Policy 635: Network and System Access, defines the responsibilities for authorizing, administering, and auditing access to state information systems.

Policy 636: Remote Access, addresses remote access requirements including monitoring and control, protection of confidentiality and integrity, managing access control points, encryption, and privileged account access.

Remote access standards define additional requirements to ensure the integrity of state network resources while a remote connection (using dial-in or virtual private network) is established. Because the risks associated with remote access are greater than with local access, agencies should only authorize individuals for remote access when deemed necessary for them to accomplish official duties.

There are two standards supporting remote access policy implementation. They define the security requirements for virtual private network (VPN) and dial-in access/modem use.

  • Standard 636S1: Virtual Private Network
  • Standard 636S2: Dial-In Access and Modem Use


Risks addressed in these documents:

  • Network access security risk with improper implementation of remote access connections over the Internet to state-owned information resources.


The above policies and standards were created to replace the following:

  • ISD Policy 621: Network and System Access
  • ISD Policy 622: Remote Access
  • ISD Standard 622S1: Virtual Private Networks
  • ISD Standard 622S2: Dial-In Access/Modem Use


Policy 635 addresses NIST SP 800-53 security controls AC-1, AC-2. AC-3, AC-5, AC-6, and AC-8.

Policy 636 and Standards 636S1 and S2 address NIST SP 800-53 security controls AC-7, AC-12, AC-17; AC-17 (CE 1-4); SI-4; SI-4 (CE 2, 4, 5); SC-7, SC-7 (CE 7); SC-23.

Organization-defined time periods are consistent with IRS Publication 1075.


View or Download:

DRAFT Policy 635: Network and System Access

DRAFT Policy 636: Remote Access

DRAFT Standard 636S1: Virtual Private Network

DRAFT Standard 636S2: Dial-In Access and Modem Use