Remote Access Policy needs love too...
By: Scott McNeil
In these uncertain times, companies are scrambling to get as many employees set up to work from home as possible. In this mad teleworking rush to get remote access solutions in place, upgrade support networks and make things as secure as possible, has anyone stopped long enough to look at their remote access policies? Does your company even have one? If not, should the time be spent to develop one?
To work backwards a little bit, the answer to that last question is yes, absolutely. If your company does have a remote access/telework policy, when was the last time it was reviewed and updated? What needs to be covered in these policies?
According to the NIST SP 800-46, telework security policies need to address three main points:
· Define what remote access/telework means to the organization
· Define the means of remote access (how it works, what solution is used)
· End device requirements (company-owned and/or BYOD)
Let’s break these points down a little more for some clarity.
Telecommuting is the ability for an organization’s employees, contractors, business partners, vendors, and other users to perform work from locations other than the organization’s facilities. Defining telework/telecommuting is an important step as it set expectations of those employees who will be engaged in working remotely.
Is it available for emergency situations only or are employees expected to report onsite as per normal? Is it an option to work from home whenever it is needed, like to stay home with a sick child for example? It is a standard work flex option available to most employees as long as certain productivity criteria are met.
Finally, what level of access are the teleworkers allowed? Can they get to everything they would normally use during a regular workday? Or does their access get restricted down to just the bare necessities of what is needed to accomplish daily tasks? Is access to sensitive matter even allowed through remote access due to additional security risks? These points need to be addressed.
While the implementation may not be easy for the IT staff, for the person who writes the policy, defining the means of remote access is the easy part. Essentially, the policy needs to describe what method the organization is using for remote access.
For example, is the company using a specialized appliance like BeyondTrusts Bomgar Secure Remote Access? Could they be using standard firewall-based VPN technologies from Cisco, Fortinet or Palo Alto? If it is a smaller organization with a limited budget, is there a homegrown IPSEC connection combined with a secure Windows jump box? You get the idea.
Then there is authentication. Is the organization using single or multi-factor authentication? Will it be Active Directory, or is there some other user structure in place? Many times, the IT staff can help flush out the details for this part.
Lastly, what kinds of devices will be allowed to remotely connect to the network. Will the organization only allow company-owned assets that they control, maintain and secure to connect to the network? Does the company have a Bring Your Own Device (BYOD) policy that can allow for an employee or contractor-owned devices to connect? If yes for BYOD, what security measures are in place to protect the network from unknown contaminants the end device may have?
While this policy needs to cover a fair amount of material, it doesn’t need to be over complicated. Keep it as simple as you can, and this policy will serve the organization well.