Remote Access Policy
| Field | Value |
|---|---|
| Document ID | POL-019 |
| Classification | Internal |
| Owner | CTO (interim CISO) |
| Effective Date | April 2026 |
| Review Cycle | Annual |
1. Overview
Remote access to organizational resources is required to support productivity; however, it introduces risks when users connect from external networks. The organization implements security controls to mitigate risks associated with Work From Remote Location (WFRL).
2. Purpose
This policy defines requirements for secure remote access to organizational systems and data to prevent unauthorized access and protect sensitive information.
3. Scope
This policy applies to all employees, contractors, and third-party users who access organizational resources remotely using company-owned devices.
4. Policy
4.1 Secure Remote Access
Access to critical organizational resources is permitted only through secure VPN connectivity. The organization uses Pritunl VPN for remote access, which provides encrypted communication channels.
4.2 Authentication and MFA
Users must authenticate to the VPN using organization-managed Google authentication logins. Multi-factor authentication (MFA) is enforced for VPN access and cloud services to ensure an additional layer of security.
4.3 Secure Network Requirement
Users accessing resources from remote locations must use secure networks protected with strong Wi-Fi passwords. Access from unsecured or public Wi-Fi networks is discouraged unless the VPN connection is active.
4.4 Password Security
Strong password practices are enforced for all systems. Passwords for organizational accounts and cloud services expire periodically and must be updated.
4.5 Endpoint Security
Devices used for remote access must:
- Keep operating systems updated
- Have screen lock enabled
- Apply security patches regularly
4.6 Access Control
- Only authorized users can access remote systems
- Access is restricted to approved personnel only
4.7 WFRL Risk Management
Remote work risks are managed through:
- VPN connection required for all access
- Multi-factor authentication enforced
- Secure networks and updated devices mandatory
5. Compliance
- Infosec team monitors policy compliance
- Exceptions require advance approval
- Violations may result in disciplinary action