Remote access policy
Services and devices must only permit remote access if approved by the board and documented in this policy. Approval will only be given if required for the functioning of the business.
Any changes much be requested by sending a ticket to the helpdesk, giving the reason it is required and the duration. This will then be reviewed by the technical director.
All remote access rights will be reevaluated by the board annually.
- Web servers - HTTP/S for primary use serving web apps; SSH for management of system including firewall, and monitoring ports for administration. MFA logins to management port and IP whitelisting for monitors.
- IaaS/SaaS/PaaS - HTTP/S as provided by service for administration. Separate administrative user accounts with MFA must be used for login (this is superceeded by other conditions detailed in the Password and Authentication Policy)