
1. Issue Control

1.1. Changes Approval
This document is an approved policy by <COMPANY> senior management. This file shall be viewed and printed by authorised personnel only. Any changes to the policy shall be agreed upon with and approved by the Information Security Manager at <COMPANY>.

2. Purpose
The purpose of this policy is to establish the rules that govern tele-working activities and access to <COMPANY> networks and systems, from remote locations. This policy helps reduce the risks associated with such activities.

3. Scope
This policy applies to all users of information assets including temporary or permanent <COMPANY> employees, customers, consultants, vendors, business partners and contractors’ personnel and functional units regardless of geographic location. This policy covers all information systems environments operated by <COMPANY> or contracted with a third party by <COMPANY>.

4. Policy Statement
• A formal management approval shall be obtained (as per relevant procedures) and all the appropriate security controls shall be in place, before remote access rights are authorised.
• Remote access shall only be authorised when there’s a proven business need. Only minimum privileges that are strictly required should be granted.
• Remote access should be granted for a defined period of time that does not exceed one year. Business unit managers are responsible for reviewing remote access privileges as per the “Access Privilege Review Procedure”.
• All remote access sessions shall be authenticated through a secure and approved authentication protocol. Authentication protocols that send clear text credentials or use weak cryptographic algorithms shall never be used.
• When teleworking activities are completed, revocation of access rights and the return of equipment must be done immediately.


• If remote access ceases to be needed before the defined expiry date, users shall follow the “Revocation and Modification of Remote Access Procedure” to have their access revoked.
• Only approved remote access software should be used to connect to <COMPANY> networks and systems.
• The use of privately owned computing equipment, without explicit permission from management, is strictly prohibited.
• Access credentials (usernames, passwords, PINs or access tokens) shall be kept secret and never be shared with others. Furthermore, users shall not use the automatic login (automatic storage of username and password) feature for remote access.
• Mobile computing equipment carrying confidential or secret business information, or used to remotely access <COMPANY> networks shall not be left unattended.
• An accurate and up to date record of all teleworking activities shall be maintained.
• Information Security Manager shall ensure that <COMPANY> management and staff are aware of remote access risks.

5. Policy Structure

5.1. Responsibilities

Information Security Department
• Define and maintain the information security policy and the supporting policies.
• Coordinate the information security efforts of all departments that have one or more information security-related responsibilities, to ensure that organization-wide information security efforts are consistent across the group.
• Conduct and maintain Risk Assessment [...] their potential impact on the business and how to best eliminate or reduce them.
• Manage the security awareness program.

IT Department
• Design, implement and operate <COMPANY>’s networks and information systems according to the mandates of this policy.

• Design, implement and operate <COMPANY>’s technical security controls and solutions.
• Monitor and handle incidents related to information security in <COMPANY>.

Information Owners
• Information owners are responsible for the protection of the information they “own”.
• Evaluate and either approve or disapprove remote access requests.

5.2. Compliance
Compliance with this policy is mandatory. <COMPANY> directors and managers shall ensure continuous compliance monitoring within their respective business units. Compliance with the statements of this policy is a matter of periodic review by Internal Audit Department. Any violation of the policy shall result in corrective, possibly including punitive, actions by the management.