Remote Access Policy

Transcription

1 Document Title: Version: ISP6.0 Approval Dates: This policy was originally approved on: [02 Apr 2009] This version was approved on: [27 January 2016] This version takes effect from: [27 January 2016] This policy will be reviewed by: [15 Mar 2017] Approved By: Prepared By: Nicola Wittman Alan Mose Contact: IT Support Desk (ext.412) Service Delivery Manager (ext 520)

2 Contents Document Control 3 Document Amendment History 3 1 Purpose 4 2 Scope 4 3 Governance factors 4 4 Remote Access Methods 4 5 Use of Remote Access methods 5 6 Usage Restrictions 5 7 Methods of compliance with the controls 6 8 PSN Code of Connection 6 Page 2 of 6

3 Document Control Organisation Title Creator Review date Uttlesford District Council Nicola Wittman Document Amendment History Revision Originator of Date of Change Description No. change change 1 Nicola Wittman 15/4/09 Updates 2 Nicola Wittman 22/3/10 Updates 3 Nicola Wittman 6/9/11 Updates 4 Nicola Wittman 5/11/12 Updates 5 Nicola Wittman 30/11/13 Updates 6 Nicola Wittman 10/3/15 Updates 7 Nicola Wittman 13/1/2016 Updates Page 3 of 6

4 1 Purpose Remote access is connecting to the corporate computer system by Council owned equipment. The provision of Remote Access must be controlled in order to protect Council systems. The controls determine who can access Council systems, how they can access and what can be accessed. 2 Scope Council systems can be accessed remotely by various people: Councillors and Staff whilst out of the office. Staff to provide support for systems Suppliers to provide Remote Administration on systems Third Parties requiring access to Council systems 3 Governance factors Controls on remote connections to the corporate network arise from the rules predefined in the Codes of Connections required to allow Councils to use secure networks. Examples of secure networks include, but are not limited to: Public Sector Network (PSN) Payment Card Industry Data Security Standard (PCI DSS) Remote connections must not be allowed to compromise compliance with a secure network Code of Connection. It is therefore a council requirement that remote access to secure networks such as Government Connect and PCI meet the following: Only officially owned council equipment is used. Only Uttlesford ICT approved software will be installed. Whilst connected access to the internet is restricted to Citrix only and not through the remote users broadband. Commercial anti-virus software will be installed on the council equipment with the virus database updated at least daily. The operating systems (Windows) will be kept patched in accordance with the council s patch management policy. Removable media, such as CD/DVD drives and USB ports will be disabled. 4 Remote Access Methods The following methods provide remote access Virtual private Network (VPN) o This uses an approved client installed on a computer which provides direct encrypted connectivity into the corporate network. Page 4 of 6

5 Aventail o Aventail provides secure remote access and uses Citrix Zenapps to present the applications. Third party remote support tools from the internet (logmein123). 5 Use of Remote Access methods The methods of remote access are only to be used in the following circumstances. VPN o The connections between Great Dunmow, Newport and Saffron Walden offices. Aventail o Staff to provide support for systems. o Access to and files whilst out of the office. o Suppliers to provide remote administration on systems. o Approved third parties requiring access to Council systems. Remote Access web tools o Essential support for systems that cannot be provided by other means. 6 Usage Restrictions VPN o On Council computers, VPN must only be enabled using approved software installed by ICT. o On Suppliers computers, used to provide remote administration on systems, VPN must only be enabled using approved software and must only give access to the system being supported. Remote Access web support o Access to Remote Web support websites must be individually approved. o Remote access sessions initiated by the supplier must have the support session start logged. o Access must only be allowed when all applications apart from the supported application have been closed. o All files transferred to the corporate network in order to facilitate the connection must be removed when the session is finished. o The supplier must inform ICT when the session has finished. Aventail o Each approved user will be given a SMS passcode via a text to their mobile phone. Page 5 of 6

6 o Passcodes are not to be shared. o Once the requirement for Aventail access has finished, the ICT section must be notified. 7 Methods of compliance with the controls Councillors or Staff must initiate a security incident report if there is any actual or attempted remote access to the Council corporate system that has not been approved, or may compromise a code of connection to a secure network. 8 PSN Code of Connection This policy has been prepared in accordance with the new PSN Code of Connection. Page 6 of 6