The next IT expert to offer insight for our “How to Rethink Remote Access” series is Evan Francen. Evan, an experienced Information Security leader, is a managing partner at FRSecure LLC. FRSecure is a full-service information security consulting company dedicated to information security education, awareness, application, and improvement. Evan shares his thoughts on remote access policy with us.
How would I go about creating my remote access policy?
1) Understand how the business uses remote access
2) Perform a simple risk assessment
3) Write a draft policy with input from management and business units
4) Edit the remote access policy until there is agreement and approval from senior management
What would I include?
Functionally, I would include Approval(s), Version History, Purpose, Audience, and Policy sections at a minimum.
- Approval(s) (Required) – If you expect people to do what the policy tells them to do, they need to know who’s telling them. Management approval gives the information security professional authority to carry out functional control.
- Version History (Required) – Information security policies need to be reviewed on a regular basis. A version history allows reviews and changes to be tracked.
- Purpose (Required) – A simple sentence or two that communicates why the policy exists.
- Audience (Required) – A sentence or two that communicates who must read and comply with the policy. Not all of your users will be remote access users, so not all users need to read the policy.
- Policy (Required) – The meat of the remote access policy. These are the rules that govern remote access. Each rule should be concise and cover a single aspect of your remote access protection.
How else do you plan on documenting and communicating management’s rules to manage the risks involved with remote access? I know you’re not supposed to answer a question with a question, but I couldn’t resist.
The approach you take to enforce your remote access policy is largely dependent upon the culture of your company. Enforcement = Compliance (sort of). Understand that 90% of your users will never read your policy, so you will probably need to be creative in how you approach employee compliance and use your policy as a reference document. Policy compliance is increased through a mix of communication, training, awareness, monitoring and corrections/sanctions.