Why is it a best practice of a remote access policy definition to require employees and users to fill in a separate VPN remote access authorization form?


The Remote Access domain is fraught with vulnerabilities as it is a direct connection from the outside into the organization’s internal network and data. However, organizations realize that some roles require employees to connect remotely. This could be traveling sales representatives, administrators connecting to systems in remote branches for troubleshooting, international managers connecting to monitor employees in other countries, etc.

Organizations implement a secure tunnel connection via the VPN and allow for personnel with these roles to access the networks. However, not every employee or every role needs this access. Remote Access is a privilege that is granted to employees with specific needs and who are in compliance with the governing policies. Each VPN access account needs to be created on an individual need basis and by following the least privilege principle and the need to know principle.

Additionally, VPN access should be time-bound to further reduce risk. Employees who do get access will need to be specifically trained on using the VPN, on the importance of never sharing their credentials, on keeping their devices encrypted, screens locked. and laptops physically secure. They also realize that they are held accountable for activities that take place on their VPN time, through their login.

Hence it is a best practice for employees to fill in a VPN authorization form, and for their supervisors to approve of it. This form typically contains fields like name, employee id, date, reason for access, duration (start and end time), employee signature, as well as a field for their supervisor to sign their approval. Additionally, the CIO and/or the CISO may further need to approve of it.