U09 Remote Access Policy

Transcription

1 Plymouth City Council U09 Remote Access Policy December 2008 This document is copyright to Plymouth City Council and should not be used or adapted for any purpose without the agreement of the Council. Target Audience: Manager

2 Contents Document Control 3 Document Amendment History 3 1 Purpose 4 2 Scope 4 3 Governance factors 4 4 Remote Access Methods 4 5 Use of Remote Access methods 5 6 Usage Restrictions 6 7 Netilla Remote Administration 7 8 Methods of compliance with the controls 8 Only current as an electronic version in the document library Page 2 of 8

3 Document Control Organisation Plymouth City Council Title Remote Access Policy Creator John Finch Source Approvals Distribution Filename Owner Information Security Manager Subject Protective Marking Review date October 2008 Document Amendment History Revision Originator of Date of Change Description No. change change 0.1 John Finch 1/10/2007 Initial release for comment to ICT Team Leaders 0.2 Simon Hurrell 19/10/2007 Addition of remote connections 0.3 Mel Gwynn 24/10/2007 Minor changes to whole document 0.4 Richard 18/11/2007 Major rewording of whole document. Woodfield 0.5 Damean Miller 12/2/2008 Minor changes to wording 1.0 Release 1.1 John Finch 18/7/2008 Integration of PIM devices 1.2 John Finch 7/06/2011 Change of ICT terminology Only current as an electronic version in the document library Page 3 of 8

4 1 Purpose Remote access is connecting to the corporate computer system by any computer that is not connected to the Corporate Network using the Council infrastructure. The provision of Remote Access must be controlled in order to protect Council systems. The controls determine who can access Council systems, how they can access and what can be accessed. 2 Scope Council systems can be accessed remotely by various people: 2.1 Councillors and Staff whilst out of the office. 2.2 Staff to provide support for systems 2.3 Suppliers to provide Remote Administration on systems 2.4 Third Parties requiring approved access to Council systems 3 Governance factors Controls on remote connections to the corporate network arise from the rules predefined in the Codes of Connections required to allow the Council to use secure networks. Examples of secure networks include, but are not limited to: 3.1 Government Connect 3.2 Payment Card Industry Data Security Standard (PCI DSS) 3.3 Contact Point 3.4 Criminal Justice Board Remote connections must not be allowed to compromise compliance with a secure network Code of Connection. 4 Remote Access Methods The following methods provide remote access: 4.1 Virtual Private Network (VPN) This uses an approved client installed on a computer which provides direct encrypted connectivity into the corporate network. 4.2 Netilla Netilla provides secure remote access via a council hosted web portal. It utilises two factor authentication to prevent unauthorised access. 4.3 Outlook Web Access (OWA) Council provided portal for remote access of Microsoft Outlook corporate and other services. Only current as an electronic version in the document library Page 4 of 8

5 4.4 Fixed link i.e. National Health Service (NHS), or Southern Electric Contracting (SEC), (always outside the firewall). 4.5 Site-to-site VPN i.e. Devon County Pensions system 4.6 Dial up Dial-up is only provided in limited circumstances to provide support when there is no other available option. 4.7 Third party remote support tools from the internet This option is not provided by the council; however they are used by some suppliers to provide support. 4.8 Personal Information Management (PIM) devices The council approved PIM device is the BlackBerry. 5 Use of Remote Access methods The methods of remote access are only to be used in the following circumstances. 5.1 VPN 5.2 Netilla Approved Councillors and Staff whilst out of the office using Council computers Suppliers to provide remote administration on systems Staff to provide support for systems Access to and files whilst out of the office Suppliers to provide remote administration on systems Third parties requiring access to Council systems. 5.3 Outlook Web Access Councillors and Staff whilst away from their dedicated computer. 5.4 Remote Access web tools Essential support for systems that cannot be provided by other means. 5.5 PIM Devices Only current as an electronic version in the document library Page 5 of 8

6 6 Usage Restrictions 6.1 VPN 6.2 Netilla Only Council provided devices that have the council security profile are to be used for Council business and service provision On Council computers, VPN must only be enabled using approved software installed by ISD On suppliers computers, used to provide remote administration on systems, VPN must only be enabled using approved software and must only give access to the system being supported Users must satisfy an approval process Each approved user will be given a token to provide two-factor authentication Tokens are not to be shared without permission Tokens assigned to suppliers providing remote support are to be kept with the Council Netilla Remote Administration procedures must be followed. See section Once the requirement for Netilla access has finished, the token must be returned to ICT. 6.3 Outlook Web Access (OWA) Provided to all individual Councillors and Council staff who have access to Removed from Council accounts with access to GCSx mail, generic, Application and non Council staff accounts All temporary files to be cleared after use Data accessed via OWA must not be saved onto non Council computers or other equipment. 6.4 Remote Access web support Access to Remote Web support websites must be individually approved. Only current as an electronic version in the document library Page 6 of 8

7 6.4.2 Remote access sessions initiated by the supplier must have the support session start logged by ICT before continuing Access must only be allowed when all applications apart from the supported application have been closed All files transferred to the corporate network in order to facilitate the connection must be removed when the session is finished The supplier must inform ICT when the session has finished. 6.5 Use of PIM devices The use of the device must be conducted in compliance with the council s health and safety policy The PIM device is only to be connected to the council system remotely The PIM device or any storage media used with it is not to be connected to any non-council equipment Internet browsing will be provided through the filtered service provided by the council The PIM device will be configured according to CESG security guidelines The PIM device must be protected by a password that is compliant with the CESG recommended password scheme All data stored on the PIM device or associated storage card must be encrypted Bluetooth will not be enabled on the PIM device by default. Bluetooth will be enabled on the device for use with a headset with a business case only The PIM device will not be enabled as a USB data storage device to prevent the transfer of data PIM devices will only be issued to staff who have undertaken an internal training session in their use within the Council. 7 Netilla Remote Administration by Third Parties 7.1 All Staff must be individually authorised. 7.2 Suppliers must name the individuals provided with access. 7.3 Each individual person must verify their identity. Only current as an electronic version in the document library Page 7 of 8

8 7.4 To verify their identity, each named individual will register the answers to secure questions, which will be asked before activation. 7.5 Suppliers must only have support sessions activated by ISD. 7.6 Suppliers must inform ICT when the session has finished. 8 Methods of compliance with the controls 8.1 ICT will provide procedures to control remote access which must be followed by all those using any method of remote access. 8.2 Councillors or Staff must initiate a security incident report if there is any actual or attempted remote access to the Council corporate system that has not been approved, or may compromise a code of connection to a secure network. Only current as an electronic version in the document library Page 8 of 8