Greater Saskatoon Catholic Schools

I.T. Remote Access Standards

 

1.0 Overview

It is often necessary to provide access to corporate information resources to employees or others working outside GSCS's network. While this can lead to productivity improvements, it can also create certain vulnerabilities if not implemented properly. The goal of this document is to provide the framework for secure remote access implementation.


2.0 Purpose

This document defines standards for accessing corporate information technology resources from outside the network. This includes access for any reason from the employee's home, remote working locations, while traveling, etc. The purpose is to define how to protect information assets when using an insecure transmission medium.


3.0 Scope

The scope of these standards covers all employees, contractors, and external parties that access GSCS resources over a third-party network, whether such access is performed with GSCS-provided or non-GSCS-provided equipment.


4.0 Policy

 

4.1 Prohibited Actions

Remote access to corporate systems is only to be offered through a GSCS-provided means of remote access in a secure fashion. The following are specifically prohibited:

         Installing a modem, router, or other remote access device inside the GSCS network

         Remotely accessing corporate systems with a remote desktop tool, such as VNC, Citrix, or GoToMyPC

         Use of non-GSCS-approved remote access software.

         Split Tunneling to connect to an insecure network in addition to the corporate network, or in order to bypass security restrictions.


4.2 Use of non-GSCS-provided Machines

Accessing the corporate network through home or public machines can present a security risk, as GSCS cannot completely control the security of the system accessing the network. Use of non-GSCS-provided machines to access the corporate network is permitted as long as this policy is adhered to, and as long as the machine meets the following criteria:


         It has up-to-date antivirus software installed

         Its software patch levels are current

         It is protected by a firewall

 

When accessing the network remotely, users must not store confidential information on home or public machines.


4.3 Client Software

GSCS will supply users with remote access software that allows for secure access and enforces the remote access policy. The software will provide traffic encryption in order to protect the data during transmission. The user is responsible for maintaining a secure system, free of viruses and backdoors.


4.4 Network Access

There are no restrictions on what information or network segments users can access when working remotely, however the level of access should not exceed the access a user receives when working in the office.


4.5 Idle Connections

Due to the security risks associated with remote network access, it is a good practice to dictate that idle connections be timed out periodically. Remote connections to GSCS's network must be timed out after 1 hour of inactivity.



5.0 Enforcement

This policy will be enforced by Superintendents of Education. Violations may result in disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment. Where illegal activities or theft of GSCS property (physical or intellectual) are suspected, GSCS may report such activities to the applicable authorities.


6.0 Definitions

Modem-A hardware device that allows a computer to send and receive digital information over a telephone line.

Remote Access-The act of communicating with a computer or network from an off-site location. Often performed by home-based or traveling users to access documents, email, or other resources at a main site.

Split Tunneling-A method of accessing a local network and a public network, such as the Internet, using the same connection.

Timeout-A technique that drops or closes a connection after a certain period of inactivity.

Two Factor Authentication-A means of authenticating a user that utilizes two methods: something the user has, and something the user knows. Examples are smart cards, tokens, or biometrics, in combination with a password.

7.0 Revision History

Revision 1.0, 8/9/2011

Revision 2.0, 8/13/2012