Remote Access and Network Security Statement For Apple




Remote Access and Mobile Working Policy & Guidance

Document Control

Document Details
Author: Adrian Last
Company Name: The Crown Estate
Division Name: Information Services
Document Name: Remote Access and Mobile Working Policy
Version Date: 11/08/11
Effective Date: 1 November 2012
Issue: THREE
Review Date: October 2013

Change Record
Modified Date | Author | Version | Description of Changes
12/05/2010 | Clare Kelly | 1.1 | Incorporates amendments by TB, CK and NS
04/05/2011 | R McCaughan | 1.2 | Incorporated VPN policy
06/07/2011 | S Smith | 1.3 | Review on behalf of Service Desk
09/08/2011 | S Smith | 1.4 | References made to Edge and Direct Access
15/10/2012 | S Smith | 1.5 | Removed references solely to Smartphones and replaced with mobile devices. Add statement for Apple's Common Criteria Certification Security Statement
17/10/2012 | A R Last | 1.6 | Annual review

Stakeholder Sign off
Name | Position | Signature | Date
Nigel Spencer | Information Services Manager | | July 2011
Clare Kelly | IT Support Manager | | July 2011
Nigel Spencer | Head of IS | | October 2012

Security Sign-off
Name | Position | Signature | Date
Adrian Last | Business Support Manager | | August 2011
Adrian Last | ISMS Manager | | October 2012

Table of Contents

1. Purpose
2. Scope
3. Policy
3.1. Policy Statement
3.2. Policy Objectives
3.3. Policy Overview
3.4. Policy Maintenance
4. Policy Requirements
4.1. General
4.2. Documentation and Data
4.3. Working Remotely
4.4. General Rules & Principles of VPNs (Virtual Private Networks)
4.5. Telephone
4.6. Direct Access
4.7. Edge devices (Homeworker solution)
4.8. Reporting Security Incidents
4.9. Business Continuity
4.10. User Awareness
5. Disciplinary Process
6. Deviations from Policy
7. Glossary of Terms
Appendix A List of related documents, procedures and processes

1. Purpose

The purpose of this policy is to protect the confidentiality, integrity and availability of The Crown Estate's information by controlling remote access to its IT systems and to define standards for connecting to The Crown Estate's network from any host.

2. Scope

The scope of this policy applies to:

- The Crown Estate's personnel, temporary staff, contractors and service providers utilising The Crown Estate's information system resources from a remote location; and
- Information system resources, including data networks, LAN servers and personal computers (stand-alone or network-enabled) located on The Crown Estate and non-Crown Estate locations, where these systems are under the jurisdiction and/or ownership of The Crown Estate, and any personal computers and/or servers authorised to access The Crown Estate's data networks. Third parties shall also adhere to this policy.
- Remote access connections used to do work on behalf of The Crown Estate, including reading, sending email and viewing intranet web resources from all types of equipment.

3. Policy

3.1. Policy Statement

The Crown Estate's information system resources are assets important to The Crown Estate's business and stakeholders and its dependency on these assets demands that appropriate levels of information security be instituted and maintained. It is The Crown Estate's policy that appropriate remote access control measures are implemented to protect its information system resources against accidental or malicious destruction, damage, modification or disclosure, and to maintain appropriate levels of confidentiality, integrity and availability of such information system resources.

3.2. Policy Objectives

The objectives of this policy with regard to the protection of information system resources against unauthorised access from remote locations are to:

- Minimise the threat of accidental, unauthorised or inappropriate access to either electronic or paper-based information owned by The Crown Estate or temporarily entrusted to it;
- Minimise The Crown Estate's network exposure, which may result in a compromise of network integrity, availability and confidentiality of information system resources; and
- Minimise reputation exposure, which may result in loss, disclosure or corruption of sensitive information and breach of confidentiality.

3.3. Policy Overview

The Crown Estate information system resources are important business assets that are vulnerable to access by unauthorised individuals or unauthorised remote electronic processes. Sufficient precautions are required to prevent and detect unwanted access from unauthorised users in remote locations. Users should be made aware of the dangers of unauthorised remote access, and managers should, where appropriate, introduce special controls to detect or prevent such access.

3.4. Policy Maintenance

Supporting standards, guidelines and procedures will be issued on an ongoing basis by The Crown Estate. Users will be informed of any subsequent changes or updated versions of such standards, guidelines and procedures by way of e-mail or other relevant communication media. Users shall then have the obligation to obtain the current information systems policies from The Crown Estate intranet (i-site) or other relevant communication media on an ongoing basis and accept the terms and conditions contained therein.

4. Policy Requirements

The Crown Estate's information system resources shall be appropriately protected to prevent unauthorised remote access.

4.1. General

It is the responsibility of The Crown Estate's employees, contractors, vendors and agents with remote access privileges to The Crown Estate's corporate network to ensure that their remote access connection is given the same consideration as their on-site connection to The Crown Estate.

IT equipment provided to the employee to support working from home is for the exclusive use of that employee alone.

The only permitted remote access method for non-Crown Estate computers is via terminal services or The Crown Estate Extranet, or the Guest Wireless Network if at one of The Crown Estate offices offering that facility.

Mobile devices, e.g. BlackBerrys, smartphones, iPhones and iPads, are managed and supported by The Crown Estate IT Service Desk.

Users are permitted to connect their personal mobile devices to The Crown Estate email system. However, the IT Service Desk will only provide support for this method of connection on a goodwill basis. Furthermore, it is the responsibility of the user to ensure that their personal mobile device is protected by a password. If that device is lost or stolen then it is the responsibility of the user to advise their mobile provider and arrange for the device to be removed from the service. If the IT Service Desk believes that access to The Crown Estate email systems is occurring without adequate security provisions, this facility will be withdrawn immediately and a request for the mobile device to be wiped will be issued.

The use of external email accounts (i.e. Hotmail, Yahoo, AOL), or other external resources to conduct The Crown Estate business is forbidden.

The ISMS Committee will be the final arbiter for methods of connection to The Crown Estate corporate IT network.

4.2. Documentation and Data

All sensitive and business critical documentation belonging to The Crown Estate and being used at a remote location must be securely stored and not displayed in a manner which allows its content to be viewed by unauthorised persons.

Data and documents belonging to The Crown Estate must not be stored on personal equipment unless permission from the Line Manager has been obtained. Any data stored on personal equipment must be encrypted, using advice obtained from the IT Service Desk.

iPhones and iPads are managed and supported using Apple's Common Criteria Certification Security Statement.

4.3. Working Remotely

Employees wishing to work away from the office occasionally must secure the agreement of their Line Manager prior to the actual date of working remotely. When approving requests, Line Managers are responsible for ensuring that there is a clear business requirement for the employee to undertake work remotely rather than attending the office. Retrospective requests will not normally be agreed and any absence may be considered as unauthorised, which may lead to disciplinary action being taken.

Employees wishing to work from their own equipment should ensure that their hardware and software configuration complies with The Crown Estate's minimum requirements. This check should be done before the date on which they have booked to work remotely to ensure that any necessary patches or updates can be implemented. See Remote Access Via Terminal Services User Guide on I-Site. It is the responsibility of the user to ensure their own equipment is patched accordingly. The IT Service Desk will advise the user only on suggested actions but they will not action any changes to non-Crown Estate equipment.

Subject to line management approval and hardware availability, a laptop or other equipment may be provided if the employee intends to work remotely on a more frequent basis. The Crown Estate will retain ownership of the equipment and also insure and maintain the equipment. The employee must take good care of the equipment and ensure that it is used in accordance with The Crown Estate's full range of policies. Alternatively, the employee has access to pool laptops which, subject to availability, can be used when required.

When working in a public area, for instance on a train, the employee must take all reasonable steps to ensure that The Crown Estate's information remains confidential and secure. The employee must ensure that any documents/laptop screens are, as much as possible, not readily visible to members of the public.

4.4. General Rules & Principles of Virtual Private Networks (VPNs)

It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to The Crown Estate internal networks.

VPN use is to be controlled using either a one-time password authentication such as a token device or a public/private key system with a strong passphrase.

When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the VPN tunnel: all other traffic will be dropped.

Dual (split) tunnelling is NOT permitted; only one network connection is allowed.

VPN gateways will be set up and managed by The Crown Estate network operational groups.

All computers connected to The Crown Estate internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard (provide URL to this software); this includes personal computers.

VPN users will be automatically disconnected from The Crown Estate's network after thirty minutes of inactivity. The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.

Users of computers that are not The Crown Estate-owned equipment must configure the equipment to comply with The Crown Estate's Network related policies.

Only Crown Estate approved VPN clients may be used.

By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of The Crown Estate's network, and as such are subject to the same rules and regulations that apply to The Crown Estate-owned equipment, i.e., their machines must be configured to comply with The Crown Estate's information security policies.

4.5. Telephone

The Crown Estate will provide external access to voicemail (via Outlook Web Access via the extranet) which the employee will be required to check on a regular basis when working away from the office. Any application for a mobile phone will need to be agreed by the employee's Line Manager and reviewed by the IT Service Desk on a case-by-case basis.

4.6. Direct Access

The Crown Estate will provide external access to members of the business who use a laptop via the Microsoft Direct Access method. See 4.4 General Rules & Principles of Virtual Private Networks (VPNs) for expectations and responsibilities.

4.7. Edge devices (Homeworker solution)

Where The Crown Estate exceptionally provides a full Homeworker solution, it is expected that all equipment provided will be used solely for work on behalf of The Crown Estate. See 4.4 General Rules & Principles of Virtual Private Networks (VPNs). Management and HR approval is required for the above solution.

4.8. Reporting Security Incidents

All security incidents, including actual or potential unauthorised access to The Crown Estate's information systems via remote access, should be reported immediately to the ISMS Manager or Head of IS.

4.9. Business Continuity

Business continuity plans may include provision for working from home or other remote locations in the event of The Crown Estate's corporate headquarters or other premises being unavailable for a significant period of time.

4.10. User Awareness

Users commencing remote working will be made aware by their Line Manager of this policy and all its provisions.

5. Disciplinary Process

The Crown Estate reserves the right to audit compliance with this policy from time to time. Any disciplinary action, arising from breach of this policy, shall be taken in accordance with The Crown Estate's Rules and Disciplinary Code as amended from time to time. Disciplinary action may ultimately lead to dismissal.


6. Deviations from Policy

Unless specifically approved, any deviation from this policy is strictly prohibited. Any deviation from or non-compliance with this policy will be reported to the ISMS Manager & Head of IS.

7. Glossary of Terms

The terms used in this policy document are to be found in ISMS Glossary of Terms. In particular, Remote Access and Mobile Working is defined as the means of using The Crown Estate's electronic information resources from a remote location in a way which ensures that they are available only to persons authorised to view or process that information in accordance with predetermined rules.