Providing remote access is a commonplace business practice, with the percentage of people working remotely at an all-time high. Between 2005 and 2015, the number of people telecommuting increased by 115%, and now nearly a quarter of the U.S. workforce works remotely on a regular basis. The opportunity to work from home has become an integral part of work/life balance at many companies. While this shift is welcomed by many, it requires extra security precautions to manage users’ network access from outside company walls.
Today, every organization should have a robust remote access policy that provides employees with clear direction on how to connect securely when at home or on the road. As remote work opportunities increase and travel remains a big part of corporate life, it’s more important than ever for organizations to ensure their employees have a secure means of accessing critical corporate data from any location.
Below, we’ve outlined some strong practices for implementing remote access policies and processes at your organization and included a remote access policy template that can serve as a solid foundation for your own.
Strong Practices for Implementing a Remote Access Policy
Remote access policies will vary depending on your organization and risk profile. In many cases, the remote access policy can be tied into larger access management policies. Regardless, all remote access policies should adhere to the following:
- Virtual Private Networks (VPNs). It sounds obvious, but it must be said: all access to company data when outside of company-affiliated locations needs to be facilitated through a secure VPN connection. The home networks of most remote employees lack the security provided by a large corporate network, making them sitting ducks for hackers. A VPN puts a strong hedge of protection around their connection, keeping the interactions they have with your internal network – from emails to confidential data access – secure. And to make it even stronger, we recommend multi-factor authentication as a requirement for VPN access.
- Restricted use. Remote access privileges shouldn’t be given out in the office like candy, but rather on an as-needed basis. Only users who require remote access when traveling or working away from the office should be granted remote access. Remote access should be revoked when no longer needed.
- Vendor access. Complete control of who has access to company data is critical, and third parties should be provided the privilege of remote access on a strict as-needed basis. Third-party access should be logged, strictly monitored, and promptly revoked when it is no longer required. Where possible, those restrictions on vendor remote access should be enforced by the system itself rather than by manual process.
- Monitoring. Remote access and VPN usage should be logged and monitored in a central database and reviewed regularly to detect anomalies and make changes to remote access privileges.
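The restricted-use, vendor-access and monitoring practices above all come down to reviewing the remote-access log against the list of who is supposed to hold access. The following is an added example, not code from the original post or from Focal Point: a small Python reviewer that runs four checks over VPN gateway events. The log format, the field names, the entitlement table and every account and address in it are constructed for illustration, and the 30-day idle threshold and 10-minute anomaly window are assumptions you would tune to your own policy.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN gateway log (not real data). One event per line:
# <UTC timestamp> user=<account> src=<source IP> mfa=<pass|fail|none> result=<connect|deny>
VPN_LOG = """\
2024-03-01T08:02:11Z user=alice src=203.0.113.10 mfa=pass result=connect
2024-03-01T08:05:40Z user=bob src=198.51.100.7 mfa=pass result=connect
2024-03-02T22:14:03Z user=vendor-acme src=192.0.2.55 mfa=pass result=connect
2024-03-03T09:00:00Z user=alice src=203.0.113.10 mfa=pass result=connect
2024-03-03T09:03:21Z user=alice src=198.51.100.200 mfa=pass result=connect
2024-03-04T11:30:00Z user=carol src=203.0.113.77 mfa=none result=connect
2024-03-05T07:45:12Z user=bob src=198.51.100.7 mfa=fail result=deny
"""

# Constructed entitlement table: every account holding remote access, and for
# vendor accounts the approved (start, end) window during which the account
# may be enabled at all.
GRANTS = {
    "alice": {"vendor": False},
    "bob": {"vendor": False},
    "carol": {"vendor": False},
    "dave": {"vendor": False},  # holds a grant but has never connected
    "vendor-acme": {"vendor": True,
                    "window": (datetime(2024, 3, 1), datetime(2024, 3, 2, 18, 0))},
}

def parse_log(text):
    """Turn the key=value log format into a list of event dicts, ordered by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        event = {"ts": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")}
        for field in fields:
            key, _, value = field.partition("=")
            event[key] = value
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])

def stale_grants(events, grants, as_of, max_idle_days=30):
    """Accounts holding a remote-access grant with no successful connection in the
    last max_idle_days: revocation candidates under the restricted-use practice."""
    last_seen = {}
    for e in events:
        if e["result"] == "connect":
            last_seen[e["user"]] = max(last_seen.get(e["user"], e["ts"]), e["ts"])
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted(u for u in grants if last_seen.get(u, datetime.min) < cutoff)

def vendor_outside_window(events, grants):
    """Vendor connections outside the approved window: the account should have been disabled."""
    hits = []
    for e in events:
        g = grants.get(e["user"])
        if g and g["vendor"] and e["result"] == "connect":
            start, end = g["window"]
            if not (start <= e["ts"] <= end):
                hits.append((e["user"], e["ts"].isoformat()))
    return hits

def connects_without_mfa(events):
    """Successful connections that did not pass multi-factor authentication."""
    return [(e["user"], e["ts"].isoformat())
            for e in events if e["result"] == "connect" and e["mfa"] != "pass"]

def rapid_source_change(events, within=timedelta(minutes=10)):
    """Same account connecting from two different source addresses within a short
    interval: a simple anomaly that merits a human look (shared or compromised credential)."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "connect":
            by_user[e["user"]].append(e)
    hits = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            if prev["src"] != cur["src"] and cur["ts"] - prev["ts"] <= within:
                hits.append((user, prev["src"], cur["src"]))
    return hits

def review(log_text=VPN_LOG, grants=GRANTS, as_of=datetime(2024, 3, 6)):
    """Run every check over the log and return all findings in one dict."""
    events = parse_log(log_text)
    return {
        "stale_grants": stale_grants(events, grants, as_of),
        "vendor_outside_window": vendor_outside_window(events, grants),
        "connects_without_mfa": connects_without_mfa(events),
        "rapid_source_change": rapid_source_change(events),
    }

if __name__ == "__main__":
    for check, findings in review().items():
        print(f"{check}: {findings or 'none'}")
```

On the constructed data the reviewer flags dave (a grant that is never used), the vendor-acme login after its approved window closed, carol's connection without MFA, and alice's two connections from different addresses three minutes apart. The point of the design is that the entitlement table is an input alongside the log: a log alone cannot tell you that an unused grant exists, which is exactly the gap the restricted-use practice is about.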
Template: Remote Access Policy
Overview
The intent of this policy is to establish guidelines specifically pertaining to remote access to [COMPANY NAME]’s internal network. Preventing unauthorized access to company data from insecure networks is of utmost importance to [COMPANY NAME]. This policy is designed to ensure remote and/or traveling employees have the ability to securely connect to the corporate network without fear of threat and to provide the Company with an additional means of monitoring and controlling access to the internal network.
Scope
This policy shall apply to all employees, contractors, and affiliates of [COMPANY NAME], and shall govern remote network access for all authorized users. Remote access is defined as any connection to [COMPANY NAME]’s internal network from a location outside of any affiliated company offices.
Policy
General
- Authorized users must protect their login credentials and must not share them with anyone for any reason.
- All inbound connections to [COMPANY NAME] internal networks must pass through an access control point before the user can reach a login banner.
- Remote users must be required to authenticate before being granted access to company information.
- Remote access must be logged in a central database and kept for a period of at least 30 days. Access logs must be reviewed regularly.
Hosts
- All hosts connected to [COMPANY NAME] internal networks must be equipped with the most up-to-date anti-malware software. Third-party hosts must comply with this requirement before connecting to the network.
- All hosts connected to [COMPANY NAME] internal networks via remote access must be company-issued or approved third-party devices.
VPN
- Restricted company information must only be accessible via the [COMPANY NAME] internal network or VPN. Access to the VPN must require multi-factor authentication.
- Authorized users shall not connect to the [COMPANY NAME] VPN while the host is connected to a network that is not the user’s personal home network or a trusted third-party network. Users shall not connect to the [COMPANY NAME] VPN while also using another VPN.
- Users must exercise caution when connecting to networks in public venues like airports, coffee shops, etc., and must not connect to the Company’s internal network (even via VPN) if on an unsecured, public network.
Third Parties
- Access accounts used by remote vendors must only be enabled during the required time period and must be disabled immediately thereafter. Vendor accounts must be closely monitored and approved by [RELEVANT CONTACT].
- Authorized third-party users must be required to authenticate before being allowed to access restricted information.
Enforcement
It is the responsibility of the end user to ensure compliance with the policies above.
Any exceptions to the policy must be approved by the [RELEVANT CONTACT]. Questions regarding remote access should be directed to [RELEVANT CONTACT].
If you believe your connection may have been compromised, please immediately report the incident to [RELEVANT CONTACT].
Want more awesome templates like this?
Subscribe to Focal Point's Risk Rundown below - a once-a-month newsletter with templates, webinars, interesting white papers, and news you may have missed. Thousands of your colleagues and competitors have signed up! You can unsubscribe at any time.