Should an organization mention that it will be monitoring and logging remote access use in its remote access policy definition?

While an organization isn’t required to mention that explicitly in the Remote Access Policy, it is in its best interest and those of its employees, to do so.

The Acceptable Use Policy usually mentions that employees will have no expectations of privacy while using the organizations’ assets, networks, and resources.

However, mentioning it again in the remote access use policy ensures transparency of monitoring and logging activities, as well as serves as a further reminder to the employee. Additionally, it can act as a deterrent to a potential rogue employee.

It can also help an employee to take more precaution with his VPN access as he wouldn’t want a hacker to abuse his credentials and perform malicious activities which will leave a log under his (VPN accessing employee’s) name.