Remote Access Procedure. e-governance

Transcription

1 for e-governance Draft

2 DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY Ministry of Communication and Information Technology, Government of India. Document Control S/L Type of Information Document Data 1. Document Title 2. Document Code 3. Date of Release 4. Next Review Date 5. Document Revision Number 6. Document Owner 7. Document Author(s) 8. Document Reference Document Approval For Internal Use Only Page 2 of 13

3 Sr. No. Document Approver Approver Designation Approver ID Document Change History Version Revision Date Nature of Change Date of Approval No. For Internal Use Only Page 3 of 13

4 Table of Contents 1. INTRODUCTION SCOPE PURPOSE DEFINITIONS... Error! Bookmark not defined. 5. PARCH MANAGEMENT PROCESS... Error! Bookmark not defined. 5.1 PATCH MANAGEMENT PROCESS FLOW... Error! Bookmark not defined. 6. REMOTE ACCESS PROCEDURE FOR IT DEVICE AD MINISTRATION REMOTE ACCESS MANAGEMENT PROCEDURE FOR END USERS CONTROLS FOR REMOTE ACCESS KEY MEASURING PARAMETER PROCESS DEPENDENCY AND REFERENCE For Internal Use Only Page 4 of 13

5 1. INTRODUCTION access is the ability to get access to a computer or a network from a remote distance. The purpose of this document is to provide guidance on how remote access over network should take place in e-gov service delivery environment and ensure that e-gov service delivery environment remains secure during such access. 2. SCOPE The procedure is applicable to all system administration tasks performed remotely. This procedure is also applicable to all employees, contractors and third party staff with e-gov service delivery or personally-owned computer or workstation used to connect to the e-gov service delivery. 3. PURPOSE The objective of this document is to ensure data security when accessing the E-Gov service delivery network from remote locations outside E-Gov service delivery network or while using mobile devices. For Internal Use Only Page 5 of 13

6 4. REMOTE ACCESS PROCEDURE FOR IT DEVICE ADMINISTRATION Logon banner shall be set to notify that all activities performed in the server shall be monitored. IP and Port based access control shall be employed on the remote server. Firewall ingress filtering shall be deployed for ports used by respective tools for remote administration of the information system. The port shall be opened exclusively during the times, when remote administration needs to be done. The ID used by the tools for remote administration shall be separate from the Administrator s local system account. An audit log shall be enabled to ensure that there is an accurate record of IP addresses and users accessing devices. 5. REMOTE ACCESS MANAGEMENT PROCEDURE FOR END USERS For Internal Use Only Page 6 of 13

7 For Internal Use Only Page 7 of 13

8 S.N o 0. Start Activity (What) Role (Who) Entry Criteria (Begins When) Exit Criteria (Ends When) Input Source Output Destination Tasks to be Performed (How) 1. Raise the Request for 2. Take appropriate( CISO) approval 3. Forward the request to IT HelpDesk 4. Log a ticket for the request 5. Provide the user to User Need for User Request for User IT HelpDesk IT Operation s team Approved Request for Approved request forwarded to the IT HelpDesk Approved Request for User Request for User User IT HelpDesk IT Operation s team Approved request for remote access Approved request forwarded to the IT HelpDesk Ticket number of the request User provided with remote access User IT HelpDesk IT HelpDesk User User will raise the request for getting remote access User will take appropriate from CISO for getting remote access. The details for approval is given in the next section of this document User will forward the approved request to the IT HelpDesk IT HelpDesk will log a ticket for the approved request forwarded to it and will forward the request to the IT Operations team for execution IT Operations team will take actions to provide the to the user IT Operations team will note the time for which is requested and will disconnect the For Internal Use Only Page 8 of 13

9 S.N o Activity (What) Role (Who) Entry Criteria (Begins When) Exit Criteria (Ends When) Input Source Output Destination Tasks to be Performed (How) after that time 6. End 6. CONTROLS FOR REMOTE ACCESS service shall be provided to authorized users of E-Gov service delivery after due approval. Restricted (Services other than and web enabled intranet services) through service to the E-Gov service delivery network shall be provided only after due authorization for business purposes. Any service for troubleshooting purposes required by Vendors for E-Gov service delivery should be allowed through the service after due approval from the CISO. Authorized dial-in user s access shall be authenticated using authentication mechanisms like Cisco Control (TACACS+). Users accessing critical E-Gov service delivery intranet applications shall use appropriate encrypted channel for communication over the Internet. For Internal Use Only Page 9 of 13

10 Users should not connect to the access service of E-Gov service delivery from public places or Meeting rooms. E-Gov service delivery employees, contractors and third party staff with remote access privileges must ensure that their E-Gov service delivery owned or personal computer or workstation, which is remotely connected to E-Gov service delivery s network, is not connected to any other network at the same time, with the exception of personal networks that are under the complete control of the user. Authorized access users shall not share his or her login or password with anyone, not even with family members/colleagues. / VPN access needs to be removed after approved activation period or as and when the user s Id is removed. 7. GENERAL GUIDELINES FOR REMOTE ACCESS access shall be provided based on business justification and the approval of CISO. access for all third party employees/ contractors shall be based on business needs and justified by the respective business before approval of CISO. Non-disclosure agreement including agreement not to misuse the remote access facility shall be established with the concerned third party before provisioning the access. All remote access shall be considered as a privilege and shall not be misused in any way that can cause harm to the information assets. For Internal Use Only Page 10 of 13

11 Dial up VPN IPSec and/ or SSL VPN protocol shall be used for remote access. Client VPN software shall be installed on approved client systems only. All VPN sessions shall be monitored annually. Logs, configuration and access rules shall be backed up on a periodic basis. Logs shall be reviewed on a regular basis. Time synchronization shall be configured with the time-server. access shall be time bound between start and end date of the project and access shall be revoked based on the time bound. Application level access control shall be implemented in addition to the remote access authentication. VPN shall be placed in a secured area with restricted access with both Client-to-Site and Site-to-Site VPN s shall be supported. Firewall rule shall be in place to allow only specific/ mentioned VPN traffic. All rules shall be documented and versioned and shall be approved by the CISO. Recommended security settings shall be applied as per the vendor specifications. Users/employees with VPN privilege shall ensure that their systems are not used by unauthorized users to access the internal network. VPN connection shall be controlled using password authentication and token device. For Internal Use Only Page 11 of 13

12 VPN users shall be automatically disconnected from the network after approved time limit. The user shall log on again to reconnect to the network. Usage of pings or other artificial network processes shall not to be used to keep the connection open. 8. KEY MEASURING PARAMETER Management Compliance KPIs S. No. KPI Description Measurement Criteria Frequency Benchmark Supporting Evidence 1. Reconciliation of users Scope: All remote users with access to e-gov service delivery's network and applications. 100-{Modulus (No. of remote user IDs active on the systems No. of approved remote user IDs requests)} Monthly 100.0% user reconciliation reports 9. REFERENCE For Internal Use Only Page 12 of 13

13 Network Security Guidelines For Internal Use Only Page 13 of 13