Remote User Access Standard

Medium

Purpose

To provide remote access capability to the enterprise network from any location, for any authorized customer without compromising the network.

Standard

  1. All external connectivity to the internal state network must be by SSL or client-based VPN.
  2. All SSL or client-based VPN solutions will be provided by ITD.
  3. All SSL or client-based VPN connectivity will be authenticated and authorized by the enterprise authentication/authorization process.
  4. The enterprise Multi-Factor Authentication solution will be required in conjunction with SSL or client-based VPN for remote access to sensitive data and/or information as defined by the agency.

Definition

Remote Access - the ability to connect to an internal network from a distant location. Generally, this implies a computer, a modem (cellular, cable, dsl, etc.), and some remote access software to connect to the internal network. Remote access means that the remote computer actually becomes a full-fledged host on the internal network.

Virtual Private Network (VPN) - a network that is constructed by using public wires to connect nodes. For example, there are a number of systems that enable you to create networks using the Internet as the medium for transporting data. These systems use encryption and other security mechanisms to ensure that only authorized users can access the network and that the data cannot be intercepted.

Authentication - the process of identifying a person prior to allowing them to access some resource or service. Authentication in this context is usually a userid and password.

Authorization - the process of granting a person access a protected resources or service.

Multi-Factor Authentication (MFA) - is an approach to authentication which requires the presentation of two or more of the three authentication factors: a knowledge factor ("something only the user knows"), a possession factor ("something only the user has"), and an inherence factor ("something only the user is").

Guidance

1.    Authentication for remote access to servers will be provided by the central authentication server and will require registered user ID's.

2.    Agencies will be provided usage reports of their user ID's.

3.    ITD will provide SSL or client-based VPN to the requesting agency.  The VPN will be configured to be able to access only pre-authorized hosts.

Policy

To provide users remote access to the enterprise network and attached hosts.

Scope

This standard applies to all executive branch state agencies including the University Systems Office but excluding other higher education institutions, i.e. campuses and agricultural and research centers.

This standard is designed to ensure the integrity of the wide area network, therefore it applies to all entities currently using wide area network services.

Statement of Commitment

North Dakota's CIO/CTO directs that IT Policy be created to establish statewide information technology policies and standards as defined within ND Century Code (Chapter 54-59-09).

Non-Compliance

Non-compliance with this standard shall be reported to the Office of the State Auditor.

Noncompliance to this standard has been classified as high-risk i.e. having impact on the integrity of enterprise information systems.  Violations to this standard will result in ITD operations taking immediate action to prevent enterprise risk prior to the reporting of non-compliance to the Office of the State Auditor.


Revision Number: 3
Revision Date: 2016-02-12
Effective Date: 2004-05-12
Last Reviewed: 2019-12-03
Number: POL0020126