VPN Policy and Procedure
Details
Date | Version | Status | Information Classification | Document Template ID | Document No |
---|---|---|---|---|---|
27-01-2020 | 1.7 | Approved | Internal | AMS DOC | AMS-ISMS-PL-03 |
Revision History
Date | Version | Description | Author | Reviewed by | Approved by | Approved date |
---|---|---|---|---|---|---|
18-01-2013 | 1.0 | Initial Version | ||||
18-01-2014 | 1.1 | Reviewed version | ||||
18-06-2014 | 1.2 | Reviewed for adequacy | Ganesh | Premanand/Praveen | Premanand | |
06-06-2015 | 1.3 | Reviewed as part of AMS transition | ||||
23-06-2016 | 1.3 | Annual Review – No Changes Done | ||||
09-08-2016 | 1.4 | Added 2FA authentication along with VPN access; deleted usage from Non-Antares Owned Equipment point | ||||
31-07-2017 | 1.4 | Reviewed no changes | ||||
10-08-2017 | 1.5 | Replaced shall with will and deleted etc., | ||||
18-08-2019 | 1.6 | Reviewed no changes | ||||
14-01-2020 | 1.7 | Annual Review 2020 - Changes made to align with the standard document format, Added VPN provision for CRM and Consultants | Nuthan, Usha | Shaila | Praveen | 27-01-2020 |
Acronym Used
Acronym | Expanded Form |
---|---|
2FA | 2 Factor Authentication |
VPN | Virtual Private Network |
Purpose
The purpose of this policy is to specify the security standards required for VPN access, ensuring the integrity of data transmitted and received, and securing the VPN pathways into the network.
Scope
This VPN Policy covers how the employees connect to the production environment at Antares Systems Ltd from outside the office network.
Policy Statement
All users who are required to establish a real-time connection with Antares Systems' production network through the Internet must use a Virtual Private Network (VPN) product configured by the IT dept., together with 2FA so that each user passes 2 levels of authentication, and must encrypt all traffic exchanged.
Authority
This policy is approved by the IT Head & CISO.
Summary
The purpose of this policy is to define standards for connecting to Antares Systems' internal network from hosts on the Internet (IT Team, Java Team Helpdesk, Antares Consultants, CRM Team) by using a VPN & 2FA. These standards are designed to minimize the potential exposure of Antares Systems' production environment to damages that may result from unauthorized use of Antares resources. Damages include the loss of sensitive or confidential data, intellectual property, damage to public image and damage to critical information & technology systems.
Applicability
This policy applies to all Antares Systems' employees utilizing VPNs to access the Antares production network.
Remote Computer Security
Remote computers become an extension of the Antares production network, and therefore are subject to the same rules and regulations that apply to Antares' managed computers (acceptable use of assets).
Software Security Patches
Remote computers must have up-to-date security patches for the operating system and applications that are installed.
Anti-virus Software
Remote computers must have up-to-date and active anti-virus software (this includes personal computers) and these must be free from viruses.
Remote Vulnerability Scanning
Remote computers using VPN technology are subject to being remotely scanned to determine that the software is current and that the system has been properly secured. Computers that do not meet the requirements will be disconnected automatically from the Antares network until a secure computing environment has been re-established.
Approved VPN Client & FortiGate application
Only VPN clients & 2FA applications approved by the IT Dept will be used.
Responsibilities
Users
It is the responsibility of users with VPN & 2FA privileges to ensure that unauthorized users are not allowed access to Antares Systems' networks when the privilege is given to the concerned user for IT related/helpdesk activities.
The use of VPN & 2FA technology with personal equipment is not permitted; users must use only the laptop provided by ASL.
Users are responsible for communications from their computers while connected to the VPN.
Users will comply with the organization's password management policy.
Network Administrator
VPN gateways, FortiGate 2FA Security and concentrators will be set up and maintained by an administrator from the IT Dept. to meet minimum requirements.
The Network Administrator will configure FortiClient for VPN on the system and FortiToken for 2FA on the mobile device given to users to access the network through VPN. The development team will be given predefined usernames, which cannot be changed.
It is the responsibility of employees with VPN & 2FA privileges to ensure that unauthorized users are not allowed access to the Antares network when the privilege is given to the concerned user for IT related/helpdesk activities.
The VPN requires the user to authenticate. VPN use is to be controlled using 1) password authentication and 2) a one-time FortiToken which will be generated and sent to the user's mobile (valid for 60 secs). When actively connected to the administrative network, VPNs will force all traffic to and from the PC over the VPN tunnel.
All communications over the VPN are encrypted.
All authentication attempts will be logged.
Notification of Changes
The IT team will provide users with a copy of this policy (or a link to it), and notify users of changes to this policy.
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action in accordance with the HR policy.