Re: Remote Access Policy

[Fred Chase <fnc () mitre org>]

Tina Bird wrote:
> ... I need a few references to ... policy .. in the area of .. Internet-based .... remote access.

Below is MITRE's policy for internet (not dialup) remote access.


  -Fred Chase





4.2.2.1 VSCLIENT "Remote Desktop" Security Policy
A user must take steps to protect the confidentiality, integrity, and
availability of MITRE information.  Use is approved when the following
policy conditions are met:

1. All MITRE information held locally must be protected from non-MITRE
access by either physical or software security when the system is not in
use by MITRE staff. This can be done with a locked office, removable
media, or encryption of the information with a package such as "Your
Eyes Only".  Alternatively, all MITRE information can be removed from
the local system at the end of each session, leaving the information
stored on servers back inside the MITRE security firewall.
2. Your connection with MITRE must be protected from non-MITRE access at
the desktop any time the you leave the system unattended.  This access
control can be provided by using a locked office or a locking "screen
saver" which locks user interaction after no more than 30 minutes of
inactivity.  "Your Eyes Only" on Win95, or existing capabilities of
Windows NT are recommended.
3. Your connection with MITRE must be protected from non-MITRE remote
access.  Applications providing remote application sharing functions to
non-MITRE systems may not be running on the machine while there is a
connection with MITRE.
· Running Microsoft Net Meeting is permitted, but application sharing
"control" access must not be given to non-MITRE users.
· Running CVW (which has no local application sharing) is permitted.
· Running Timbuktu is permitted, but "control" access must not be given
to non-MITRE users.

Any usage or configuration not consistent with the above needs advance
written approval by INFOSEC (see MCF 3371).