1. Purpose, scope, and users
The purpose of this policy is to protect the confidentiality, integrity, and availability of Resolver’s and its customers’ information by controlling remote access to Resolver’s IT systems.
This policy defines standards for connecting to Resolver’s networks from any host. These standards are intended to prevent unauthorized access to mobile devices both within and outside the organization’s premises.
This policy provides guidance to all Resolver employees who need to work with information assets outside the confines of Resolver’s premises.
This policy is equally applicable to Resolver personnel who work remotely on a regular basis and those who work remotely on rare occasions. In the context of this policy, information assets can be either electronic or hard copy.
This policy applies to the entire Information Security Management System (ISMS) scope, i.e. to all persons, data, and equipment in the ISMS scope.
If users are in doubt as to the meaning of or how to apply the guidance provided in this policy, they must contact the IT or InfoSec team or send an e-mail to firstname.lastname@example.org before engaging in remote working practices.
2. Reference documents
- ISO/IEC 27001:2013 standard controls A.6.2 and A.11.2.6
- Information Security Policy.
3. Mobile computing
Mobile computing equipment and portable devices include all kinds of portable computers (laptops, notebooks, tablets), mobile phones, smartphones, memory cards, and other mobile equipment used for the storage, processing, and transfer of data.
The above-mentioned equipment may be taken off-premises only after obtaining authorization in accordance with the IT Security Policy.
3.2. Basic rules
Special care should be taken when portable devices are placed in vehicles (including cars), public spaces, hotel rooms, meeting places, conference centers, and other unprotected areas outside the organization’s premises.
Anyone taking a portable device off-premises must follow these rules:
- Portable devices carrying important, sensitive, or critical information must not be left unattended and, if possible, should be physically locked away, or special locks should be used to secure the equipment.
- When using portable devices in public places, the user must take care that data cannot be viewed by unauthorized persons.
- Patch updates and other system-setting changes must be performed by Resolver’s corporate IT team.
- Resolver corporate end-point protection for malicious code must be installed and updated regularly.
- Anyone using portable devices off-premises is responsible for regular back-ups of data to BOX, Resolver’s file storage, sharing, and backup solution.
- Information on portable computers must be encrypted according to Resolver’s Corporate Cryptography standard.
- The protection of sensitive data must be implemented in accordance with the Information Classification Policy in Resolver Corporate Data Handling Policy.
3.3. Storage of Resolver information assets
Information assets must be secured appropriately when removed from the local security environment of a Resolver-controlled office facility. To compensate for the lack of physical security controls, the following procedures should be applied:
- Users must not transfer significant quantities of data simply for convenience.
- Data should be securely erased when no longer required.
- It is the responsibility of the user to ensure that all data is backed up appropriately and moved to Resolver’s file storage system (Box).
- An information asset created outside of Resolver’s premises must be moved to Resolver’s file storage system (Box), network, or office as soon as possible after the completion of the task the information asset was created for.
- Resolver’s hardcopy documentation must not be stored with personal/privately owned documents due to the increased likelihood of inappropriate disposal.
- Privately owned electronic devices (e.g. home laptops or smartphones) must not be used to store INTERNAL or CONFIDENTIAL information. Contact the IT team for further details.
3.4. Traveling with Resolver information assets
- Information assets and devices must not be checked into the baggage hold and must always remain in the possession of the user.
- Users must ensure that, before leaving any transportation, they have collected all Resolver information assets in their care.
- Resolver information assets must not be given to unauthorized individuals to carry on a user’s behalf.
3.5. Overseas travel considerations
- Users are rarely able to assert the same level of control of their physical surroundings when traveling overseas.
- Users are unlikely to be able to enhance physical controls when traveling, when at conference centers, or while staying in hotels.
- Locking hotel room doors and safes may provide protection against opportunistic theft but are unlikely to prevent access to more determined or capable individuals.
- Hotel facilities typically have a master code or key which may be accessible to hotel staff.
- Authentication passwords are to be memorized and must not be written down to accompany a mobile computing device.
- If a user is compelled to demonstrate that a device is a functioning device by an authorized officer, such as a Customs official, they should, where possible, only switch the device on and not provide any decryption credentials.
- Should a device be confiscated, the incident must be reported to the IT Team or InfoSec as soon as possible so that the device may be remotely deactivated (where this functionality exists).
- Resolver’s Information Security Analyst is responsible for training and raising awareness of persons who are using portable devices outside the organization’s premises.
4. Teleworking / Remote working
Teleworking means that information and communication equipment is used to enable employees to perform their work outside of the office. Teleworking does not include the use of mobile phones outside the organization’s premises.
Teleworking must be authorized by an employee’s direct manager.
Take all reasonable care not to be overheard when talking in public places, for example when speaking on the telephone in a café.
4.2. Wireless connections
It is important that only secured wireless (Wi-Fi) connections are used.
Such connections are typically advertised as, and secured by, WPA2-Personal, also known as WPA2-PSK (AES).
Please validate that your home Wi-Fi access point is configured with the most secure configuration possible:
WPA2-PSK (AES), the recommended option for home Wi-Fi routers/access points, or WPA2-Enterprise on enterprise-grade Wi-Fi routers/access points,
protected with a strong, randomly generated password.
The following connections should be avoided:
- WEP (Wired Equivalent Privacy) secured networks: WEP is known to be insecure, and unauthorized access to the network is easy to gain.
- Public hotspots: these should be avoided because the security of the provided network is uncertain.
- Connections that produce certificate errors: if a certificate error is displayed upon connection, disconnect the device immediately and find an alternative wireless access point, as the security of the connection cannot be guaranteed.
4.3. Use of portable devices
- Any portable devices used by Resolver’s employees must have encryption enabled if they store sensitive information.
- When using portable devices, corporate and personally identifiable information MUST NOT be stored or transferred using an unencrypted device.
- Non-sensitive or non-personal information may be stored and transferred using non-encrypted devices. Whilst the security of data is greatly increased when using encrypted equipment, it does not remove responsibility from the user who must always exercise due care and attention when using these devices.
- Data-at-rest encryption is only fully effective when the device is fully powered down or in hibernation. While the device is in use or in sleep mode, the encryption is not active and the data is therefore less protected.
- Additionally, data-at-rest encryption does not protect against a network-borne attack (e.g. over Wi-Fi or a mobile phone network) while the device is in use, or against loss/theft while the device is unlocked.
- Devices must never be left logged on and unattended by the user. Auto-screen locking must be enabled at all times.
- Users must ensure that no other person accesses Resolver’s information systems with their device log-on.
- Resolver’s devices must not be given to others to operate; for example, Resolver’s laptops must not be operated by family members or friends.
- If you suspect your device may have a virus or other form of malicious software, you must immediately notify the IT and InfoSec teams by emailing email@example.com.
4.4. Information on Resolver portable devices
- Confidential information may only be held on the organization’s portable devices with the permission of IT or InfoSec. This arrangement should be recorded on a Service Information Asset Register and an updated copy sent to the Information Governance Team.
- Information must be virus-checked before being transferred onto any Resolver computer. This is done automatically for information that is sent via email.
5. User Requirements
- Devices must not be jailbroken* or rooted* (see note at end of section) or have any software/firmware installed which is designed to gain access to functionality not intended to be exposed to the user.
- Users must not load pirated software or illegal content on their devices.
- Applications must only be installed from official platform-owner approved sources. Installation of code from untrusted sources is forbidden. If you are unsure if an application is from an approved source, contact Resolver’s IT and InfoSec team at firstname.lastname@example.org or other communication channels e.g. Slack.
- Devices must be kept current with manufacturer or network provided patches.
- Devices must not be connected to a PC which does not have current and enabled anti-virus and anti-malware protection, and which does not comply with corporate policies.
- All computers connected to Resolver internal networks via VPN or any other technology must use the most current anti-virus software used as the corporate standard: this includes personal computers.
- Devices must be encrypted as per Resolver’s compliance standards.
- The user is responsible for the backup of their own personal data. Resolver accepts no responsibility for the loss of files due to a non-compliant device being wiped for security reasons.
- A suitable procedure that considers legal, insurance and security requirements shall be used for cases of theft or loss of a portable device.
- All Resolver employees should pass mandatory security awareness training and special
* To jailbreak or root a mobile device is to remove the limitations imposed by the manufacturer. This gives access to the operating system, thereby unlocking all its features and enabling the installation of unauthorized software.
6. Remote VPN Access to the company networks
- Remote connection over VPN to the company networks is allowed ONLY from company-managed devices.
7. Special requirements for DevOps Team members
Once the DevOps Manager has approved the request, DevOps grants access to server instances through a combination of the OpenVPN Access Server for the specific AWS VPC and a jump host, using individual LDAP/AD DS accounts.
- The OpenVPN server is the “OpenVPN Access Server is a full-featured SSL VPN software solution” AWS EC2 instance from the AWS Marketplace, provisioned as part of a specific VPC environment and configured to use TLSv1.2 for VPN communication to the VPC.
- Access to the OpenVPN server should be monitored, with the connectivity log stored in CloudWatch.
- Remote access is allowed ONLY from company-issued devices/laptops.
- All clients must use Multifactor Authentication (MFA) for OpenVPN access.
- All connected clients should comply with the following minimum requirements:
  - Antivirus is installed and running, with real-time protection/detection enabled.
  - The report from the last full antivirus scan (run no more than 5 days ago) is available and shows a healthy system status.
  - Anti-malware detection is installed and running.
  - A local firewall is enabled.
8. Reporting Security Incidents
Portable devices are attractive targets for theft because they are valuable objects that can be reused or resold. It is therefore accepted that the loss or theft of a device may be unrelated to the data held on it or to the onward logical access it may provide. However, in all cases, users must assume that the loss or theft of a device has resulted in a compromise, and it must be reported. In addition, personnel should consider the following:
- Once a device is stolen, it must be assumed that attackers have full device access and unlimited time to mount an attack.
- If a user’s access credentials (password or token) are compromised, the device must be treated as though it is unencrypted.
- All security incidents, including but not limited to those mentioned above, must be reported immediately to the IT and InfoSec teams by emailing email@example.com.
Any exceptions to this policy can only be granted with the written approval of the company CISO or Resolver’s Information Security Department.
10. Validity and document management
This document is valid as of July 2020.
The owner of this document is an Information Security Analyst who must check and, if necessary, update the document at least once a year.
When evaluating the effectiveness and adequacy of this document, the following criteria need to be considered:
- The number of incidents related to taking a portable device outside the organization’s premises without authorization.
- The number of incidents related to unauthorized access to a portable device outside of the organization’s premises.
EFFECTIVE ON: September 2020
REVIEW CYCLE: At least annually, and as needed
REVIEW, APPROVAL & CHANGE HISTORY: Last time reviewed and approved in August 2020 by Resolver’s Information Technology Security team.