Greater Saskatoon Catholic Schools
I.T. Remote Access Standards
It is often necessary to provide access to corporate information resources to employees or others working outside GSCS's network. While this can lead to productivity improvements, it can also create certain vulnerabilities if not implemented properly. The goal of this document is to provide the framework for secure remote access implementation.
This document defines standards for accessing corporate information technology resources from outside the network. This includes access for any reason from the employee's home, remote working locations, while traveling, etc. The purpose is to define how to protect information assets when using an insecure transmission medium.
The scope of these standards covers all employees, contractors, and external parties that access GSCS resources over a third-party network, whether such access is performed with GSCS-provided or non-GSCS-provided equipment.
4.1 Prohibited Actions
Remote access to corporate systems is only to
be offered through a GSCS-provided means of remote access in a secure
fashion. The following are specifically
· Installing a modem, router, or other remote access device inside the GSCS network
· Remotely accessing corporate systems with a remote desktop tool, such as VNC, Citrix, or GoToMyPC
· Use of non-GSCS-approved remote access software.
· Split Tunneling to connect to an insecure network in addition to the corporate network, or in order to bypass security restrictions.
4.2 Use of non-GSCS-provided Machines
Accessing the corporate network through home
or public machines can present a security risk, as GSCS cannot completely
control the security of the system accessing the network. Use of non-GSCS-provided machines to access
the corporate network is permitted as long as this policy is adhered to, and as
long as the machine meets the following criteria:
· It has up-to-date antivirus software installed
· Its software patch levels are current
· It is protected by a firewall
When accessing the network remotely, users must not store confidential information on home or public machines.
4.3 Client Software
GSCS will supply users with remote access software that allows for secure access and enforces the remote access policy. The software will provide traffic encryption in order to protect the data during transmission. The user is responsible for maintaining a secure system, free of viruses and backdoors.
4.4 Network Access
There are no restrictions on what information or network segments users can access when working remotely, however the level of access should not exceed the access a user receives when working in the office.
4.5 Idle Connections
Due to the security risks associated with remote network access, it is a good practice to dictate that idle connections be timed out periodically. Remote connections to GSCS's network must be timed out after 1 hour of inactivity.
This policy will be enforced by Superintendents of Education. Violations may result in disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment. Where illegal activities or theft of GSCS property (physical or intellectual) are suspected, GSCS may report such activities to the applicable authorities.
Modem-A hardware device that allows a computer to send and receive digital information over a telephone line.
Remote Access-The act of communicating with a computer or network from an off-site location. Often performed by home-based or traveling users to access documents, email, or other resources at a main site.
Split Tunneling-A method of accessing a local network and a public network, such as the Internet, using the same connection.
Timeout-A technique that drops or closes a connection after a certain period of inactivity.
Two Factor Authentication-A means of authenticating a user that utilizes two methods: something the user has, and something the user knows. Examples are smart cards, tokens, or biometrics, in combination with a password.
Revision 1.0, 8/9/2011
Revision 2.0, 8/13/2012