The intent of this policy is to establish guidelines specifically pertaining to remote access to LEADx’s internal network. Preventing unauthorized access to company data from insecure networks is of utmost importance to LEADx. This policy is designed to ensure remote and/or traveling employees have the ability to securely connect to the corporate network without fear of threat and to provide the Company with an additional means of monitoring and controlling access to the internal network.
This policy shall apply to all employees, contractors, and affiliates of LEADx, and shall govern remote network access for all authorized users. Remote access is defined as any connection to LEADx’s internal network from a location outside of any affiliated company offices.
- Authorized users must protect their login credentials and must not share them with anyone for any reason.
- All inbound connections to LEADx internal networks must pass through an access control point before the user can reach a login banner.
- Remote users must be required to authenticate before being granted access to company information.
- Remote access must be logged in a central database and kept for a period of at least 30 days. Access logs must be reviewed regularly.
- All hosts connected to LEADx internal networks must be equipped with the most up-to-date anti-malware software. Third-party hosts must comply with this requirement before connecting to the network.
- All hosts connected to LEADx internal networks via remote access must be company-issued or approved third-party devices.
- Restricted company information must only be accessible via the LEADx internal network or VPN. Access to the VPN must require multi-factor authentication.
- Authorized users shall not connect to the LEADx VPN while the host is connected to a network that is not the user’s personal home network or a trusted third-party network. Users shall not connect to the LEADx VPN while also using another VPN.
- Users must exercise caution when connecting to networks in public venues like airports, coffee shops, etc., and must not connect to the Company’s internal network (even via VPN) if on an unsecured, public network.
- Access accounts used by remote vendors must only be enabled during the required time period and must be disabled immediately thereafter. Vendor accounts must be closely monitored and approved by CTO.
- Authorized third-party users must be required to authenticate before being allowed to access restricted information.
It is the responsibility of the end user to ensure compliance with the policies above.
Any exceptions to the policy must be approved by the CTO. Questions regarding remote access should be directed to CTO.
If you believe your connection may have been compromised, please immediately report the incident to CTO.
Date Established: 5/1/2020