Guidelines in Setting Up Remote Access Control Policy


Remote access is increasingly common across businesses. It can provide significant benefits to end users and opportunities for their service providers. However, as end users receive more remote access requests, they should be increasingly mindful of the security implications, and the practical way to manage those implications is a written remote access control policy.

The remote access control policy must protect IT systems and data in proportion to the risk and sensitivity of that data. Developing such a policy requires balancing security interests against operational requirements, convenience, and cost.

Remote Access Control Policy

Account Management in remote access control policy

An effective access management process, such as the one Comodo ONE provides, is vital to a remote access control policy that matches data sensitivity and risk profile. It consists of the processes for requesting, authorizing, administering, and terminating the accounts that access IT systems and data.

System and Data Owners establish the requirements for identification, authentication, and authorization to access an IT system according to the sensitivity and risk of the IT system and its data. Passwords are required as a minimum for access to all sensitive IT systems.

Authentication method in remote access control policy

Other authentication methods, beyond passwords alone, should be considered according to risk and sensitivity when creating a remote access control policy. In determining the sensitivity level of customer-facing systems, organizations should consider:

  • Whether customers need to be allowed access to the data at all
  • Whether customers need access only to data about themselves
  • Whether customers have access to data about others, and the correspondingly higher sensitivity level that implies

In addition, organizations should document policies and procedures that require a user to acknowledge an Access Agreement before receiving access to an IT system. The content of this agreement will vary with the role of the specific user.

Different Access Levels In Remote Access Control Policy

Organizations must establish remote access control policies and procedures for requests and authorization for access to IT systems and data. The policies and procedures must require that access is authorized using the principle of least privilege. Access to IT systems and data may only be granted with the approval of the user's supervisor and the System Owner.

Furthermore, organizations may, at their discretion, allow access requests for low-sensitivity systems to be approved by the System Owner alone, in order to reduce the administrative burden that these low-sensitivity systems place on the System Owner.

Least Privilege

Access to IT systems and data must be granted on the basis of least privilege. Under the principle of least privilege, organizations provide access only to those systems that users require to perform their tasks. When establishing a remote access control policy, organizations must authorize the most restrictive access level that still lets users perform those functions.

Role-based Access Control

Role-based access control grants access to IT systems and data based on the user's role within the institution, or as a customer of the organization, rather than on a per-user basis. Organizations should adopt role-based access control as part of the account management in their remote access control policy.

This is recommended because it simplifies the administration of user access rights by associating those rights with a limited number of standardized roles. Tying access rights to standardized roles also helps maintain the principle of least privilege, since a role carries only the rights its function needs.

Approval

Before granting access to IT systems and data, organizations must have documentation of each access request. For IT systems with sensitivity of medium and higher, the request must be approved by the System Owner or by the supervisor. The supervisor may also approve requests based on the job requirements.

Shared Accounts

Individual accountability is essential to IT systems security. Organizations must not authorize the creation of accounts that can be used anonymously or by more than one person. A guest account enables anonymous access to an IT system, while a shared account hides individual accountability within a group. Both types of account, and the sharing of passwords, are forbidden.

Account Maintenance in Remote Access Control Policy

Established accounts require maintenance on a continuous basis to keep IT security strong. Accounts must be validated periodically to determine whether the access is still necessary and still meets the requirements of least privilege.
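The rules laid out in the Approval, Least Privilege, Role-based Access Control, Shared Accounts and Account Maintenance sections above can be expressed as a small, checkable model. The following is an added example written for this page; it is not code from Comodo ONE or from the original article. The role names, permission strings, system sensitivity classifications, forbidden account names, review intervals and sample accounts are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from enum import IntEnum


class Sensitivity(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Constructed example roles: each maps to the minimal permission set that
# role needs, which is what makes a role-based grant a least-privilege grant.
ROLE_PERMISSIONS = {
    "helpdesk": {"ticketing:read", "ticketing:write"},
    "finance_clerk": {"ledger:read"},
    "finance_manager": {"ledger:read", "ledger:write"},
}

# Constructed sensitivity classification of each IT system.
SYSTEM_SENSITIVITY = {"ticketing": Sensitivity.LOW, "ledger": Sensitivity.HIGH}

# Account names that would hide individual accountability (constructed list).
FORBIDDEN_ACCOUNT_NAMES = {"guest", "shared", "admin"}


@dataclass
class AccessRequest:
    account: str
    role: str
    system: str
    agreement_acknowledged: bool = False
    approved_by_supervisor: bool = False
    approved_by_system_owner: bool = False


def validate_request(req: AccessRequest) -> tuple[bool, str]:
    """Apply the policy rules to one documented access request.

    Returns (granted, reason).  Rules, in order: no anonymous or shared
    accounts; Access Agreement acknowledged; the System Owner always approves;
    the supervisor must also approve for MEDIUM and higher sensitivity (LOW
    may be approved by the System Owner alone); and the requested role must
    actually carry a permission on the requested system (least privilege).
    """
    if req.account.lower() in FORBIDDEN_ACCOUNT_NAMES:
        return False, "guest and shared accounts are forbidden"
    if not req.agreement_acknowledged:
        return False, "Access Agreement not acknowledged"
    if req.role not in ROLE_PERMISSIONS or req.system not in SYSTEM_SENSITIVITY:
        return False, "unknown role or system"
    if not req.approved_by_system_owner:
        return False, "System Owner approval required"
    if SYSTEM_SENSITIVITY[req.system] >= Sensitivity.MEDIUM and not req.approved_by_supervisor:
        return False, "supervisor approval required for medium/high sensitivity"
    if not any(p.startswith(req.system + ":") for p in ROLE_PERMISSIONS[req.role]):
        return False, "role grants nothing on that system; request violates least privilege"
    return True, "granted"


def effective_permissions(roles) -> set:
    """Union of the permission sets of the roles held by one individual account."""
    return set().union(*(ROLE_PERMISSIONS[r] for r in roles))


@dataclass
class Account:
    name: str
    roles: frozenset
    last_reviewed: date
    last_used: date


def accounts_needing_review(accounts, today, review_every=90, dormant_after=60):
    """Periodic validation: flag accounts whose entitlements have not been
    re-validated within review_every days, or that have gone unused for
    dormant_after days (access nobody uses is access nobody needs)."""
    flagged = []
    for acct in accounts:
        if (today - acct.last_reviewed).days > review_every:
            flagged.append((acct.name, "review overdue"))
        elif (today - acct.last_used).days > dormant_after:
            flagged.append((acct.name, "dormant; remove or re-justify access"))
    return flagged


if __name__ == "__main__":
    # Constructed sample requests: one that satisfies every rule, one that fails.
    print(validate_request(AccessRequest("jdoe", "finance_clerk", "ledger", True, True, True)))
    print(validate_request(AccessRequest("guest", "helpdesk", "ticketing", True, True, True)))
```

The order of the checks mirrors the policy: accountability (no guest or shared accounts) and the Access Agreement are preconditions, approvals are then required in proportion to sensitivity, and the final check refuses a role that carries no rights on the requested system, which is what keeps a role-based grant from quietly widening beyond least privilege. The review function is the maintenance step: it separates accounts whose entitlements are simply overdue for re-validation from accounts that are still "valid" on paper but have gone unused.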

If you want a complete, scalable IT management platform that is 100% free, try Comodo ONE now and get your free copy today!
