What is a remote access policy and how do you develop it with ISO 27001?

Update 2022-03-11.

In this era of data-driven IT, managing and securing your data / information has become the most integral part of running your business. In the article below, we will take you through the best practices to consider for an ISO 27001-compliant remote access policy and effective implementation of information security controls.

A remote access policy is a document designed to protect the company’s network from external accessing it externally. It helps organizations secure corporate data and supervise users logging in from unsecured locations such as their home networks.

What is a remote access policy?

A remote access policy is a document designed to protect the company’s network from external access. This is a written file with guidelines for connecting to the company’s network from outside the office.

It helps organizations secure corporate data and supervise users logging in from unsecured locations such as their home networks.

Challenges for remote access policy controls

Teleworking, working while on a business trip or from your home, is becoming popular and vastly accepted by international companies due to many cost-saving factors and flexibility. Having access to your IT Infrastructure via various methods of remote access is as good as people sitting physically in your connected network and accessing your IT Infrastructure.

A study by one Switzerland-based service office provider says that 70% of people globally work remotely at least once a week, and so telecommuting is more popular than ever.

By implementing a teleworking control policy and supporting relevant security measures, the information accessed, processed, or stored at teleworking sites can be secured and protected.

To learn more about the information security controls in teleworking, read this article: How to apply information security controls in teleworking according to ISO 27001.


What to consider for your ISO 27001 remote access policy

Any entity or organization that allows teleworking must have a policy, an operational plan, and a procedure stating that the conditions and restrictions are in line with the applicable and allowed law. Here’s what should be taken into account for your ISO 27001 remote access policy:

  • The physical security of the teleworking site, including the building and its surrounding environment, is the first and very obvious issue to be looked into.
  • Users should never share their login or email password with anyone, not even family members.
  • Users should also be sure not to violate any of the organization’s policies, not to perform any activities that are illegal, and not to use the access for outside business interests while accessing the business network remotely.
  • As a part of your device configuration, unauthorized remote access and connections must be disabled.
  • A definition of the work, sensitivity, and classification of the information and the need for accessing the internal data or system must be justified.
  • Data transmitted during a remote access connection should be encrypted, and access must be authorized by multi-factor authentication. It should also prevent storage and processing of the accessed data.
  • The abilities of remote access users should be limited by allowing only certain operations to users, and there should be a policy for removal of authority and access, along with the return of equipment when the teleworking activities are terminated or no longer required.
  • Every connection must be logged in order to maintain the traceability in case of an incident. Unauthorized access to these logs must be taken care of. Tamper-proof logging of firewall and VPN devices enhances the reliability of the audit trail.
  • Not having split tunneling is a best practice, since users bypass gateway-level security that might be in place within the company infrastructure.
  • An acceptance and rejection policy in the firewall must be well-planned and configured.
  • The firewall operation mode should be configured as stateful rather than stateless, in order to have the complete logs.

Remote access policy: How to develop it according to ISO 27001

What is the purpose of an ISO 27001 remote access policy?

Remote access to your corporate IT infrastructure network is essential to the functioning of your business and the productivity of the working unit. There are external risks that must be mitigated to the best of your ability by designing a secure access policy and implementing ISO compliance controls. The purpose of the ISO 27001 remote access policy is to define and state the rules and requirements for accessing the company’s network. Rules must be defined to eliminate potential exposure due to unauthorized use, which could cause a loss of the company’s sensitive data and intellectual property, a dent in its public image, and the compromise of resources. Here are the guidelines for defining the rules to eliminate potential exposure due to unauthorized use:

  • Remote access must be secured and strictly controlled with encryption by using firewalls and secure 2FA Virtual Private Networks (VPNs).
  • If a bring your own device (BYOD) policy is applied by the company, the host device must meet the requirements as defined in the company’s software and hardware configuration policy and that of the organization-owned equipment for remote access.
  • Hosts that are used to connect to the company network must be fully patched and updated / pushed with the most up-to-date anti-virus / malware signature.
  • Split VPN should be avoided if the policy permits; i.e., users with remote access privileges must ensure that their organization-provided or personal device, which is remotely connected to the company’s network, shall not be simultaneously connected to another network.
  • The user should be completely responsible to ensure not to violate any of the organization’s policies, and that he does not perform illegal activities, and does not use the access for outside business interests while accessing the corporate network remotely.
  • Ensure that more than one device is configured in High Availability (HA) mode prevents you from relying on a single point of failure in the remote access of your network.

To learn more about handling access control, read this article: How to handle access control according to ISO 27001.

Why VPN? Is it secure?

In order to access your company’s private, internal network remotely from your host, you can use Virtual Private Network (VPN) connections. VPNs securely tunnel the data transmitted between the remote user and the company network, to ensure that the data and files you are sending are not accessible other than by the two parties.

Though VPNs are designed to securely access your organization’s network using encryption, other authentication measures and best practices must be followed to secure your data transmission in a better sense. Enhanced security, site-to-site tunneling, session restrictions, and multiple factor authentications are some of the advantages with VPN.

Avoid risks with security controls

Giving your employees the possibility to work from anywhere has myriad advantages, but measures of wariness need to be taken. This is why remote access to the organization’s network needs to be interpreted as a risk, and hence there is a need to have appropriate controls for it. Therefore, it should be allowed only in the cases where required and with adequate security controls required by ISO 27001.

To learn how to write teleworking and other security policies, see this free online training: ISO 27001:2013 Foundations Course.

Advisera Kishore Kumar
Author
Kishore Kumar
Kishore Kumar holds a Master’s degree in Information Systems, is certified in technologies like Microsoft, Sun, Oracle, and VMWare, and has 23 years of experience in Programming, Database Administration, Networking & Systems Administration, Data Center Implementation, ISO 27001 Information Security Management Systems, Information Technology Service Management Systems, Project Management for IT Applications & Infrastructure, Requirement Analysis, Infrastructure Building, Systems Administration, Database Design and Administration, IT Network Management, and ISMS Implementation. He is currently working as a CISO and IT Manager. He has attended many information security, auditing and IT management training courses.