Distinguishing a remote access policy from a portable computing protection policy

In this security management Ask the Expert Q&A, Shon Harris discusses how these two policies differ and what issues each addresses.

What is the best way to distinguish a remote access policy from a portable computing protection policy?

These two policies have very distinct focuses.

A remote access policy should address the following items and concepts:

  • Standardize remote connectivity for:
    • Any system type, whether it is company owned or personally owned computers, PDAs, smart phones, laptops, Blackberries, etc.
    • User type (employee, vendor, contractors, partners, etc.)
    • Connectivity type, as in dial-in modems, frame relay, ISDN, DSL, VPN, SSH, and cable modems, etc.
  • Remote access should only be allowed to carry out company-related functions
  • Reduce potential unauthorized use of company resources
  • Connectivity and encryption requirements:
    • VPN, SSL, SSH and encryption needs for sensitive data
  • Employee is responsible for ensuring:
    • Family members do not violate any company policies
    • Antivirus signatures, hot fixes and patches are up to date
    • Personal firewall is installed and properly configured
    • Authentication credentials are not shared
    • System is not connected to another network that is not owned by the company or employee
    • Non-company e-mail accounts are not used
    • Non-approved hardware configurations are not used
  • Authentication type that is allowed
    • Passwords, passphrases, one-time passwords, private key, etc.
  • Enforcement
    • Disciplinary actions, termination, prosecution

A portable computing protection policy, by contrast, should address the following items and concepts:

  • Standardize connectivity and configurations for:
    • Notebook computers, Tablet PCs, Palm Pilots, Microsoft Pocket PCs using Windows CE, text pagers, smart phones, FireWire devices, USB drives, etc.
    • User type (employee, vendor, contractors, partners, etc.)
    • Connectivity type, as in remote, LAN, WAN, wireless, etc.
  • Allowable usage
    • For example, smart phones with cameras may be banned in sensitive areas
  • Classified data needs to be encrypted during transfer or synchronization steps
  • Roles that are allowed to use certain portable devices:
    • Only executives may be able to use and connect Blackberry devices to the network
  • Specific types of security software may be required for specific types of devices
    • Additional security software may need to be installed and properly configured
  • Asset management
    • Company owned portable devices must be properly tagged and documented
    • User must register device with company before attempting to connect it to the network
  • Portable devices should not be left unattended in public areas
  • A public network may be set up to allow only Internet accessibility for portable devices
  • Prior to transfer of ownership or disposal of a portable device, all sensitive data must be properly destroyed
  • Access should only be allowed to carry out company-related functions
  • Reduce potential unauthorized use of company resources
  • Connectivity and encryption requirements:
    • VPN, SSL, SSH and encryption needs for sensitive data
  • Employee is responsible for ensuring:
    • Antivirus signatures, hot fixes and patches are up to date if applicable
    • Personal firewall is installed and properly configured if applicable
    • Authentication credentials are not shared
    • System is not connected to another network that is not owned by the company or employee
    • Non-company e-mail accounts are not used
    • Non-approved hardware configurations are not used
  • Authentication type that is allowed:
    • Passwords, passphrases, one-time passwords, private key, etc.
  • Enforcement
    • Disciplinary actions, termination, prosecution

  • This was first published in November 2005