) days must be disabled.
  - 6. Remote Access Credentials that have been disabled for ninety (90) days must be deleted.
  - 7. Temporary Remote Access Credentials (for testing, contractors, and temporary employees) should have an expiration date that coincides with the anticipated end of employment, testing, or contract.
- C. Authentication
  - 1. Two-Factor Authentication is required to establish remote connections to Company Remote Access Systems and to remotely access Company information and systems.
  - 2. Remote access passwords should conform to the requirements established in the Company Sample Access Control Standard.
  - 3. Remote Access Systems, in accordance with the Sample Auditing Standard, must log the date and time of all failed and successful user attempts to remotely access the system.
  - 4. Remote Access Systems, in accordance with the Sample Auditing Standard, must limit the number of failed remote access attempts to three (3) before disabling the Remote Access Credentials.
  - 5. Remote Access Credentials, such as user IDs and passwords, must not be written down or stored in readable form in automatic login scripts, software macros, terminal function keys, on computers without access control, in shortcuts, or in other locations where unauthorized persons might discover them.
  - 6. Remote Access Credentials must be changed immediately if they are known or suspected to have been disclosed.
  - 7. Remote Access Credentials must be protected with strong encryption controls to prevent unauthorized individuals from obtaining them.
  - 8. Remote Access Credentials transmitted over a public or shared network must be encrypted in accordance with the Sample Encryption Standard and the Sample Information Handling Standard.
  - 9. Remote Access Systems connections that transmit sensitive information must encrypt such information in accordance with the Sample Encryption Standard and the Sample Information Handling Standard.
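Sections B and C above set concrete timers and thresholds (disable after 45 days of inactivity, delete after 90 days disabled, expire temporary credentials, log every attempt with a timestamp, disable a credential after three failed attempts) that a Custodian can actually test rather than take on trust. The following Python script is an added example, not part of the standard or of any Company tooling: it audits a constructed credential inventory and a constructed remote-access gateway log against those requirements. The inventory fields, the log line format, the gateway name and all user IDs are assumptions made for the example.

```python
"""Audit remote-access credentials and an authentication log against the
Identification (B.4-B.7) and Authentication (C.3-C.4) requirements.

Added example, not part of the standard. The inventory schema and the
log format below are assumptions; adapt the Account fields and LOG_LINE
regex to the real directory export and gateway log.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

INACTIVITY_DISABLE_DAYS = 45   # B.5: dormant credentials must be disabled
DISABLED_DELETE_DAYS = 90      # B.6: disabled credentials must be deleted
MAX_FAILED_ATTEMPTS = 3        # C.4: failures permitted before disabling


@dataclass
class Account:
    """One row of an assumed remote-access credential inventory."""
    user_id: str
    created_on: date
    last_login: Optional[date] = None   # None: never used
    disabled_on: Optional[date] = None  # None: still enabled
    expires_on: Optional[date] = None   # set for temporary credentials (B.7)


def account_findings(acct: Account, today: date) -> list[str]:
    """Return the B.5/B.6/B.7 actions due for one account (empty if compliant)."""
    findings: list[str] = []
    if acct.disabled_on is None:
        # A credential that was never used is dormant from its creation date.
        last_use = acct.last_login or acct.created_on
        idle_days = (today - last_use).days
        if idle_days >= INACTIVITY_DISABLE_DAYS:
            findings.append(f"B.5 disable {acct.user_id}: inactive {idle_days} days")
        if acct.expires_on is not None and acct.expires_on < today:
            findings.append(f"B.7 disable {acct.user_id}: temporary credential expired {acct.expires_on}")
    else:
        disabled_days = (today - acct.disabled_on).days
        if disabled_days >= DISABLED_DELETE_DAYS:
            findings.append(f"B.6 delete {acct.user_id}: disabled {disabled_days} days")
    return findings


# Assumed gateway log format: ISO-8601 UTC timestamp, user, result, then free text.
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)\b"
)


def lockout_findings(log_lines: list[str]) -> list[str]:
    """Check C.3 (every attempt timestamped) and C.4 (lockout after 3 failures).

    A SUCCESS for a user who has already reached MAX_FAILED_ATTEMPTS consecutive
    failures means the gateway did not disable the credential as C.4 requires.
    """
    consecutive_failures: dict[str, int] = {}
    findings: list[str] = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m is None:
            findings.append(f"C.3 entry without timestamp/user/result: {line!r}")
            continue
        user, result, ts = m["user"], m["result"], m["ts"]
        if result == "FAIL":
            consecutive_failures[user] = consecutive_failures.get(user, 0) + 1
            if consecutive_failures[user] == MAX_FAILED_ATTEMPTS:
                findings.append(f"C.4 {user}: {MAX_FAILED_ATTEMPTS} consecutive failures at {ts}; credential must be disabled")
        else:
            if consecutive_failures.get(user, 0) >= MAX_FAILED_ATTEMPTS:
                findings.append(f"C.4 VIOLATION {user}: successful login at {ts} after lockout threshold")
            consecutive_failures[user] = 0
    return findings


def audit(accounts: list[Account], log_lines: list[str], today: date) -> list[str]:
    """Combine inventory and log findings into one report."""
    report: list[str] = []
    for acct in accounts:
        report.extend(account_findings(acct, today))
    report.extend(lockout_findings(log_lines))
    return report


# Constructed sample data; dates are chosen relative to this revision's date.
TODAY = date(2008, 11, 3)
SAMPLE_ACCOUNTS = [
    Account("jdoe", created_on=date(2008, 1, 15), last_login=date(2008, 10, 30)),
    Account("asmith", created_on=date(2008, 3, 1), last_login=date(2008, 8, 1)),       # 94 days idle
    Account("vendor01", created_on=date(2008, 9, 1), last_login=date(2008, 10, 10),
            expires_on=date(2008, 10, 15)),                                           # contract ended
    Account("rlee", created_on=date(2007, 6, 1), last_login=date(2008, 5, 1),
            disabled_on=date(2008, 7, 1)),                                            # disabled 125 days
    Account("newhire", created_on=date(2008, 11, 1)),                                 # never used, 2 days old
]
SAMPLE_LOG = [
    "2008-11-03T08:01:12Z user=jdoe result=SUCCESS src=203.0.113.7 gw=RA-GW01",
    "2008-11-03T08:05:40Z user=asmith result=FAIL src=198.51.100.23 gw=RA-GW01",
    "2008-11-03T08:05:52Z user=asmith result=FAIL src=198.51.100.23 gw=RA-GW01",
    "2008-11-03T08:06:03Z user=asmith result=FAIL src=198.51.100.23 gw=RA-GW01",
    "2008-11-03T08:06:15Z user=asmith result=SUCCESS src=198.51.100.23 gw=RA-GW01",
    "2008-11-03T08:07:00Z user=jdoe result=FAIL src=203.0.113.7 gw=RA-GW01",
    "2008-11-03T08:07:30Z user=jdoe result=SUCCESS src=203.0.113.7 gw=RA-GW01",
    "user=rlee result=FAIL gw=RA-GW01",   # malformed: no timestamp (C.3)
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ACCOUNTS, SAMPLE_LOG, TODAY):
        print(finding)
```

The inventory check treats a never-used credential as dormant from its creation date, which is the conservative reading of B.5; the log check resets the failure counter on a success so that a single typo does not accumulate across sessions, and it reports the fourth line for asmith as a violation because the gateway let the login through after the third failure instead of disabling the credential.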
- D. Authorization
  - 1. Remote user access to information will be based on the confidentiality classification of the information asset.
  - 2. Remote Users should be authorized only for the level of remote access to information assets that is required to meet an approved business need or perform prescribed job responsibilities.
  - 3. Remote access to sensitive information must be provided on a need-to-know basis.
  - 4. Login time restrictions, whenever practical, should be set to limit the time of day during which Remote Users can be logged into the system or network.
  - 5. Idle sessions should be disconnected after fifteen (15) minutes.
  - 6. The number of concurrent logins allowed per user ID should be restricted to the minimum number required to perform a given job function.
  - 7. Remote administrative access must be limited to only those Remote Users who explicitly require such privileged access.
  - 8. Remote Users with administrative responsibilities must not use a privileged account unless specifically performing actions that require an elevated privilege level.
III. Responsibilities
The Chief Information Security Officer (CISO) approves the Remote Access Control Standard. The CISO also is responsible for ensuring the development, implementation, and maintenance of the Remote Access Control Standard.
Company management, including senior management and department managers, is accountable for ensuring that the Remote Access Control Standard is properly communicated and understood within their respective organizational units. Company management also is responsible for defining, approving and implementing procedures in its organizational units and ensuring their consistency with the Remote Access Control Standard.
Asset Owners (Owners) are the managers of organizational units that have primary responsibility for information assets associated with their functional authority. When Owners are not clearly implied by organizational design, the CIO will make the designation. The Owner is responsible for defining processes and procedures that are consistent with the Remote Access Control Standard; defining the remote access control requirements for information assets associated with their functional authority; processing requests submitted under the Company-approved remote access request procedure; determining the level of remote access and authorizing remote access based on Company-approved criteria; ensuring the revocation of remote access for those who no longer have a business need to access information assets; and ensuring that remote access controls and privileges are reviewed at least annually.
Asset Custodians (Custodians) are the managers, administrators, and others designated by the Owner to manage, process, or store information assets. Custodians are responsible for providing a secure processing environment that protects the confidentiality, integrity, and availability of information; administering remote access to information assets as authorized by the Owner; and implementing procedural safeguards and cost-effective controls that are consistent with the Sample Access Control Standard and the Remote Access Control Standard.
Remote Users are the individuals, groups, or organizations authorized by the Owner to access information assets. Remote Users are responsible for familiarizing themselves and complying with the Remote Access Control Standard and associated guidelines; following Company-approved processes and procedures to request and obtain remote access to information assets; ensuring that Remote Access Credentials such as passwords and tokens are not written down or stored in a place where unauthorized persons might discover them; reporting immediately to <INSERT CONTACT> when Remote Access Credentials have been or may have been compromised; ensuring that connections to non-Company networks are not established while remotely connected to the Company network; and maintaining the confidentiality, integrity, and availability of information accessed, consistent with the Owner's approved safeguards, while it is under the User's control.
IV. Enforcement and Exception Handling
Failure to comply with the Remote Access Control Standard and associated guidelines and procedures can result in disciplinary actions up to and including termination of employment for employees or termination of contracts for contractors, partners, consultants, and other entities. Legal actions also may be taken for violations of applicable regulations and laws.
Requests for exceptions to the Remote Access Control Standard should be submitted to <Insert Title> in accordance with the Sample Information Security Standards Exception Procedure. Prior to official management approval of any exception request, the individuals, groups, or organizations identified in the scope of this standard will continue to observe the Remote Access Control Standard.
V. Review and Revision
The Remote Access Control Standard will be reviewed and revised in accordance with the Sample Information Security Program Charter.
Approved: _______________________________________________________
- Signature
- <Insert Name>
- Chief Information Security Officer