Remote Access Policy
Purpose
To reduce the cybersecurity risk to the organization, SLAM is required to design, implement and maintain a coherent set of policies, standards and procedures (collectively the Security Program) to manage risks to its data and information systems. Users are required to protect and ensure the Confidentiality, Integrity, and Availability (CIA) of data and information systems, regardless of audience, purpose, or how data is created, distributed, or stored. Security controls will be tailored accordingly so that cost-effective controls can be applied commensurate with the risk and sensitivity of the data and information system.
Remote access to the St Louis Art Museum’s (SLAM) network is essential to maintain productivity, but in many cases, this originates from networks that may already be compromised or are at a significantly lower security posture than our network. While these remote networks are beyond the control of the St Louis Art Museum’s policy, we must mitigate these external risks to the best of our ability.
The purpose of this policy is to define rules and requirements for connecting to the museum's network from any device. These rules and requirements are designed to minimize the potential exposure to SLAM from damages which may result from unauthorized use of SLAM resources. Damages include the loss of sensitive or confidential data, intellectual property, damage to public image, damage to critical SLAM internal systems, and fines or other financial liabilities incurred as a result of those losses.
Definition
In the realm of IT security terminology, the National Institute of Standards and Technology (NIST) IR 7298, Revision 1, Glossary of Key Information Security Terms, is the primary reference document that SLAM uses to define common IT security terms. Key terminology to be aware of includes:
- Control: A term describing any management, operational, or technical method that is used to manage risk. Controls are designed to monitor and measure specific aspects of standards to help SLAM accomplish stated goals or objectives.
- CIA: Confidentiality, Integrity, and Availability of company information systems and the underlying electronic data.
- Users: SLAM staff, volunteers, and contractors who have access to SLAM information systems and who are in a computer-related position of trust.
- Systems: Information Technology systems (e.g., networks, operating systems, applications and databases).
- Privileged User Accounts: Those accounts granted special access rights for particular business needs pursuant to approved procedures.
Policy
This policy applies to remote access connections used to do work on behalf of the museum, including reading or sending email and viewing intranet web resources. This policy covers all technical implementations of remote access used to connect to SLAM networks.
For information regarding SLAM's remote access connection options, including how to obtain a remote access login, software, troubleshooting, etc., contact the IT group.
Secure remote access must be strictly controlled with strong passwords. For further information, see the Access Controls-Password Policy.
Users shall protect their remote login and password from everyone, including staff and family members. Divulging login credentials to anyone is a violation of SLAM policy.
While using a SLAM-owned computer to remotely connect to SLAM's corporate network, Users shall ensure the remote device is not connected to any other network at the same time, apart from personal networks that are under their complete control or under the complete control of a User or Third Party.
Use of external resources to conduct SLAM business must be approved in advance by the IT Director.
All devices that are connected to SLAM’s internal networks via remote access technologies must use the most up-to-date anti-virus software and have the latest version of the device’s operating system; this includes personal computers and laptops.
Personal equipment used to connect to SLAM's networks must meet the requirements of SLAM-owned equipment for remote access as stated in the Hardware and Software Configuration Standards for Remote Access to SLAM Networks.
Remote connections (i.e., any connection to Systems from external networks) require prior approval by the IT Director. No such approvals shall be granted before due consideration of a documented assessment determining the scope and method of access, the technical and business risks involved, the length of time the access is needed, and the contractual, technical safeguards required for reasonable security.
Approval and Ownership
| Owner | Title | Date |
| Phillip Deleel | IT Director | 03/29/2021 |
| Approved By | Title | Date |
| Carolyn Schmidt | Deputy Director/Controller | 05/13/2021 |
Revision History
| Version | Description | Revision Date | Review Date | Reviewer / Approver Name |
| 1.0 | Final | 03/29/2021 | 05/13/2021 | Carolyn Schmidt |
| 2.0 | Review | | 4/24/2023 | Phillip Deleel |
| 3.0 | Review | | 6/25/2024 | Phillip Deleel |
| 4.0 | Review | | 7/1/2025 | Phillip Deleel |