Best Practices for ISO 27001-Compliant Remote Access Policy
Managing and securing your data has become critical in the data-driven IT era. This guide will walk you through best practices for an ISO 27001-compliant remote access policy and effective implementation of information security controls.
What is a Remote Access Policy?
A remote access policy is a document designed to protect a company’s network from unauthorized external access. It provides guidelines for connecting to the network from outside the office, securing corporate data, and supervising users who log in from unsecured locations such as home networks.
Challenges for Remote Access Policy Controls
Teleworking, whether from home or while on business trips, is popular because it saves cost and offers flexibility. Users who access IT infrastructure remotely expect the same access they would have from within the office network, which is why the same protections must apply. A study indicates 70% of people globally work remotely at least once a week, making telecommuting more popular than ever.
Implementing a teleworking control policy and supporting security measures helps secure and protect information accessed, processed, or stored at teleworking sites.
Considerations for ISO 27001 Remote Access Policy
Physical Security: Ensure the teleworking site’s security, including the building and surrounding environment.
Password Protection: Users should never share their login or email passwords with anyone, including family members.
Policy Adherence: Users must not violate organizational policies, perform illegal activities, or use access for outside business interests.
Device Configuration: Disable unauthorized remote access and connections.
Information Sensitivity: Define the work, sensitivity, classification, and justification for accessing internal data or systems.
Data Encryption: Encrypt data transmitted during remote access and authorize access with multi-factor authentication.
Access Limitation: Restrict remote access abilities to certain operations, and have policies for removing access and returning equipment when teleworking ends.
Connection Logging: Log every connection to maintain traceability in case of an incident and protect logs from unauthorized access.
No Split Tunneling: Avoid split tunneling to ensure users do not bypass gateway-level security.
Firewall Policies: Plan and configure acceptance and rejection policies in the firewall. Use stateful rather than stateless operation mode, since a stateful firewall tracks each connection and therefore produces complete session logs.
Purpose of an ISO 27001 Remote Access Policy
Remote access is vital for business functionality and productivity. However, external risks must be mitigated by designing a secure access policy and implementing ISO compliance controls. The purpose is to define rules and requirements for accessing the network, eliminating potential exposure to unauthorized use. This prevents data loss, intellectual property compromise, and harm to the company’s public image.
Key Guidelines for Eliminating Potential Exposure:
Secure and control remote access with encryption, firewalls, and Virtual Private Networks (VPNs) protected by two-factor authentication (2FA).
For BYOD policies, ensure host devices meet company configuration requirements.
Keep host devices fully patched and updated with the latest anti-virus/malware signatures.
Avoid split tunneling; ensure devices connected to the company’s network are not connected to another network simultaneously.
Users must not violate policies, perform illegal activities, or use access for outside business interests.
Configure remote access devices in High Availability (HA) mode so that no single gateway becomes a single point of failure.
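Several of the considerations above (multi-factor authentication, no split tunneling, patched hosts with current anti-malware signatures, BYOD devices meeting configuration requirements, and logging every connection) can be verified after the fact by auditing the VPN gateway's connection log. The script below is an added example, not code from the original article or from any particular VPN product: it parses a constructed key=value log format (the field names, the sample users and addresses, and the 7-day signature-age threshold are all assumptions for illustration) and reports, per session, which policy requirements were not met.

```python
"""Audit VPN session logs against a remote access policy.

Added example; not from the original article. The log format, field names
and policy threshold below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed VPN gateway log lines (hypothetical key=value format).
SAMPLE_LOG = """\
2024-03-04T08:12:31Z session=start user=alice src=203.0.113.10 mfa=ok split_tunnel=off device=managed os_patch=current av_sig_age=1
2024-03-04T08:15:02Z session=start user=bob src=198.51.100.7 mfa=ok split_tunnel=on device=managed os_patch=current av_sig_age=2
2024-03-04T09:40:55Z session=start user=carol src=192.0.2.44 mfa=none split_tunnel=off device=byod os_patch=stale av_sig_age=21
2024-03-04T10:02:13Z session=start user=dave src=203.0.113.99 mfa=ok split_tunnel=off device=byod os_patch=current av_sig_age=3
"""

# Assumed policy threshold: anti-malware signatures older than this are non-compliant.
MAX_AV_SIG_AGE_DAYS = 7

FIELD_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Session:
    timestamp: str
    fields: dict


def parse_log(text):
    """Split each log line into a timestamp and a dict of key=value fields."""
    sessions = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        timestamp, _, rest = line.partition(" ")
        fields = dict(FIELD_RE.findall(rest))
        sessions.append(Session(timestamp, fields))
    return sessions


def check_session(s):
    """Return the list of policy violations for one session (empty = compliant)."""
    f = s.fields
    violations = []
    if f.get("mfa") != "ok":
        violations.append("no multi-factor authentication")
    if f.get("split_tunnel") != "off":
        violations.append("split tunneling enabled")
    if f.get("os_patch") != "current":
        violations.append("host not fully patched")
    try:
        age = int(f.get("av_sig_age", "999"))
    except ValueError:
        age = 999  # unparseable value is treated as non-compliant
    if age > MAX_AV_SIG_AGE_DAYS:
        violations.append(f"anti-malware signatures {age} days old")
    return violations


def audit(text):
    """Map each session (keyed by timestamp and user) to its violations."""
    report = {}
    for s in parse_log(text):
        key = f"{s.timestamp} {s.fields.get('user', '?')}"
        report[key] = check_session(s)
    return report


if __name__ == "__main__":
    for key, issues in audit(SAMPLE_LOG).items():
        status = "OK" if not issues else "VIOLATION: " + "; ".join(issues)
        print(f"{key}: {status}")
```

Note that the BYOD session for dave passes because the device meets the configuration requirements, while carol's BYOD session fails on three counts. In practice the report keyed by timestamp and user is what gives the traceability the Connection Logging consideration asks for, so the log file itself should be write-protected and read-restricted.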
Why VPN? Is it Secure?
VPNs securely tunnel data between the remote user and the company network, ensuring transmitted data is readable only by the two endpoints. VPNs use encryption and authentication to protect data in transit, offering advantages such as enhanced security, site-to-site tunneling, session restrictions, and multi-factor authentication.
Avoid Risks with Security Controls
Allowing employees to work from anywhere has advantages, but caution is necessary. Remote access should be treated as a risk that requires appropriate controls. Allow it only when necessary and with the security controls required by ISO 27001.
By implementing these best practices, you can ensure your remote access policy is ISO 27001-compliant, securing your corporate data and maintaining robust information security controls.