Remote access to central systems - recommendations from risk analysis
A risk analysis of remote access to UCL services was undertaken with the following intended outcomes:
1. To establish measures or 'controls' to be applied by UCL to improve the security of information when accessed remotely;
2. To provide information to assist in recommending policies and procedures relating to remote working.
The major recommendations resulting from this analysis are summarised below:
1. Use of a controlled environment - either a managed service (e.g. WTS) or, possibly, the Java client.
2. 2nd-level authentication - ideally something non-transferable like a biometric device. Alternatively, a system using a token that provides a constantly changing number connected with the service being accessed.
3. Force use of secure communications channels - this should be relatively easy to implement and use: make sure all access is on ports related to secure communications, e.g. use https in preference to http and, further, disallow http access.
4. Improve user education - the problem here is how to ensure this works. Some education should be enforced, and completed successfully, if remote working with valuable assets is to happen.
5. Advise on appropriate access to valuable assets - this could lead to a policy governing user behaviour and allow technological barriers to certain access to be put in place.
Link to full document (pdf):
Risk Analysis of Remote Access to Information Systems at University College London