Remote Access Security Policy

1.0 OVERVIEW

The security of the County network and County data is essential and mandatory. Each County employee given the privilege of accessing the County network or County data from outside of County’s infrastructure shall not compromise the County network or County data, and shall only access the County network or County data for County business purposes in accordance with this Security Policy.

Please sign and attach the applicable policy when submitting requests for remote access in accordance with this policy:

• Remote Access Security Policy—Employee
• Remote Access Security Policy—Remote Vendor Employee

2.0 SCOPE

This policy applies to all Baltimore County employees and contractors granted remote access to the Baltimore County network or County data from outside of the County’s infrastructure via remote access. 

3.0 POLICY

1. Each employee seeking access to the County Network or County data from outside of the County’s infrastructure for County business purposes issued a laptop or mobile device, must submit a signed Remote Access Policy. Employees seeking remote access utilizing personally-owned equipment must submit a signed Remote Access Policy and request form specifying in detail the nature, extent, and time frame for such access, and the request shall be signed in writing by the employee and the employee’s Agency Director. For contractor’s, each individual working on behalf of contractor for which contractor is requesting remote access (“Contractor’s Individual Agents”must approve the access request. The request shall be signed in writing by a legally authorized representative of the contractor and each of contractor’s Individual Agents. Each requester shall submit a signed Remote Access Security Policy and Remote Access Request Form request to the Agency Security Coordinator for submission through SAR.
2. Each requester may only access the County network or County data through a secure remote connection. Remote access may be provided to County employees utilizing Government Furnished Equipment (GFEprovided by Baltimore County. 
3. Each user understands and agrees that it is their responsibility to manage their remote access accounts, and must take the necessary and reasonable precautions to protect their account, and remote access device.  The user must inform The Office of Information Technology (OITimmediately by calling the Service Desk at 410-887-8200 if they determine their account has been tampered, disclosed inadvertently to others, or if the user transfers departments, leave the employment of the County or vendor company; or if for any reason the user no longer requires remote access. 
4. A user must call the Service Desk to have their accounts reset and will be required to verify their identity by providing personal verifiable information at that time.
5. OIT is responsible for providing user access and maintaining availability of remote resources.
6. Sharing of remote access accounts is not permitted. Each user must obtain an individual account to use remote access.
7. Each user must continue to follow all OIT policies while connected to the County network remotely. 
8. Users shall not modify or circumvent remote access configuration settings as configured and managed by OIT.   
9. All activity associated with remote access connectivity will be logged and audit trails will be reviewed regularly.
10. The County reserves the right to suspend the user’s access to the County network and County data for any reason. 
11. An employee utilizing GFE shall not simultaneously connect to the County network and any other private network. 
12. Utilizing the remote access solution to bulk transfer files or confidential (controlledinformation to a remote system is prohibited. 
13. Users utilizing personal equipment to connect to County resources remotely may be denied access if the device utilized does not meet minimum standards such as an active up-to-date antivirus product or other minimum requirement as determined by OIT.
14. A user shall only connect to the County network and County data through remote access services for County business. The user shall not connect to the County network or County data for any other purpose or reason, and shall promptly terminate their connection to the County network and data when County business is complete. 
15. A user who establishes access to the County network or County data shall not walk away and leave their computer unattended. If the user must walk away from their computer, they must log out and reconnect at a later time. 
16. The remote access solution(shave a built in 30-minute idle time out. If there is no activity on your session for 30 minutes, you will automatically be logged out of the County network.
17. Non-emergency personnel that do not utilize remote access services routinely (three monthswill be blocked by OIT and a new request in accordance with this Security Policy must be submitted to OIT for approval by the Director of OIT.

4.0 ENFORCEMENT

1. Violation of this Security Policy may result in the removal of remote access.
   
   Any Baltimore County employee who violates this Security Policy may be subject to disciplinary action, up to and including termination of employment.
   
   In the event a contractor violates this Security Policy, contractor understands and agrees that contractor shall be responsible for all damages associated therewith and that such damages shall only be limited if specifically stated as such in any written contract executed by and between the County and the contractor. Contractor also understands and agrees that any violation of this Security Policy by contractor or any of contractor’s Individual Agents may be, in the sole discretion of the County, a breach of the contract executed by and between the County and the contractor, and that County may exercise any and all rights and remedies as available under the contract, at law, or in equity. 
2. I (signature of employee) have received a copy of and have read this Security Policy. I hereby evidence my receipt, knowledge, understanding, and acceptance of this Security Policy and all of my duties and responsibilities associated with my receipt of remote access to Baltimore County network, or Baltimore County data. I understand the consequences of my noncompliance with this Security Policy and that I may be responsible for actual damages and disciplinary actions.

5.0 SIGNATURE

Please sign and attach the Remote Access Security Policy when submitting requests for remote access in accordance with this policy.