UNCLASSIFIED. ICT Document No. WhoG-122. Version 1.3. Approved by Executive Director, Shared Services ICT. September 2014 UNCLASSIFIED

Transcription

1 Remote Access to the ACT Government Information and Communications Technology (ICT) Environment Policy Version 1.3 September 2014 Approved by Executive Director, Shared Services ICT September 2014 Shared Services ICT Quality Management System Security Management

2 Contents Purpose... 3 Scope... 3 Introduction... 3 Policy Access Individual ACT Government employees Remote sites Trusted third parties/vendors Approval process Dispute resolution Security Monitoring and logging Use of non-shared Services ICT equipment Support arrangements Technical support Documentation Evaluation measures... 5 Associated Documents... 6 Roles and Responsibilities... 6 Compliance... 7 Contact Officer... 7 Appendix A... 8 Glossary... 8 Metadata... 8 Amendment history... 8 Date issued: September 2014 Version: 1.3 Page 2 of 9

3 Purpose The intention of this policy is to ensure that the provision and use of remote access to the ACT Government ICT Environment is appropriately managed. Scope This policy: supplements the provisions of the ICT Security Policy references the Acceptable Use of ICT Resources Policy applies to all ACT Government Directorates, including contracted service providers applies to all ICT resources (see definitions below) and electronic information held on those assets. This policy does not address any human resource or personnel management issues associated with remote access. Information on these issues can be found in the Public Sector Management Best Practice Note 6.3 Management: Home Based Work and from the Directorate Personnel section. Introduction This policy is consistent with and must be implemented in accordance with the: ACT Government Purchasing Policy and Principles Guidelines Public Sector Management Best Practice Note 6.3 Management: Home Based Work ACT Government policies, guidelines and standards, in particular the: o ICT Security Policy and o Acceptable Use of ICT Resources Policy processes and procedures prepared by Shared Services ICT Directorate policies and guidelines in relation to particular ICT resources. Policy 1. Access Remote access can be granted to the ICT environment as follows: 1.1 Individual ACT Government employees A default level of access will be provided to a minimum subset of systems, e.g. to access Microsoft Office applications, Outlook and calendar and the file servers (G, H and W drives). Business Applications requests for remote access will be assessed on a case by case basis. Remote access will only be permitted where access controls can be implemented that are appropriate to address any identified threats and risks. Date issued: September 2014 Version: 1.3 Page 3 of 9

4 1.2 Remote sites For sites where a permanent WAN connection may not be viable or appropriate, requests for remote access to the ICT environment will be assessed on a case by case basis. Remote access by remote sites must be: controlled for time periods mutually agreeable to the directorate/business unit and Shared Services ICT configured so that work is performed with the minimum level of permissions. 1.3 Trusted third parties/vendors Requests for remote access to the ICT environment by trusted third parties/vendors will be assessed on a case by case basis where a demonstrated business need exists. Remote access by trusted third parties/vendors must be: Controlled. The default remote access for trusted third parties/ vendors must be for specific limited access, not for open access for time periods mutually agreeable to the Directorate, Shared Services ICT and the trusted third party/vendor contractually based, legally enforceable and in accordance with established ACT Government business processes approved by Shared Services ICT where the access, or work to be undertaken, affects the ICT environment domain configured so that the minimum level of permissions is granted for access to components and sub systems (e.g. database, file systems, applications) and work is performed with the minimum level of permissions Documented in the System Security Plan. 2. Approval process Approval is subject to: a demonstrated business need the availability of an appropriate technical solution a threat and risk assessment together with risk mitigation strategies agreed to by all stakeholders the completion of a Clearance and Approval Form any persons or parties receiving remote access signing a remote access acceptance agreement contractually based and legally enforceable arrangements are made with trusted third parties/vendors where appropriate All FORMS are signed with copies provided to Shared Services ICT Security PRIOR to the provision of the service. 3. Dispute resolution Where any involved parties (including Shared Services ICT) are unable to reach agreement, they may seek mediation by the Whole-of-Government IM/ICT Committee. Date issued: September 2014 Version: 1.3 Page 4 of 9

5 4. Security Remote access to the ICT environment must not compromise the security or integrity of the ICT environment; an ICT resource; or any information residing on an ICT resource in accordance with the provisions of the ICT Security Policy. Refer to paragraph 2 above. 5. Monitoring and logging All remote access activities are monitored and logged in accordance with the provisions of the ICT Security Policy and the Acceptable Use of ICT Resources Policy and in compliance with the ACT Workplace Privacy Act. 6. Use of non-shared Services ICT equipment Connections to ACTGOV should be initiated from computer hardware that is under the control or ownership of the individual or Directorate authorised to access the service. Where agencies allow the use of non-shared Services ICT computers for remote access Directorates must notify users: about issues of security, taxation, protection of network and occupational health and safety as detailed in the Public Sector Management Best Practice Note 6.3 Management: Home Based Work, and that the ACT government will not accept any liability for damage or failure to privately owned equipment used for remote access. 7. Support arrangements 7.1 Technical support Shared Services ICT will: develop the ACT Government Remote Access Standard develop, support and maintain the approved remote access solutions and associated infrastructure negotiate service level agreements and other support agreements with agencies specifying services, technical requirements and fees applicable to the remote access arrangements. 8. Documentation The documentation required to assist users of remote access services includes: user documentation developed and documented by Shared Services ICT a remote access acceptance agreement an acceptable use statement confidentiality and non-disclosure agreements for ALL 3 rd party staff or at contract level whichever is appropriate Police records checks for all 3 rd party personnel accessing systems that are deployed in an education environment involving minors. Date issued: September 2014 Version: 1.3 Page 5 of 9

6 The documentation required to assist directorates apply for remote access includes: a "Clearance and Approval" form and processes procedures developed and documented by Shared Services ICT 9. Evaluation measures This policy will be reviewed annually. Associated Documents ACT Government Purchasing Policy and Principles Guidelines ACT Government Remote Access Standard The Public Sector Management Best Practice Notes ACT Government Policies, Guidelines and Standards Processes and procedures prepared by Shared Services ICT Roles and Responsibilities Role Responsibilities Agencies Identify a business need; Develop an appropriate remote access technical solution in consultation with Shared Services ICT. Conduct an agency discrete assessment of specific or general threats and risks associated with remote access, and put in place risk mitigation steps or strategies. Ensure necessary arrangements have been implemented for the protection of sensitive information, security and privacy in compliance with ACT Government policies, standards and guidelines; Complete a clearance and approval or business case for determination by the Director General or the Director General's authorised delegate Ensure that trusted third parties/ vendors responsibilities and obligations regarding remote access are addressed in contracts and legally enforceable arrangements. Shared Services ICT Shared Services ICT s roles, deliverables and associated costs are defined contractually in the Service Level Agreements (SLAs) and other support agreements. Shared Services ICT will: Provide agencies with information about threats, risks and mitigation strategies that are relevant to the agency Threat and Risk Assessment. Provide minimum hardware specifications to all remote access users. Develop, in consultation with agencies, appropriate remote access technical solutions; Develop, in consultation with agencies, procedures and guidelines for accessing the Remote Access Infrastructure. Date issued: September 2014 Version: 1.3 Page 6 of 9

7 Role Responsibilities Distribute, review and revise this policy as necessary. Provide advice. Provide transitional policy support including Provide assistance with the completion of TRA and Risk Mitigation templates. Advise whether the TRA has identified all stakeholders and all major whole of government risks. Approve the satisfactorily completed Clearance and Approval Form with supporting TRA s and risk mitigation. Provide mediation when requested. Compliance If, as a result of an audit or other circumstance, an agency is found to have not complied with this Policy, the appropriate Director General will be informed with details of noncompliance in writing. Contact Officer For any queries about this Policy, contact the Shared Services ICT Policy Office. Date issued: September 2014 Version: 1.3 Page 7 of 9

8 Appendix A Glossary Term ICT Environment ICT Resources Remote Access Remote sites Definition The ICT technologies utilised to conduct ACT Government business. The ICT environment can be categorised as the operational, production or test domains. All ACT Government ICT networks, equipment, systems and applications (e.g. hardware and software), , the Internet and Internet . The ability to get access to a computer or a network from a remote distance A normal place of work for ACT Government employees that is not connected to the ACTGOV network. NOTE: Other terms may be found in the Shared Services ICT Glossary of Terms. Metadata Owner: Document location: Review cycle: Senior Manager, Shared Services ICT Security This policy should be reviewed every 24 months or when conditions significantly change, whichever is the shorter. Note: This is a CONTROLLED document. Any documents appearing in paper form are not controlled and should be checked against the intranet version prior to use. Amendment history Ver no. Issue date Amendment details Author Approval 1.0 Dec 2001 Initial release. ACTIM Supported by ISG & IMCC, endorsed by ACTIS Mgt Board, approved by CE CMD /11/2006 Minor revision Policy Office Endorsed by Policy Review Group - Oct May 2012 Revision due to restructure of Shared Services ICT. Minor changes to reflect Auditor general findings. 1.3 September Add Bolden Jame Privacy Act 1988 to Information Privacy Act Kerry Webb Peter Major, Greg Tankard Executive Director, Shared Services ICT Executive Director Shared Services ICT Executive Date issued: September 2014 Version: 1.3 Page 8 of 9

9 Ver no. Issue date Amendment details Author Approval Cosmetic changes responsible for ICT Security Date issued: September 2014 Version: 1.3 Page 9 of 9