Remote Access Tools Policy

1.0 Purpose

Remote access tools and remote desktop software (e.g., RDP, VNC, LogMeIn, GoToMyPC) offer significant benefits for productivity, collaboration, and IT support by enabling screen sharing and remote system control. However, insecure or unmanaged use of such software creates substantial security risks, potentially providing unauthorized pathways into the organization's network, leading to data theft, unauthorized access, or system compromise. The purpose of this policy is to define the mandatory requirements for the selection, configuration, and use of remote access tools to ensure that all such access to organizational assets is secure, monitored, and controlled.

2.0 Scope

This policy applies to all employees, contractors, consultants, temporary staff, vendors, agents, and other personnel utilizing any remote access tool or technology where at least one endpoint of the communication session terminates on an organizational computer asset (e.g., server, desktop, laptop managed by the organization or connected to its network).

3.0 Policy Statements

3.1 Use of Approved Tools Only

*   Only remote access tools explicitly approved and provided or sanctioned by the organization's designated IT authority (e.g., Precision Computer Team) are permitted for accessing organizational resources remotely or for allowing remote access *to* organizational assets.
*   An official list of approved remote access tools and corresponding mandatory configuration procedures will be maintained by the designated IT authority and made available through internal resources. Using unapproved tools for organizational business is strictly prohibited.

3.2 Security Requirements for Approved Tools

The selection and approval of remote access tools will be based on adherence to the following minimum security requirements:

*   **Multi-Factor Authentication (MFA):** All remote access originating from external networks (Internet, partner systems) into the organization's network *must* require MFA (e.g., using tokens, smart cards, authenticator apps) in addition to standard credentials.
*   **Strong Authentication Source & Protocol:** Authentication must ideally leverage the organization's central identity stores (e.g., Active Directory, LDAP). Authentication protocols must be secure, resistant to replay attacks (e.g., using challenge-response mechanisms), and should mutually authenticate both endpoints of the session where technically feasible.
*   **Proxy Compatibility:** Tools should support routing through organization-approved security infrastructure, such as application layer proxies or VPN gateways, rather than requiring direct inbound connections through the perimeter firewalls, unless explicitly approved as part of a secure architecture.
*   **Strong Encryption:** All remote access communication channels must utilize strong, end-to-end encryption that meets or exceeds the standards defined in the organization's Acceptable Encryption Policy and relevant network security protocols.
*   **Compatibility with Security Tools:** Remote access tools must not interfere with, disable, or circumvent mandatory organizational security controls deployed on endpoints or networks (e.g., antivirus/anti-malware, Data Loss Prevention (DLP), endpoint detection and response (EDR)).

3.3 Procurement and Configuration

*   Any procurement of remote access tools must follow standard organizational procurement processes and requires explicit approval from the designated IT authority (e.g., Information Technology group).
*   All approved remote access tools must be configured strictly according to the mandatory procedures provided by the designated IT authority to ensure secure operation.

4.0 Compliance

4.1 Compliance Measurement

The designated IT authority (e.g., Precision Computer team, Information Security) will verify compliance with this policy through various methods, including but not limited to periodic walk-throughs, network monitoring, review of approved software lists, configuration audits of endpoints and servers, security assessments of remote access infrastructure, internal/external audits, and analysis of access logs.

4.2 Exceptions

Any exception to this policy (e.g., use of a non-standard tool for a specific, justified business need with a partner) requires formal, documented justification, thorough risk assessment including compensating controls, and advance approval from the designated IT authority (e.g., Precision Computer Team or Information Security).

4.3 Enforcement

*   Unauthorized remote access tools found on organizational assets will be removed.
*   Network access for systems using unapproved or insecurely configured remote access tools may be blocked.
*   Violations of this policy by personnel may result in disciplinary action, up to and including termination of employment or contract.

5.0 Definitions

*   **Remote Access Tool:** Software or hardware that allows a user to connect to and control a computer or network resource from a remote location (e.g., RDP, VNC, VPN clients with remote control features, commercial tools like LogMeIn/GoToMyPC).
*   **Multi-Factor Authentication (MFA):** An authentication method requiring more than one verification factor (e.g., password + token code).
*   **Application Layer Proxy:** A server that acts as an intermediary for requests from clients seeking resources from other servers, specifically filtering traffic at the application layer.
*   **Mutual Authentication:** A process where both parties in a communication session authenticate each other's identity.

*   Remote Access Policy (Overall VPN/Network Access)
*   Acceptable Use Policy (AUP)
*   Password Policy
*   Acceptable Encryption Policy
*   Information Security Policy (Overall)
*   Procurement Policy
*   Third-Party Connection Policy