U 09 Remote Access Policy

June 2010

This document is copyright to Dartmoor National Park Authority and should not be used or adapted for any purpose without the agreement of the Authority.

Target Audience:


Only current as an electronic version on Parknet Page 2 of 7


Document Control 2
Document Amendment History 2
1 Purpose 3
2 Scope 3
3 Governance factors 3
4 Remote Access Methods 3
5 Use of Remote Access methods 4
6 Usage Restrictions 5
7 Remote Administration and Support by Third Parties 6
8 Methods of compliance with the controls 7

Document Control

Organisation: Dartmoor National Park Authority
Title: U09 Remote Access policy
Creator: Devon Information Security Partnership
Source:
Approvals:
Distribution:
Filename: 4-U09-DNPA Remote Access Policy.docx
Owner: Head of ICT Service
Subject: Information Security
Protective Marking: None
Review date:

Document Amendment History

Revision No.: 2
Originator of change: Ali Bright
Date of change: June 2010
Change Description: Adapted for DNPA Use


1 Purpose

Remote access is connecting to the corporate computer system by any computer that is not connected to the Corporate Network using the Authority’s ICT


The provision of Remote Access must be controlled in order to protect Authority systems. The controls determine who can access Authority systems, how they can access and what can be accessed.

2 Scope

Authority systems can be accessed remotely by various people:

• Members and Staff whilst out of the office.

• Staff to provide support for systems.

• Suppliers to provide Remote Administration on systems.

• Third Parties requiring approved access to Authority systems.

3 Governance factors

The controls on remote connections to the corporate network arise from the rules predefined in the Codes of Connection which other Local Authorities are required to comply with in order to use secure networks. Whilst Dartmoor National Park Authority does not currently connect to any separate secure networks, the controls that would be required are considered to be examples of best practice.

Examples of secure networks include, but are not limited to:

• Government Connect

• Payment Card Industry Data Security Standard (PCI DSS)

4 Remote Access Methods

The following methods provide remote access:

4.1 Virtual Private Network (VPN) provided through Microsoft ISA Server 2006.

4.1.1 This is restricted to third parties via their specific gateway IP addresses which must be provided in advance.

4.2 Virtual Private Network (VPN) provided via Juniper Netscreen 25 secure access gateway.

4.2.1 This is restricted to staff using Authority-provided computers with an approved client installed, which provides direct encrypted connectivity into the corporate network.


4.3 Outlook Web Access (OWA)

4.3.1 Authority provided portal for remote access of Microsoft Outlook corporate email and other services.

4.4 Juniper Secure Access 700

4.4.1 Restricted to occasional homeworkers, and provides a secure web based interface which enables access to files stored on the corporate network when working away from the office.

4.5 Dial up

4.5.1 Dial-up is only provided in limited circumstances to provide support when there is no other available option.

4.6 Third party remote support tools from the internet.

4.6.1 This option is occasionally used with some suppliers to provide support where they don’t already have access via any of the options above (WebEx, GoToMeeting, etc.).

4.7 Personal Information Management (PIM) devices

4.7.1 Authority approved PIM devices include any such device operating the Windows Mobile operating system.

5 Use of Remote Access methods

The methods of remote access are only to be used in the following circumstances.

5.1 VPN

5.1.1 Approved Members and Staff whilst out of the office using Authority computers.

5.1.2 Suppliers to provide remote administration on systems.

5.2 Outlook Web Access

5.2.1 All staff whilst away from their dedicated computer.

5.3 Juniper Secure Access 700

5.3.1 Occasional homeworkers who need to access files stored on the corporate network whilst out of the office.

5.4 Third party remote support tools from the internet

5.4.1 Essential support for systems that cannot be provided by other means.


are to be used for Authority business and service provision.

6 Usage Restrictions

6.1 VPN

6.1.1 On Authority computers, VPN must only be enabled using approved client software installed by the ICT Service.

6.1.2 On suppliers’ computers used to provide remote administration and/or support for systems, VPN must only be enabled following a request from a supplier on the approved suppliers list, and should be enabled for no longer than one 24-hour period. Any request for a change to the list of suppliers’ permitted IP addresses must be received in writing (either on headed paper or by email from the appropriate organisation’s domain) before the change will be allowed.

6.2 Outlook Web Access (OWA)

6.2.1 Provided to all individual Members and staff who have access to email via their own named mailbox.

6.2.2 Removed from generic, application and non-Authority staff accounts.

6.2.3 All temporary files to be cleared after use.

6.2.4 Data accessed via OWA must not be saved onto non Authority computers or other equipment.

6.2.5 Security controls provided via Active Directory Authentication to a named user account.

6.3 Juniper Secure Access 700

6.3.1 Provided to all Members and staff.

6.3.2 Security controls provided via Active Directory Authentication to a named user account.

6.4 Remote Access web support

6.4.1 Access to Remote Web support websites must be individually approved.

6.4.2 Remote access sessions initiated by the supplier must have the support session start acknowledged by the ICT Service, before access to systems is provided.


6.4.3 Access must only be allowed when all applications apart from the supported application have been closed.

6.4.4 All files transferred to the corporate network in order to facilitate the connection must be removed when the session is finished.

6.4.5 The supplier must inform the ICT Service when the session has finished.

6.4.6 The ICT Service must be able to terminate the remote session at any time.

6.5 Use of PIM devices

6.5.1 The use of the device must be conducted in compliance with the Authority’s health and safety policy.

6.5.2 The PIM device is only to be connected to the Authority email system remotely.

6.5.3 The PIM device or any storage media used with it is not to be connected to any non-Authority equipment.

6.5.4 The PIM device must be protected by a password that is compliant with the standard Authority password scheme.

6.5.7 All personal data stored on the PIM device or associated storage card must be encrypted.

6.5.8 Bluetooth will not be enabled on the PIM device by default. Bluetooth will be enabled on the device for use with a headset with a business case only.

6.5.9 The PIM device will not be enabled as a USB data storage device to prevent the transfer of data.

6.5.10 PIM devices will only be issued to staff who have undertaken an internal training session in their use within the Authority.

7 Remote Administration and Support by Third Parties

7.1 All Staff must be individually authorised.

7.2 Suppliers must name the individuals provided with access.

7.3 Each individual person must verify their identity.

7.4 To verify their identity, each named individual will register the answers to secure questions, which will be asked before activation.

7.5 Suppliers must only have support sessions activated by the ICT Service.


7.6 Suppliers must inform the ICT Service when the session has finished.

8 Methods of compliance with the controls

8.1 The ICT Service will provide procedures to control remote access which must be followed by all those using any method of remote access.

8.2 Members or Staff must initiate a security incident report if there is any actual or attempted remote access to the Authority corporate system that has not been approved, or may compromise a code of connection to a secure network.




