
1. Policy Overview

The purpose of this policy is to provide guidelines for Remote Access IPSec or Virtual Private Network (VPN) connections to the University of Dammam network.

1.1. Purpose

A University VPN connection allows users to connect directly to the University network through the Internet. In order to allow this connectivity, secure connection issues, performance issues, and bandwidth utilization criteria must be addressed.

1.2. Scope

The policy statements written in this document are applicable to all of UoD's VPN users at all levels of sensitivity, including:

- VPN Admins
- Executives
- Staff
- Contractors
- All other individuals and groups who have been granted access to UoD's ICT Network and information through VPN access.

1.3. Terms and Definitions

Table 1 provides definitions of the common terms used in this document.

| Term | Definition |
|---|---|
| Accountability | A security principle indicating that individuals shall be able to be identified and to be held responsible for their actions. |
| Asset | Information that has value to the organization such as forms, media, networks, hardware, software and information system. |
| Availability | The state of an asset or a service of being accessible and usable upon demand by an authorized entity. |
| Confidentiality | An asset or a service is not made available or disclosed to unauthorized individuals, entities or processes. |
| Control | A means of managing risk, including policies, procedures, and guidelines which can be of administrative, technical, management or legal nature. |
| Guideline | A description that clarifies what shall be done and how, to achieve the objectives set out in policies. |
| Information Security | The preservation of confidentiality, integrity, and availability of information. Additionally, other properties such as authenticity, accountability, nonrepudiation and reliability can also be involved. |
| Integrity | Maintaining and assuring the accuracy and consistency of asset over its entire life-cycle. |
| Malware (Malicious) | Software designed to disrupt computer operation, gather sensitive information, or gain access to private computer systems (e.g., virus or Trojan horse). |
| Policy | A plan of action to guide decisions and actions. The policy process includes the identification of different alternatives such as programs or spending priorities, and choosing among them on the basis of the impact they will have. |
| Risk | A combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence. |
| System | An equipment or interconnected system or subsystems of equipment that is used in the acquisition, storage, manipulation, management, control, display, switching, interchange, transmission or reception of data and that includes computer software, firmware and hardware. |

Table 1: Terms and Definitions

1.4. Change, Review and Update

This policy shall be reviewed once every year unless the owner considers an earlier review necessary to ensure that the policy remains current. Changes to this policy shall be performed exclusively by the Information Security Officer and approved by management. A change log shall be kept current and be updated as soon as any change has been made.

1.5. Enforcement / Compliance

Compliance with this policy is mandatory and it is to be reviewed periodically by the Information Security Officer. All UoD units (Deanship, Department, College, Section and Center) shall ensure continuous compliance monitoring within their area.

If the information security directives are ignored or infringed, UoD's environment could be harmed (e.g., loss of trust and reputation, operational disruptions or legal violations), and the persons at fault will be held responsible, resulting in disciplinary or corrective actions (e.g., dismissal), and could face legal investigations.

Correct and fair treatment of employees who are under suspicion of violating security directives (e.g., disciplinary action) has to be ensured. Management and the Human Resources Department have to be informed of policy violations and deal with their handling.

1.6. Waiver

Information security shall consider exceptions on an individual basis. For an exception to be approved, a business case outlining the logic behind the request shall accompany the request. Exceptions to the policy compliance requirement shall be authorized by the Information Security Officer and approved by the ICT Deanship. Each waiver request shall include justification and benefits attributed to the waiver.

The policy waiver period has a maximum of 4 months, and shall be reassessed and re-approved, if necessary, for a maximum of three consecutive terms. No policy shall be granted a waiver for more than three consecutive terms.

1.7. Relevant Documents

The following are all relevant policies and procedures to this policy:

- Information Security Policy
- Human Resource Security Policy
- Access Control Policy
- Compliance Policy
- Password Policy

1.8. Ownership

This document is owned and maintained by the ICT Deanship of University of Dammam.

2. Policy Statements

Approved University members and authorized third parties (contractors, etc.) may utilize the benefits of VPNs, which are a "user managed" service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees. Additionally,

1. In order to obtain VPN access, a change request must be approved by the DICT management board, filled in with the request justification, email and user's contact details, resources to access (including IP addresses and port numbers) and duration of access required.
2. It is the responsibility of users with VPN privileges to ensure that unauthorized users are not allowed access to University internal networks.
3. VPN use is to be controlled using either a one-time password authentication such as a token device or a public/private key system with a strong passphrase.
4. When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the VPN tunnel; all other traffic will be dropped.
5. Dual (split) tunnelling is not permitted; only one network connection is allowed. Exceptions must be made through a DICT board request and with the Dean of DICT's approval.
6. VPN gateways will be set up and managed by University network and security teams.
7. All computers connected to University internal networks via VPN or any other technology must use the most up-to-date anti-virus software; this includes personal computers.
8. VPN users will be automatically disconnected from the University's network after 15 minutes of inactivity. The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
9. The VPN concentrator is limited to a connection time of 72 hours or the time specified by the DICT management board.
10. Users must configure their machines to comply with the University's VPN and Network policies.
11. Users are required to download the VPN client software from the University VPN gateway in order to activate their VPN account.
12. Any exception to the policy must be approved by the DICT Management Board in advance.
13. Support will only be provided for VPN clients approved by UoD University's Information Technology Services.
14. Users found to have violated the VPN Access Policy may be subject to loss of privileges of services and be subject to disciplinary action.
15. This policy is to be periodically reviewed and amended by the DICT management board.

If you have any questions related to the use of the UoD University VPN, please contact the DICT Help Desk