POL00362916
POL00362916
Post Office Limited - Document Classification: INTERNAL
IT Security Standards
Remote Access Standard
Version — V1.2
INTERNAL Page 1 of 7 Remote Access Standard
1.22
POL00362916
POL00362916
Post Office Limited - Document Classification: INTERNAL
®
Do OVEPVIOW 20. cee cceeeeseeeeeceneensseneeenenennescuneeeesesnnesseeseceeansnssaaeeeeessessscuaceeeeeseseteeeeaees 3
1.1. Introduction by the Standard OWNED .........:ccccsceseeeeeeseeeeeeeseesseeuueeuueeeeeeeereeeees 3
1.2 PUPPOSE oo... ceecesececeeseeeesseeeseneeeeeeeeeeeeeeeeseeesssaaeeneeeeesseeeeeeeseeeseseusaaansenseeseeees 3
1.3. Core Principles.
1.4 Application.
2 Policy Framework
2.1. Policy Framework
2.2 Who must comply?
3 MINIMUM CONtrOls 0.0... eeceeeseeeeeeeeeteeeetteeeetteeeetteeenteeenteeesneeeesteeeeenreenteesenieeeenee 5
4 Where to go for help.......cccccccccccsceceeseeeseeeeeeeesueueeeeeeeeeeseueeeseueeesseeeseseaeeessaeeeseoen 6
4.1 — Additional POliCi€S ...........ccsccssssesssescesesesseeessseenseseessesessenesssaseensasessaeesssaees 6
4.2 HOW to raiS€ & CONCEFN oo... eee eect eeeeeee eet e eet eee e eee tttneee eter tt ntneeeeeeeeeetennaee 6
4.3 Who to contact for more information .........c:ccccceeeesesteeeeeeeeettteeeeeeeeeteeeeeeeeees 6
5S VErSION CONTIOL.....sssssssecssssenssseensssennsseeressseresssesssseensssesessseresneesasseeesseseesseesannes 7
5.1. Version Control
5.2 Standard Approval ...
INTERNAL Page 2 of 7 Remote Access Standard
1.22
POL00362916
POL00362916
Post Office Limited - Document Classification: INTERNAL
1 Overview
1.1 Introduction by the Standard Owner
Post Office is committed to protecting its employees, customers, Third Party Supply Chain
and information assets from damaging or illegal actions by individuals, either knowingly
or unknowingly. Post Office enables this through the development and deployment of
policies, standards and guidelines which are aligned to international best practices.
Effective cyber and information security is a team effort involving everyone in Post Office.
1.2 Purpose
The purpose of the Remote Access Standard is to mitigate the risks associated with
privileged users accessing POL environments.
1.3 Core Principles
Compliance with this standard will aid in ensuring that the risks associated with working
and accessing Post Office information and environments remotely by privileged users will
be mitigated.
1.4 Application
This standard relates to all people, systems, networks, and services used to support the
Post Office, including those managed, maintained and supported by and on behalf of the
Post Office by suppliers, partners and Post Office employees.
INTERNAL Page 3 of 7 Remote Access Standard
1.22
POL00362916
POL00362916
Post Office Limited - Document Classification: INTERNAL
2 Policy Framework
2.1 Policy Framework
This standard forms part of the Cyber and Information Security Policy Set. This contains
controls that form part of the Information Technology Control Framework (ITCF) governed
by the overarching Post Office wide framework.
2.2 Who must comply?
Compliance with this standard is mandatory for all Post Office employees and applies
wherever in the world Post Offices business is undertaken. All third parties who do business
with Post Office, including consultants, suppliers and business and franchise partners, will
be required to agree contractually to this standard or have their own equivalent
standard/policy.
INTERNAL Page 4 of 7 Remote Access Standard
1.22
Post Office Limited - Document Classification: INTERNAL
3 Minimum Controls
POL00362916
POL00362916
The table below sets out the minimum control standards.
Control Number. Control Detail Attestation Guidance
PHT0569 Control all methods of Establish, implement, and maintain a remote access and teleworking
CTRLO020584 remote access and program.
teleworking. Implement strong controls over remote access by privileged user
PHT0571 Control remote access To ensure protection against data leakage, unauthorized access, computer
through a network access virus intrusion, and other major incidents, access to the internal network
control. and utilization of remote access should be in accordance with prior specified
procedures
PHT0572 Employ multifactor Use two-factor authentication and strong encryption for remote access.
authentication for remote Review the method of encryption (e.g. algorithm and key length) periodically
access to the to ensure that it is recognised by the industry as relevant and secure
organization's network.
PHT0573 Implement multifactor To be ready for cases of passwords leakage, other measures such as
authentication techniques. I multifactor authentication or multilevel authentication may be used together
with passwords, in accordance with the content of services used and the
properties of related risks
PHT0574 Monitor and evaluate all Manage IDs used by vendors to access, support, or maintain system
remote access usage. components via remote access as follows: - Enabled only during the time
period needed and disabled when not in use. - Monitored when in use
Access to critical systems and networks by external individuals for remote
maintenance purposes (e.g., remote diagnosis / testing, software
maintenance) should be managed by logging all activity undertaken.
INTERNAL Page 5 of 7 Remote Access Standard
1.22
POL00362916
POL00362916
Post Office Limited - Document Classification: INTERNAL
4 Where to go for help
4.1 Additional Policies
This standard is one of a set of policies. The full set of policies can be found at:
https://poluk.sharepoint.com/sites/postoffice/Pages/policies.aspx
4.2 How to raise a concern
Any Post Office employee who suspects something is wrong has a duty to:
e Discuss the matter fully with their Line Manager; or,
e Report their suspicions by contacting the Service Desk.
4.3. Who to contact for more information
If you need further information about this standard or wish to report an issue in relation
to this standard, please contact Cyber Security Team via cybe'
INTERNAL Page 6 of 7 Remote Access Standard
1.22
POL00362916
POL00362916
Post Office Limited - Document Classification: INTERNAL
5 Version Control
5.1 Version Control
Date Version Updated by Change Details
27/04/2018 0.1 IT Security Changed to the new template for
policies
Changed to reflect the new Post
Office structure
First draft
23/05/2018 0.2 IT Security Updated post peer review
29/05/2018 1.0 IT security Final Approved Version
14/04/2023 1.1 Cyber Compliance Updated to cover remote access only,
portable devices are covered by
BYOD and AUP standards
25/04/2023 1.2 Cyber Compliance CSF Approval for publication
5.2 Standard Approval
Standard Owner: Chief Information Security Officer
Standard Author: Hazel Freeman
Approved by CSF: 25/04/2023
Next review: 25/04/2024
INTERNAL Page 7 of 7 Remote Access Standard
1.22