Remote Access and Mobile Working Policy & Guidance

COMMERCIALISM INTEGRITY STEWARDSHIP

Document Control

Document Details
Author: Adrian Last
Company Name: The Crown Estate
Division Name: Information Services
Document Name: Remote Access and Mobile Working Policy
Version Date: 11/08/11
Effective Date: 1 November 2012
Issue: THREE
Review Date: October 2013

May 2007

Change Record
Modified Date | Author | Version | Description of Changes
12/05/2010 | Clare Kelly | 1.1 | Incorporates amendments by TB, CK and NS
04/05/2011 | R McCaughan | 1.2 | Incorporated VPN policy
06/07/2011 | S Smith | 1.3 | Review on behalf of Service Desk
09/08/2011 | S Smith | 1.4 | References made to Edge and Direct Access
15/10/2012 | S Smith | 1.5 | Removed references solely to Smartphones and replaced with mobile devices. Add statement for Apple’s Common Criteria Certification Security Statement
17/10/2012 | A R Last | 1.6 | Annual review

Stakeholder Sign-off
Name | Position | Signature | Date
Nigel Spencer | Information Services Manager | | July 2011
Clare Kelly | IT Support Manager | | July 2011
Nigel Spencer | Head of IS | | October 2012

Security Sign-off
Name | Position | Signature | Date
Adrian Last | Business Support Manager | | August 2011
Adrian Last | ISMS Manager | | October 2012

Table of Contents
1. Purpose
2. Scope
3. Policy
3.1. Policy Statement
3.2. Policy Objectives
3.3. Policy Overview
3.4. Policy Maintenance
4. Policy Requirements
4.1. General
4.2. Documentation and Data
4.3. Working Remotely
4.4. General Rules & Principles of Virtual Private Networks (VPNs)
4.5. Telephone
4.6. Direct Access
4.7. Edge devices (Homeworker solution)
4.8. Reporting Security Incidents
4.9. Business Continuity
4.10. User Awareness
5. Disciplinary Process
6. Deviations from Policy
7. Glossary of Terms
Appendix A – List of related documents, procedures and processes

1. Purpose

The purpose of this policy is to protect the confidentiality, integrity and availability of The Crown Estate’s information by controlling remote access to its IT systems and to define standards for connecting to The Crown Estate’s network from any host.

2. Scope

The scope of this policy applies to:
• The Crown Estate’s personnel, temporary staff, contractors and service providers utilising The Crown Estate’s information system resources from a remote location;
• Information system resources, including data networks, LAN servers and personal computers (stand-alone or network-enabled) located on The Crown Estate and non-Crown Estate locations, where these systems are under the jurisdiction and/or ownership of The Crown Estate, and any personal computers and/or servers authorised to access The Crown Estate’s data networks. Third parties shall also adhere to this policy; and
• Remote access connections used to do work on behalf of The Crown Estate, including reading and sending email and viewing intranet web resources from all types of equipment.

3. Policy

3.1. Policy Statement

The Crown Estate’s information system resources are assets important to The Crown Estate’s business and stakeholders, and its dependency on these assets demands that appropriate levels of information security be instituted and maintained. It is The Crown Estate’s policy that appropriate remote access control measures are implemented to protect its information system resources against accidental or malicious destruction, damage, modification or disclosure, and to maintain appropriate levels of confidentiality, integrity and availability of such information system resources.

3.2. Policy Objectives

The objectives of this policy with regard to the protection of information system resources against unauthorised access from remote locations are to:
• Minimise the threat of accidental, unauthorised or inappropriate access to either electronic or paper-based information owned by The Crown Estate or temporarily entrusted to it;
• Minimise The Crown Estate’s network exposure, which may result in a compromise of network integrity, availability and confidentiality of information system resources; and
• Minimise reputation exposure, which may result in loss, disclosure or corruption of sensitive information and breach of confidentiality.

3.3. Policy Overview

The Crown Estate information system resources are important business assets that are vulnerable to access by unauthorised individuals or unauthorised remote electronic processes. Sufficient precautions are required to prevent and detect unwanted access from unauthorised users in remote locations. Users should be made aware of the dangers of unauthorised remote access, and managers should, where appropriate, introduce special controls to detect or prevent such access.

3.4. Policy Maintenance

Supporting standards, guidelines and procedures will be issued on an ongoing basis by The Crown Estate. Users will be informed of any subsequent changes or updated versions of such standards, guidelines and procedures by way of e-mail or other relevant communication media. Users shall then have the obligation to obtain the current information systems policies from The Crown Estate intranet (i-site) or other relevant communication media on an ongoing basis and accept the terms and conditions contained therein.

4. Policy Requirements

The Crown Estate’s information system resources shall be appropriately protected to prevent unauthorised remote access.

4.1. General

• It is the responsibility of The Crown Estate’s employees, contractors, vendors and agents with remote access privileges to The Crown Estate’s corporate network to ensure that their remote access connection is given the same consideration as their on-site connection to The Crown Estate.
• IT equipment provided to the employee to support working from home is for the exclusive use of that employee alone.
• The only permitted remote access methods for non-Crown Estate computers are terminal services, The Crown Estate Extranet, or the Guest Wireless Network when at one of The Crown Estate offices offering that facility.
• Mobile devices, e.g. BlackBerrys, smartphones, iPhones and iPads, are managed and supported by The Crown Estate IT Service Desk.
• Users are permitted to connect their personal mobile devices to The Crown Estate email system. However, the IT Service Desk will only provide support for this method of connection on a goodwill basis. Furthermore, it is the responsibility of the user to ensure that their personal mobile device is protected by a password. If that device is lost or stolen, it is the responsibility of the user to advise their mobile provider and arrange for the device to be removed from the service. If the IT Service Desk believes that access to The Crown Estate email systems is occurring without adequate security provisions, this facility will be withdrawn immediately and a request for the mobile device to be wiped will be issued.
• The use of external email accounts (e.g. Hotmail, Yahoo, AOL) or other external resources to conduct The Crown Estate business is forbidden.
• The ISMS Committee will be the final arbiter for methods of connection to The Crown Estate corporate IT network.

4.2. Documentation and Data

• All sensitive and business-critical documentation belonging to The Crown Estate and being used at a remote location must be securely stored and not displayed in a manner which allows its content to be viewed by unauthorised persons.
• Data and documents belonging to The Crown Estate must not be stored on personal equipment unless permission from the Line Manager has been obtained. Any data stored on personal equipment must be encrypted, using advice obtained from the IT Service Desk.
• iPhones and iPads are managed and supported using Apple’s “Common Criteria Certification” Security Statement.

4.3. Working Remotely

• Employees wishing to work away from the office occasionally must secure the agreement of their Line Manager prior to the actual date of working remotely. When approving requests, Line Managers are responsible for ensuring that there is a clear business requirement for the employee to undertake work remotely rather than attending the office.
• Retrospective requests will not normally be agreed, and any absence may be considered as unauthorised, which may lead to disciplinary action being taken.
• Employees wishing to work from their own equipment should ensure that their hardware and software configuration complies with The Crown Estate’s minimum requirements. This check should be done before the date on which they have booked to work remotely, so that any necessary patches or updates can be implemented. See Remote Access Via Terminal Services User Guide on I-Site. It is the responsibility of the user to ensure their own equipment is patched accordingly. The IT Service Desk will advise the user only on suggested actions; it will not action any changes to non-Crown Estate equipment.
• Subject to line management approval and hardware availability, a laptop or other equipment may be provided if the employee intends to work remotely on a more frequent basis.
• The Crown Estate will retain ownership of the equipment and will also insure and maintain the equipment.
• The employee must take good care of the equipment and ensure that it is used in accordance with The Crown Estate’s full range of policies.
• Alternatively, the employee has access to pool laptops which, subject to availability, can be used when required.
• When working in a public area, for instance on a train, the employee must take all reasonable steps to ensure that The Crown Estate’s information remains confidential and secure. The employee must ensure that any documents or laptop screens are, as much as possible, not readily visible to members of the public.

4.4. General Rules & Principles of Virtual Private Networks (VPNs)

• It is the responsibility of employees with VPN privileges to ensure that unauthorised users are not allowed access to The Crown Estate internal networks.
• VPN use is to be controlled using either one-time password authentication, such as a token device, or a public/private key system with a strong passphrase.
• When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the VPN tunnel; all other traffic will be dropped.
• Dual (split) tunnelling is NOT permitted; only one network connection is allowed.
• VPN gateways will be set up and managed by The Crown Estate network operational groups.
• All computers connected to The Crown Estate internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard (provide URL to this software); this includes personal computers.
• VPN users will be automatically disconnected from The Crown Estate’s network after thirty minutes of inactivity. The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
• Users of computers that are not The Crown Estate-owned equipment must configure the equipment to comply with The Crown Estate’s network-related policies.
• Only Crown Estate-approved VPN clients may be used.
• By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of The Crown Estate’s network, and as such are subject to the same rules and regulations that apply to The Crown Estate-owned equipment, i.e. their machines must be configured to comply with The Crown Estate’s information security policies.

4.5. Telephone

• The Crown Estate will provide external access to voicemail (via Outlook Web Access via the extranet), which the employee will be required to check on a regular basis when working away from the office.
• Any application for a mobile phone will need to be agreed by the employee’s Line Manager and reviewed by the IT Service Desk on a case-by-case basis.

4.6. Direct Access

• The Crown Estate will provide external access to members of the business who use a laptop via the Microsoft “Direct Access” method.
• See 4.4 “General Rules & Principles of Virtual Private Networks (VPNs)” for expectations and responsibilities.

4.7. Edge devices (Homeworker solution)

• Where The Crown Estate exceptionally provides a full Homeworker solution, it is expected that all equipment provided will be used solely for work on behalf of The Crown Estate.
• See 4.4 “General Rules & Principles of Virtual Private Networks (VPNs)”.
• Management and HR approval is required for the above solution.

4.8. Reporting Security Incidents

All security incidents, including actual or potential unauthorised access to The Crown Estate’s information systems via remote access, should be reported immediately to the ISMS Manager or Head of IS.

4.9. Business Continuity

Business continuity plans may include provision for working from home or other remote locations in the event of The Crown Estate’s corporate headquarters or other premises being unavailable for a significant period of time.

4.10. User Awareness

Users commencing remote working will be made aware by their Line Manager of this policy and all its provisions.

5. Disciplinary Process

The Crown Estate reserves the right to audit compliance with this policy from time to time. Any disciplinary action arising from breach of this policy shall be taken in accordance with The Crown Estate’s Rules and Disciplinary Code as amended from time to time. Disciplinary action may ultimately lead to dismissal.

6. Deviations from Policy

Unless specifically approved, any deviation from this policy is strictly prohibited. Any deviation from or non-compliance with this policy will be reported to the ISMS Manager & Head of IS.

7. Glossary of Terms

The terms used in this policy document are to be found in the ISMS Glossary of Terms. In particular, “Remote Access and Mobile Working” is defined as the means of using The Crown Estate’s electronic information resources from a remote location in a way which ensures that they are available only to persons authorised to view or process that information in accordance with predetermined rules.