Medium

Purpose

To provide remote access capability to the enterprise network from any location, for any authorized customer without compromising the network.

Standard

  1. All external connectivity to the internal state network must utilize TLS or client-based VPN.
  2. All TLS or client-based VPN solutions will be provided by ITD.
  3. All TLS or client-based VPN connectivity will be authenticated and authorized by the enterprise authentication/authorization process.
  4. The enterprise Multi-Factor Authentication solution will be required in conjunction with TLS or client-based VPN for remote access to sensitive data and/or information as defined by the agency.

Definition

Remote Access - the ability to connect to an internal network from a distant location. Generally, this implies a computer, a modem (cellular, cable, DSL, etc.), and some remote access software to connect to the internal network. Remote access means that the remote computer actually becomes a full-fledged host on the internal network.

Virtual Private Network (VPN) - a network that is constructed by using public wires to connect nodes. For example, there are a number of systems that enable you to create networks using the Internet as the medium for transporting data. These systems use encryption and other security mechanisms to ensure that only authorized users can access the network and that the data cannot be intercepted.

Authentication - the process of identifying a person prior to allowing them to access some resource or service. Authentication in this context is usually a user ID and password.

Authorization - the process of granting a person access to a protected resource or service.

Multi-Factor Authentication (MFA) - an approach to authentication that requires the presentation of two or more of the three authentication factors: a knowledge factor ("something only the user knows"), a possession factor ("something only the user has"), and an inherence factor ("something only the user is").

Guidance

  1. Authentication and authorization for remote access to servers will be provided by enterprise managed central authentication services.
  2. User IDs shall be maintained within the enterprise managed central authentication services.
  3. Agencies will be provided usage reports of their user IDs.
  4. ITD will provide TLS or client-based VPN to the requesting agency. The VPN will be configured to be able to access only pre-authorized hosts.

Policy

To provide users remote access to the enterprise network and attached hosts.

Scope

This standard applies to all executive branch state agencies including the University Systems Office and entities performing actions on their behalf, e.g. vendors.

Higher education institutions beyond the University Systems Office are excluded, e.g. campuses and agricultural and research centers.

This standard is designed to ensure the integrity of the wide area network; therefore, it applies to all entities currently using wide area network services.

Statement of Commitment

North Dakota's CIO/CTO directs that IT Policy be created to establish statewide information technology policies and standards as defined within ND Century Code (Chapter 54-59-09).

Non-Compliance

Non-compliance with this standard shall be reported to the Office of the State Auditor.

Non-compliance with this standard has been classified as high-risk, i.e. having an impact on the integrity of enterprise information systems. Violations of this standard will result in ITD operations taking immediate action to prevent enterprise risk prior to the reporting of non-compliance to the Office of the State Auditor.


Revision Number: 4
Revision Date: 2023-10-27
Effective Date: 2004-05-12
Last Reviewed: 2023-11-29
Number: POL0020126