Remote Access and BYOD Policy
Remote Access Policy
What is Remote Access
Remote access refers to technology that allows users in separate physical locations to connect to the company's network and systems, typically over an internet connection. If not properly managed, remote access represents a security risk to Martian Marketing and, as such, it must be carefully controlled.
The purpose of this policy is to define rules and requirements for connecting to Martian Marketing’s network remotely. These rules and requirements are designed to minimise the potential exposure to Martian Marketing from damages that may result from unauthorised use of Martian Marketing resources. Damages include the loss of sensitive or company confidential data, intellectual property, damage to public image, damage to critical Martian Marketing internal systems and fines or other financial liabilities incurred as a result of those losses.
The policy covers all types of remote access, including:
- Travelling users (e.g. staff working across sites or temporarily based at other locations)
- Home workers
- Non-company staff (e.g. contractors and other third-party organisations)
- All other remote access means
The objectives of the company's policy on remote access by staff are:
- To provide secure and resilient remote access to the company’s information systems
- To preserve the integrity, availability and confidentiality of the company’s data and information systems
- To manage the risk of serious financial loss, a loss of client confidence or other serious business impact which may result from a failure in security
- To comply with all relevant regulatory and legislative requirements (including data protection laws) and to ensure that the company is adequately protected under computer misuse legislation
Responsibilities
- Martian Marketing is ultimately responsible for ensuring that remote access by staff is managed securely
- The company will maintain policy, standards and procedures for remote access to ensure that risks are identified and appropriate controls implemented to reduce those risks
- The company is responsible for confirming whether remote access to business applications and systems is permitted
- The IT Security Manager is responsible for defining the process for authorising all remote access users and the level of access provided
- The IT Security Manager is responsible for defining the process to ensure that user profiles and logical access controls are implemented in accordance with agreed access levels
- The IT Security Manager will provide guidance and approval of controls
- The IT Security Manager is responsible for assessing risks and ensuring that controls are being applied effectively
- All remote access users are responsible for complying with this policy and associated standards. They must safeguard company equipment and information resources and notify the IT Security Manager immediately of any security incidents and breaches
- Users must return all relevant equipment when their need for remote access ends
The company recognises that by providing staff with remote access to information systems, risks are introduced that may result in serious business impact, for example:
- Unavailability of network, systems or target information
- Degraded performance of remote connections
- Loss or corruption of sensitive data
- Breach of confidentiality
- Loss of or damage to equipment
- Breach of legislation or non-compliance with regulatory or ethical standards
The security architecture is typically integrated into the existing company network and is dependent on the IT services that are offered through the network infrastructure. These security measures may include, but are not limited to:
- Password authentication, authorisation and accounting in accordance with the Information Security Policy of the company
- Strong authentication
- Security monitoring by intrusion detection and other related systems
- Conducting reviews of existing infrastructure where required
All remote users must be registered and authorised by the Data Controller. User identity will be confirmed by user ID and strong password authentication. The Data Controller is responsible for ensuring that a log is kept of all remote access by users.
The Data Controller or IT Security Manager will be responsible for ensuring that perimeter security devices are in place and operating normally. Perimeter security solutions control access to critical network applications, data and services, so that only legitimate users and traffic can pass into the network. Complementary tools, including virus scanners and content filters, also help control the network perimeter. Firewalls are generally the first security products that organisations deploy to improve their security posture.
The company will protect confidential information from loss, theft, corruption, eavesdropping or tampering during transmission.
Network vulnerability scanners and other appropriate technology will be used to identify areas of weakness, and intrusion detection systems will monitor, and respond to, security events as they occur.
System Change Control
All changes to systems must be recorded on a system change control form and authorised by the IT Security Manager.
Reporting Security Incidents & Weaknesses
All security weaknesses and incidents must be reported to the IT Security Manager.
Guidelines and training
The IT Security Manager will produce written guidance and training materials for all remote access users. Training will be provided to all users as necessary.
Bring Your Own Device Policy
This policy sets out the standards and rules of behaviour for the use of personally owned smartphones, tablets and other devices by Martian Marketing employees who access Martian Marketing's systems, websites and social media sites. Access to and continued use of these services is granted on condition that each user reads, signs, respects and follows the Martian Marketing policies concerning the use of these devices and services.
Expectation of Privacy
Martian Marketing will respect the privacy of your personal device and will only request access to the device as required to implement the security controls outlined below, or to respond to legitimate discovery requests arising out of administrative, civil or criminal proceedings (applicable only if the user downloads company email, attachments or documents to their personal device). This differs from the policy for company-provided equipment and services, where employees have neither the right to, nor should they have any expectation of, privacy while using company equipment or services.
In order to allow employees to access Martian Marketing resources on their own devices, it is important that these devices are secure. Certain rules are in place to ensure this. These include:
- Users will not download or transfer sensitive business data to their personal devices
- Users will password protect their devices in accordance with the Information Security Policy and any other password policies in place
- Users will agree to maintain the device's original operating system and to keep the device current with security patches and updates as released by the manufacturer
- Users will not "jailbreak" their devices (install software that allows the user to bypass the standard built-in security features and controls)
- Users will agree that the device will not be shared with other individuals or family members, because the device is used for business purposes (e.g. it may have access to company email)
- Users will agree to delete any sensitive business files that may be inadvertently downloaded and stored on the device while viewing email attachments
While the company will take every precaution to prevent the employee's personal data from being lost in the event that it must remotely wipe a device, it is the employee's responsibility to take additional precautions, such as backing up email, apps, content and contacts. In addition:
- The company reserves the right to disconnect devices or disable services without notification
- Lost or stolen devices must be reported to the company within 24 hours. Employees are responsible for notifying their mobile carrier immediately upon loss of a device
- The employee is expected to use his or her devices in an ethical manner at all times and to adhere to the company's Acceptable Use Policy
- The employee is personally liable for all costs associated with his or her device
- The employee assumes full liability for risks including, but not limited to, the partial or complete loss of company and personal data due to an operating system crash, errors, bugs, viruses, malware, and/or other software or hardware failures or programming errors that render the device unusable
- The company reserves the right to take appropriate disciplinary action up to and including termination for non-compliance with this policy
- Where the device is used to capture audio, video, or photos, the employee must respect the rights of all data subjects as defined under the GDPR, in particular considering the need to have the consent of the data subject to capture, store, or process these images
- It is the employee's responsibility to understand and abide by the GDPR and other applicable regulations
To this end, Martian Marketing should ensure that all users sign an appropriate agreement.
Example Suggested Text For User Agreement
It is the right of Martian Marketing to restrict or rescind computing privileges, or to take other administrative or legal action, for failure to comply with the above-referenced policy and rules of behaviour. Violation of these rules may be grounds for disciplinary action up to and including removal. I acknowledge, understand and will comply with the above-referenced security policy and rules of behaviour, as applicable to my BYOD usage of Martian Marketing services. I understand that the addition of company-provided third-party software may decrease the available memory or storage on my personal device, and that Martian Marketing is not responsible for any loss or theft of, damage to, or failure in the device that may result from the use of third-party software and/or the use of the device to access company sites, data or other services.
I understand that contacting vendors for troubleshooting and support of third-party software is my responsibility, with limited configuration support and advice provided by Martian Marketing. I understand that business use may result in increases to my personal monthly usage costs. I further understand that company reimbursement of any business-related data/voice plan usage of my personal device is not provided. Should I later decide to discontinue my participation in the BYOD programme, I will allow the company to remove and disable any company-provided third-party software and services from my personal device.
I understand it is my responsibility to understand the requirements of and abide by all applicable regulations including the GDPR and other Data Protection regulations.
%NAME OF EMPLOYEE%
BYOD device(s): %BYOD PRODUCT NAME%
Services to be used: %SERVICES TO BE USED%
Antivirus and other security software: %ANTIVIRUS AND SECURITY SOFTWARE%
Validity Of This Policy
This policy should be reviewed regularly under the authority of the Appropriate Manager. Associated information and security standards should be subject to an ongoing development and review programme.
End of document.