II.C.15(d) Use of Remote Devices
Management may choose to allow employees to connect remotely to the institution's network using either an institution-owned or a personally owned device (often referred to as BYOD or "bring your own device"). Institution-owned devices are easier to secure because the institution controls the devices' configuration and often can implement remote wiping if the devices are lost or stolen. It may be more difficult to implement remote wiping or a similar measure on an employee's personally owned device. BYOD is becoming more popular, however, with institutions and employees because it reduces costs to the institution and enables employees to carry one device instead of two.
For all remote devices, management should do the following to control employee remote access to the institution's network:
- Disallow remote access unless a compelling business justification exists.
- Require management approval of employee remote access.
- Regularly review remote access approvals and rescind those that no longer have a compelling business justification.
- Restrict remote access to authorized network areas and applications by using VLANs, permissions, and other techniques.
- Log remote access communications (including date, time, user, user location, duration, and activity), analyze logs in a timely manner, and follow up on anomalies.
- Implement robust authentication methods for remote access.
- Use encryption to protect communications between the access device and the institution.
- Use application white-listing. (Application white-listing is the maintenance and use of a list of applications and their components, e.g., libraries and configuration files, that are authorized to be present or active on a system according to a well-defined baseline.)
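The white-listing definition above amounts to a baseline manifest plus a comparison against what is actually present. The following Python is an added illustration, not part of the FFIEC handbook text: it records a SHA-256 manifest of approved files under a root directory and then reports files that are not on the list, approved files whose contents have changed, and approved files that have disappeared. The directory layout and file names in `demo()` are constructed for the example; a real deployment would sign and protect the manifest and run the check from a trusted agent.

```python
"""Baseline-driven application white-list check (added example, not handbook text)."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Approved baseline: relative POSIX path -> SHA-256 for every file under root."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def check_against_baseline(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the current contents of root with the approved baseline.

    unauthorized: present on the system but not in the baseline
    modified:     in the baseline but the hash no longer matches
    missing:      in the baseline but no longer present
    """
    current = build_baseline(root)
    return {
        "unauthorized": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "missing": sorted(set(baseline) - set(current)),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: approve a baseline, then introduce three deviations."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for sub in ("bin", "lib", "etc"):
            (root / sub).mkdir()
        # Constructed "approved" install (hypothetical file names).
        (root / "bin" / "vpnclient").write_bytes(b"approved vpn client build 1.2.3")
        (root / "lib" / "libtls.so").write_bytes(b"approved tls library")
        (root / "etc" / "client.conf").write_text("server=vpn.example.test\n")
        baseline = build_baseline(root)

        # Deviations an audit should surface.
        (root / "bin" / "miner").write_bytes(b"not on the approved list")   # unauthorized
        (root / "lib" / "libtls.so").write_bytes(b"tampered tls library")   # modified
        (root / "etc" / "client.conf").unlink()                              # missing
        return check_against_baseline(root, baseline)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

The check is only as trustworthy as the manifest: if an attacker who can plant a binary can also edit the baseline, the comparison proves nothing, so the manifest belongs under the same change-control and integrity protection as the rest of the approved configuration.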
For institution-owned devices, the institution should have the ability to manage the remote devices. The following controls should be implemented:
- Securely configure remote access devices.
- Protect remote access devices against malware.
- Patch, update, and maintain all software on remote access devices.
- Encrypt sensitive data residing on the access device.
- Implement secure containers with internal boundaries that store sensitive information so that other applications and users of the device cannot access it without permission.
- Periodically audit the access device configurations and patch levels.
- Remotely disable or wipe the device in the event of theft or loss.
- Use geolocation of the device to support device recovery efforts.
For personally owned devices, the institution may not have the ability to configure the devices. Management should therefore have an effective method or solution for verifying that such devices meet defined institution security standards, such as operating system version, patch level, and anti-malware protection, before they are allowed to log on to the network.