This policy outlines guidelines and processes for requesting, obtaining, using, and terminating remote access to organization networks, systems, and data. It applies to scenarios where employees connect remotely to in-house data centers as well as offsite facilities, such as cloud providers.
From the policy:
Secure remote access to company systems and networks is now a way of life for most companies. As corporate conglomerates, small businesses, and brick-and-mortar shops fade away in favor of a distributed offsite workforce, companies and employees can profit from the greater convenience and efficiency provided by remote access. Combined with a BYOD (bring your own device) policy, a remote access implementation can lower equipment costs, reduce office overhead, and facilitate employee productivity.
However, the advantages of remote access also include some challenges that are more easily surmounted by onsite staff: ensuring that only authorized personnel can access company resources, securing devices not directly under IT control (nor available for hands-on support), and properly handling employee terminations.
Only users with a demonstrable business need to connect to company resources shall be provided with remote access capabilities. This will obviously apply to offsite workers by default, but onsite workers should be screened accordingly. Users with access to credit card data, for instance, may be ineligible for remote access capability if this would pose a security or financial risk. Users whose job responsibilities involve hands-on or face-to-face interaction may also be restricted from remote access privileges.
Employee eligibility to remotely access the organization’s computer network will be determined by their respective managers. The IT department must also approve each staff member’s remote access use.