Remote Access Policy/Proposed revision June 2014

From Wikimedia UK
Jump to navigation Jump to search
A newspaper This page is still a draft and is not finalised. Feel free to edit it.

Introduction

This policy defines the use of mobile computers and remote access within WMUK. It defines:

  1. The process that mobile computers must meet to leave the Office Environment. Both the device and any sensitive data should be password protected.
  2. How mobile computers and devices will be protected while outside the organizational network.
  3. The process that mobile computers must meet to enter the corporate network when being brought into a building owned by the organization.
  4. Controls related to removable media
  5. Remote access controls

Key Principles

  • This policy is designed both to protect the confidentiality of any data that may be stored on a mobile computer, or accessed remotely, and to protect the organizational equipment and other networks devices from being infected by any hostile software when the mobile computer returns.
  • This policy applies to all computing devices brought into the organization or connected to the organizational network using any connection method. This includes but is not limited to desktop computers, laptops, and palm pilots/tablets. It also covers personal devices used to access WMUK systems remotely.

Responsibility

  • The user of the mobile computer or remote access will accept responsibility for taking reasonable safety precautions with the mobile computer and/or access and agrees to adhere to this policy. The computer user will not be allowed to have administrative rights unless granted special exception by the network administrator.

Personal devices within WMUK Offices

  • Personal devices, belonging to staff or otherwise, must not be allowed access to the WMUK network without adequate security review. At minimum it must have:
  • Anti-Virus
  • Firewall
  • Regular updates
  • Access to WMUK networks by non-staff members should be adequately supervised, and the user made aware of the organisation's acceptable use policies.

Remote Access to WMUK Software via personal devices

  • Some WMUK software is web-based, meaning it can be accessed outside of the office.
  • The device user is responsible for adequate security of the personal device, including malware and other unauthorised access.
  • In addition the user is responsible for ensuring that any other individuals are not granted access to prohibited system (either by leaving the personal device accessible, or saving password details).
  • If private data is accessed via a web browser then the user is responsible for clearing the browser cache at the end of their session.

WMUK devices removed from the office

  • WMUK devices removed from the office must be considered untrusted upon their return, unless adequately monitored by a competent staff member during their time away.
  • Where this is the case staff or volunteers will have to liaise with the Office and Development Manager to ensure that equipment is professionally checked for malware, viruses or spyware, before re-connection to any office networks or systems.

Removable media

  • Removable media includes USB pen drives, CD's, DVD's and other forms of portable memory.
  • Sensitive data should not be stored on removable media. In cases where this is unavoidable the data must be encrypted (see Data Encryption Policy). Any unused data of this sort must be securely wiped (e.g. using the "wipe free space" feature of TrueCrypt or PGP).
  • Removable media brought into the office should be scanned for viruses before being connected to WMUK computers/infrastructure.
  • Removable media should be securely stored in the office, in line with the Clear Screen and Desk Policy. If removable media, containing sensitive data, must be used away from the office a record should be kept by the individual responsible of the purpose of removal and the data held on the media. A brief email to a line manager is acceptable and could be referred to in case of theft or loss.