Overview
Through the implementation of remote work access, Red Clay Renovations (RCR) is projected to work with better efficiency in terms of the time and resources spent on tasks. However, the proper organization of this format is challenging, as it is expected to meet serious requirements in terms of both convenience and security (Department of Homeland Security, 2011). Cyberthreats and negligence are not uncommon in the current environment, making it necessary to design a comprehensive remote access policy that would prevent data leaks and unauthorized access to private information (National Institute of Standards and Technology, 2011). Compliance with the PCI-DSS, HIPAA Security Rule, and Red Flags Rule poses additional requirements, prompting RCR’s remote access policy to be updated.
Purpose
The objective of the proposed policy is to prevent unauthorized individuals and organizations from accessing the information through security loopholes and worker negligence. As per the PCI-DSS, HIPAA, and Red Flags Rule, non-compliance with the data confidentiality requirements poses serious legal and reputational risks for RCR (Department of Health & Human Services, 2007). The aforementioned regulations have been drafted specifically to ensure that all organizations follow well-considered, evidence-based protocols for protecting data against unauthorized use. A lack of effort in this regard may undermine the integrity of Red Clay Renovations. As a result, the company would face serious problems in terms of customer trust, as well as within the legal framework of the country.
Scope
The proposed remote access policy is to be comprehensive in all senses. First, it applies to all situations in which remote access to the company’s data is implied. Second, the policy’s regulations are to be followed by all workers without exception. At the same time, while the protocols are obligatory for all workers, managers, and outsourced employees, each unit will have its specific tasks in preventing unauthorized access to the data. The guidelines are to be applied knowingly and with awareness of the consequences of non-compliance. In other words, all workers are to understand the magnitude of the matter, refraining from taking shortcuts and bypassing the security rules, so that integrity is maintained (Department of Defense, 2015). This way, the likelihood of an unfavorable outcome will decrease significantly.
Policy
The RCR remote access framework enables the use of the company’s data and resources via the Internet. To ensure the integrity of data use during remote access, the following guidelines have been developed based on the best practices of modern cybersecurity:
- All the user information provided by RCR for remote access is to be kept confidential. The user is not to disclose any login information to third parties.
- The user is allowed to access only the information that is required by their immediate tasks and assignments. Attempts to access data irrelevant to a specific situation will be considered a policy violation.
- The user is to control the duration of each remote access session by logging in and logging out as necessary.
- The user is not to leave any device with an active remote access session unattended.
- If the user loses possession of a device with remote access, RCR management is to be notified immediately.
- All instances of suspected misuse of the company data are to be reported to the management immediately.
- The use of up-to-date anti-malware services provided by RCR is obligatory for all devices with remote access.
- If any encryption protocols are required, they are to be executed without exception.
- Any use of the VPN or similar software is prohibited unless a specific approval has been granted by the management.
- Compliance with the guidelines is obligatory for all employees, managers, and outsourced workers of RCR without exception. Non-compliance is to be penalized at the discretion of the RCR Board with measures up to immediate termination of the contract (Dept. for Business, Innovation and Skills et al., 2015).
Policy Version History
References
Department of Defense. (2015). The DoD cybersecurity culture and compliance initiative. Web.
Department of Health & Human Services. (2007). Basics of risk analysis and risk management. HIPAA Security Series, 2, 1-20.
Department of Homeland Security. (2011). Risk management fundamentals: Homeland Security risk management doctrine. Web.
Dept. for Business, Innovation and Skills, Government Communications Headquarters, Centre for the Protection of National Infrastructure, & Cabinet Office. (2015). Reducing the cyber risk in 10 critical areas. Web.
National Institute of Standards and Technology. (2011). Managing information security risk: Organization, mission, and information system view. Web.