A.10 ABC Inc. InfoSec Dial-In Access Policy


Policy No. 9

Effective date Month / Day / Year

Implement by Month / Day / Year

1.0 Purpose

The purpose of this policy is to protect ABC Inc.'s electronic information from being inadvertently compromised by authorized personnel using a dial-in connection.

2.0 Scope

The scope of this policy is to define appropriate dial-in access and its use by authorized personnel.

3.0 Policy

  1. ABC Inc. employees and authorized third parties (customers, vendors, etc.) can use dial-in connections to gain access to the corporate network through vendor solutions approved and provided by IT Operations. Dial-in access should be strictly controlled, using one-time password authentication. Dial-in access should be requested using the corporate account request process.

  2. It is the responsibility of employees with dial-in access privileges to ensure a dial-in connection to ABC Inc. is not used by non-employees to gain access to company information system resources. An employee who is granted dial-in access privileges must remain constantly aware that dial-in connections between their location and ABC Inc. are literal extensions of ABC Inc.'s corporate network, and that they provide a potential path to the company's most sensitive information. The employee and/or authorized third-party individual must take every reasonable measure to protect ABC Inc.'s assets.

  3. Only IT Operations-approved dial-in numbers will be used.

  4. Analog and non-GSM digital cellular phones cannot be used to connect to ABC Inc.'s corporate network, as their signals can be readily scanned and/or hijacked by unauthorized individuals. Only GSM standard digital cellular phones are considered secure enough for connection to ABC Inc.'s network. For additional information on wireless access to the ABC Inc. network, consult the InfoSec Wireless Communications Policy.

  5. For a third party using dial-in or remote access:

    • All connections or accounts must have an expiry date with a duration of 12 months or end of contract, whichever comes first.

    • A new network access request must be submitted to extend the access time period beyond the expiration date.

    • There will be no auto-renewal upon expiration. Connection will be automatically disabled upon expiration date.

Note  

Dial-in accounts are considered 'as needed' accounts. Account activity is monitored, and if a dial-in account is not used for a period of six months, the account will expire and no longer function. If dial-in access is subsequently required, the individual must request a new account as described above.

4.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

5.0 Definitions

6.0 Exceptions

Exceptions to information system security policies exist in rare instances where a risk assessment examining the implications of being out of compliance has been performed, where a Systems Security Policy Exception Form has been prepared by the data owner or management, and where this form has been approved by both the CSO or Director of InfoSec and the Chief Information Officer (CIO).

7.0 Revision History

Date ___/____/_____

Version:_______________________

Author:____________________________________

Summary:__________________________________




Wireless Operational Security
ISBN: 1555583172
EAN: 2147483647
Year: 2004
Pages: 153
