Policy 636: Remote Access addresses requirements for accessing state network resources from networks external to the state including monitoring and control, protection of confidentiality and integrity, managing access control points, encryption, and privileged account access.

Remote access standards define additional requirements to ensure the integrity of state network resources while a remote connection (dial-in, virtual private network) is established. Because the risks associated with remote access are greater than with local access, agencies should only authorize individuals for remote access when deemed necessary for them to accomplish official duties. Failure to adhere to the policy and standards may result in the user being denied remote system access.

There are two standards supporting remote access policy implementation. They define the security requirements for virtual private network (VPN) and dial-in access/modem use.

  • Standard 636S1: Virtual Private Network
  • Standard 636S2: Dial-In Access and Modem Use

The above policy and standards were created to replace the following legacy documents:

  • Policy 622: Remote Access
  • Standard 622S1: Virtual Private Networks
  • Standard 622S2: Dial-In Access/Modem Use

Risks addressed in these documents include network access security risk resulting from improper implementation of remote access connections over the Internet to state-owned information resources.

Policy 636 and Standards 636S1 and S2 address NIST SP 800-53 security controls AC-7, AC-12, AC-17; AC-17 (CE 1-4); SI-4; SI-4 (CE 2, 4, 5); SC-7, SC-7 (CE 7); SC-23.

Organization-defined time periods are consistent with IRS Publication 1075.

View or Download:

DRAFT Policy 636: Remote Access

DRAFT Standard 636S1: Virtual Private Network

DRAFT Standard 636S2: Dial-In Access and Modem Use