Remote Access to the ACT Government ICT Environment Policy

UNCLASSIFIED
ICT Document No. WhoG-122
Remote Access to the ACT Government Information and Communications Technology (ICT) Environment Policy
Version 1.3
September 2014
Approved by Executive Director, Shared Services ICT
September 2014
Shared Services ICT
Quality Management System
Security Management
Contents
Purpose
Scope
Introduction
Policy
  1. Access
    1.1 Individual ACT Government employees
    1.2 Remote sites
    1.3 Trusted third parties/vendors
  2. Approval process
  3. Dispute resolution
  4. Security
  5. Monitoring and logging
  6. Use of non-Shared Services ICT equipment
  7. Support arrangements
    7.1 Technical support
  8. Documentation
  9. Evaluation measures
Associated Documents
Roles and Responsibilities
Compliance
Contact Officer
Appendix A
  Glossary
  Metadata
  Amendment history
Date issued: September 2014
Version: 1.3
Purpose
The intention of this policy is to ensure that the provision and use of remote access to
the ACT Government ICT Environment is appropriately managed.
Scope
This policy:
• supplements the provisions of the ICT Security Policy
• references the Acceptable Use of ICT Resources Policy
• applies to all ACT Government Directorates, including contracted service providers
• applies to all ICT resources (see definitions below) and electronic information held on those assets.
This policy does not address any human resource or personnel management issues
associated with remote access. Information on these issues can be found in the Public
Sector Management Best Practice Note 6.3 Management: Home Based Work and from
the Directorate Personnel section.
Introduction
This policy is consistent with and must be implemented in accordance with the:
• ACT Government Purchasing Policy and Principles Guidelines
• Public Sector Management Best Practice Note 6.3 Management: Home Based Work
• ACT Government policies, guidelines and standards, in particular the:
  o ICT Security Policy and
  o Acceptable Use of ICT Resources Policy
• processes and procedures prepared by Shared Services ICT
• Directorate policies and guidelines in relation to particular ICT resources.
Policy
1. Access
Remote access can be granted to the ICT environment as follows:
1.1 Individual ACT Government employees
A default level of access will be provided to a minimum subset of systems, e.g. to access
Microsoft Office applications, Outlook email and calendar and the file servers (G, H and W
drives).
Business Applications requests for remote access will be assessed on a case by case
basis. Remote access will only be permitted where access controls can be implemented
that are appropriate to address any identified threats and risks.
1.2 Remote sites
For sites where a permanent WAN connection may not be viable or appropriate, requests
for remote access to the ICT environment will be assessed on a case by case basis.
Remote access by remote sites must be:
• controlled
• for time periods mutually agreeable to the directorate/business unit and Shared Services ICT
• configured so that work is performed with the minimum level of permissions.
1.3 Trusted third parties/vendors
Requests for remote access to the ICT environment by trusted third parties/vendors will
be assessed on a case by case basis where a demonstrated business need exists.
Remote access by trusted third parties/vendors must be:
• Controlled. The default remote access for trusted third parties/vendors must be for specific limited access, not for open access
• for time periods mutually agreeable to the Directorate, Shared Services ICT and the trusted third party/vendor
• contractually based, legally enforceable and in accordance with established ACT Government business processes
• approved by Shared Services ICT where the access, or work to be undertaken, affects the ICT environment domain
• configured so that the minimum level of permissions is granted for access to components and sub systems (e.g. database, file systems, applications) and work is performed with the minimum level of permissions
• Documented in the System Security Plan.
2. Approval process
Approval is subject to:
• a demonstrated business need
• the availability of an appropriate technical solution
• a threat and risk assessment together with risk mitigation strategies agreed to by all stakeholders
• the completion of a Clearance and Approval Form
• any persons or parties receiving remote access signing a remote access acceptance agreement
• contractually based and legally enforceable arrangements are made with trusted third parties/vendors where appropriate
• All FORMS are signed with copies provided to Shared Services ICT Security PRIOR to the provision of the service.
3. Dispute resolution
Where any involved parties (including Shared Services ICT) are unable to reach
agreement, they may seek mediation by the Whole-of-Government IM/ICT Committee.
4. Security
Remote access to the ICT environment must not compromise the security or integrity of
the ICT environment; an ICT resource; or any information residing on an ICT resource in
accordance with the provisions of the ICT Security Policy. Refer to paragraph 2 above.
5. Monitoring and logging
All remote access activities are monitored and logged in accordance with the provisions
of the ICT Security Policy and the Acceptable Use of ICT Resources Policy and in
compliance with the ACT Workplace Privacy Act.
6. Use of non-Shared Services ICT equipment
Connections to ACTGOV should be initiated from computer hardware that is under the
control or ownership of the individual or Directorate authorised to access the service.
Where agencies allow the use of non-Shared Services ICT computers for remote access,
Directorates must notify users:
• about issues of security, taxation, protection of network and occupational health and safety as detailed in the Public Sector Management Best Practice Note 6.3 Management: Home Based Work, and
• that the ACT Government will not accept any liability for damage or failure to privately owned equipment used for remote access.
7. Support arrangements
7.1 Technical support
Shared Services ICT will:
• develop the ACT Government Remote Access Standard
• develop, support and maintain the approved remote access solutions and associated infrastructure
• negotiate service level agreements and other support agreements with agencies specifying services, technical requirements and fees applicable to the remote access arrangements.
8. Documentation
The documentation required to assist users of remote access services includes:
• user documentation developed and documented by Shared Services ICT
• a remote access acceptance agreement
• an acceptable use statement
• confidentiality and non-disclosure agreements for ALL 3rd party staff or at contract level whichever is appropriate
• Police records checks for all 3rd party personnel accessing systems that are deployed in an education environment involving minors.
The documentation required to assist directorates apply for remote access includes:
• a "Clearance and Approval" form and processes
• procedures developed and documented by Shared Services ICT
9. Evaluation measures
This policy will be reviewed annually.
Associated Documents
• ACT Government Purchasing Policy and Principles Guidelines
• ACT Government Remote Access Standard
• The Public Sector Management Best Practice Notes
• ACT Government Policies, Guidelines and Standards
• Processes and procedures prepared by Shared Services ICT
Roles and Responsibilities
Role: Agencies
Responsibilities:
• Identify a business need;
• Develop an appropriate remote access technical solution in consultation with Shared Services ICT.
• Conduct an agency discrete assessment of specific or general threats and risks associated with remote access, and put in place risk mitigation steps or strategies.
• Ensure necessary arrangements have been implemented for the protection of sensitive information, security and privacy in compliance with ACT Government policies, standards and guidelines;
• Complete a clearance and approval or business case for determination by the Director General or the Director General's authorised delegate
• Ensure that trusted third parties'/vendors' responsibilities and obligations regarding remote access are addressed in contracts and legally enforceable arrangements.

Role: Shared Services ICT
Responsibilities:
Shared Services ICT’s roles, deliverables and associated costs are defined
contractually in the Service Level Agreements (SLAs) and other support
agreements.
Shared Services ICT will:
• Provide agencies with information about threats, risks and mitigation strategies that are relevant to the agency Threat and Risk Assessment.
• Provide minimum hardware specifications to all remote access users.
• Develop, in consultation with agencies, appropriate remote access technical solutions;
• Develop, in consultation with agencies, procedures and guidelines for accessing the Remote Access Infrastructure.
• Distribute, review and revise this policy as necessary.
• Provide advice.
• Provide transitional policy support including
• Provide assistance with the completion of TRA and Risk Mitigation templates.
• Advise whether the TRA has identified all stakeholders and all major whole of government risks.
• Approve the satisfactorily completed “Clearance and Approval Form” with supporting TRAs and risk mitigation.
• Provide mediation when requested.
Compliance
If, as a result of an audit or other circumstance, an agency is found to have not complied
with this Policy, the appropriate Director General will be informed with details of
non-compliance in writing.
Contact Officer
For any queries about this Policy, contact the Shared Services ICT Policy Office.
Appendix A
Glossary
Term | Definition
ICT Environment | The ICT technologies utilised to conduct ACT Government business. The ICT environment can be categorised as the operational, production or test domains.
ICT Resources | All ACT Government ICT networks, equipment, systems and applications (e.g. hardware and software), email, the Internet and Internet email.
Remote Access | The ability to get access to a computer or a network from a remote distance
Remote sites | A normal place of work for ACT Government employees that is not connected to the ACTGOV network.
NOTE: Other terms may be found in the Shared Services ICT Glossary of Terms.
Metadata
Owner: Senior Manager, Shared Services ICT Security
Document location: www.sharedservices.act.gov.au/docs/Remote-Access-ICT-Policy.doc
Review cycle: This policy should be reviewed every 24 months or when conditions significantly change, whichever is the shorter.
Note: This is a CONTROLLED document. Any documents appearing in paper form are not
controlled and should be checked against the intranet version prior to use.
Amendment history
Ver no. | Issue date | Amendment details | Author | Approval
1.0 | Dec 2001 | Initial release. | ACTIM | Supported by ISG & IMCC, endorsed by ACTIS Mgt Board, approved by CE CMD
1.1 | 21/11/2006 | Minor revision | Policy Office | Endorsed by Policy Review Group - Oct 2006
1.2 | 25 May 2012 | | Kerry Webb | Executive Director, Shared Services ICT
1.3 | September 2014 | Revision due to restructure of Shared Services ICT. Minor changes to reflect Auditor general findings. Add Bolden Jame ‘Privacy Act 1988’ to ‘Information Privacy Act 2014’. Cosmetic changes | Peter Major, Greg Tankard | Executive Director Shared Services ICT – Executive responsible for ICT Security