Medium

Purpose

To provide remote access capability to the enterprise network from any location, for any authorized customer without compromising the network.

Standard

  1. All external connectivity to the internal state network must utilize TLS or client-based VPN.
  2. All TLS or client-based VPN solutions will be provided by NDIT.
  3. All TLS or client-based VPN connectivity will be authenticated and authorized by the enterprise authentication/authorization process.
  4. The enterprise Multi-Factor Authentication solution will be required in conjunction with TLS or client-based VPN for remote access.
  5. Remote access shall not be allowed for team members connecting outside the U.S. or U.S. territories.
  6. Connections must be logged and monitored for unauthorized access.
  7. Devices used for remote access must have up-to-date antivirus and anti-malware software.
  8. Network traffic must be monitored for unauthorized access and have logging enabled.
  9. Intrusion detection and prevention systems must identify threats and mitigate risk.
  10. Access to Office 365 documents requires mobile device management software to govern security policies.
  11. The State operates a zero-trust environment in which all users, devices, and systems must be explicitly authorized prior to permitting a connection.

Definition

Remote Access - the ability to connect to an internal network from a distant location. Generally, this implies a computer, a modem (cellular, cable, DSL, etc.), and some remote access software used to connect to the internal network. Remote access means that the remote computer actually becomes a full-fledged host on the internal network.

Virtual Private Network (VPN) - a network that is constructed by using public wires to connect nodes. For example, there are a number of systems that enable you to create networks using the Internet as the medium for transporting data. These systems use encryption and other security mechanisms to ensure that only authorized users can access the network and that the data cannot be intercepted.

Authentication - the process of identifying a person prior to allowing them to access some resource or service. Authentication in this context is usually a userid and password.

Authorization - the process of granting a person access to a protected resource or service.

Multi-Factor Authentication (MFA) - an approach to authentication that requires the presentation of two or more of the three authentication factors: a knowledge factor ("something only the user knows"), a possession factor ("something only the user has"), and an inherence factor ("something only the user is").

Guidance

  1. Authentication and authorization for remote access to servers will be provided by enterprise managed central authentication services.
  2. User IDs shall be maintained within the enterprise-managed central authentication services.
  3. NDIT will provide TLS or client-based VPN to the requesting agency. The VPN will be configured to be able to access only pre-authorized hosts.
  4. Use only enterprise-approved devices for remote access to VPN.
  5. Mobile devices used to access Office 365 documents require MFA and mobile device management to govern security policies.

Policy

To provide users with remote access to the enterprise network and attached hosts.

Scope

This standard applies to all executive branch state agencies including the University Systems Office and entities performing actions on their behalf, e.g. vendors.

Higher education institutions beyond the University Systems Office are excluded, e.g. campuses and agricultural and research centers.

This standard is designed to ensure the integrity of the wide area network; therefore, it applies to all entities currently using wide area network services.

Statement of Commitment

North Dakota's CIO/CTO directs that IT Policy be created to establish statewide information technology policies and standards as defined within ND Century Code (Chapter 54-59-09).

Exceptions

In cases where agencies have team members that have a need to conduct business internationally (outside U.S. or U.S. territories), a request must be submitted three weeks prior to travel. The request shall be submitted by the team member’s HR to NDIT using ServiceNow and submitted as a generic service request.

Non-Compliance

Non-compliance with this standard shall be reported to the Office of the State Auditor.

Non-compliance with this standard is classified as high-risk, i.e., having an impact on the integrity of enterprise information systems. Violations of this standard will result in ITD operations taking immediate action to prevent enterprise risk prior to the reporting of non-compliance to the Office of the State Auditor.


Revision Number: 8
Revision Date: 2024-07-30
Effective Date: 2004-05-12
Last Reviewed: 2024-07-30
Number: POL0020126