Remote work is not new, but no one can deny that it has expanded significantly over the past few months. An April CNBC/Change Research survey found that 42 percent of Americans are working from home completely, with 19 percent working from home for the first time.
The same survey also found that 44 percent of employees want to stay home or are unsure if they want to return to the office. Twitter has already announced that its workforce isn't required to come back to the office, and a March 30 Gartner survey of business leaders found that most companies expect at least 5 percent of their pre-pandemic office workers to become permanent work-from-home employees.
It was a scramble to get workers out of the office and into their homes. Business continuity and employee well-being were the priorities, and IT departments rushed to get equipment and configure secure remote access. If this is the first time your company has deployed or allowed widespread use of remote access by VPN, you may want to evaluate your VPN acceptable use policy (AUP).
Why a VPN AUP?
A VPN, or virtual private network, connects an offsite user to the corporate network using an encrypted connection. Ideally, this provides the user with access to the necessary resources while following the principle of least privilege. A properly deployed VPN will allow the offsite user to operate as though onsite on the company’s local network.
The corporate AUP may be sufficient to cover the use of the VPN, or you may want to manage it as a separate policy.
What should be included?
There is no specific documentation that is required for a VPN AUP. There are several examples of VPN acceptable use policies online, including both real policies that are in use and customizable templates that can help you get started. You should write your document to meet your specific needs, including whatever sections and language that best protect your company.
Purpose of VPN acceptable use policy: This section explains why the company needs this policy. This can include references to state and federal data privacy and security laws, regulations like HIPAA, and any laws regulating online behavior.
Scope / applicability / exceptions / binding nature statement: This section is meant to define the who, what, and what-if of the policy. Some common questions addressed in this section include:
- Who does this policy cover? You may want to specify whether this policy applies to employees, contracted workers, etc., or simply “all approved users.”
- Are you allowing any line-item exemptions under this policy? This is not a best practice, but if you are going to allow them, define them in this section.
- What systems and networks are covered by the policy? Is this a site-to-site or remote access VPN?
- What are the penalties for not following the policy? You can keep this simple with a statement like “disciplinary action up to and including termination.”
There are no specific rules for the purpose and scope sections. For example, NC State VPN AUP keeps it simple:
The purpose of this policy is to provide guidelines for Remote Access Virtual Private Network (VPN) connections to the NC State University network.
This policy applies to all NC State Faculty, Staff and Students utilizing a VPN to access the NC State network. This policy applies to implementations of VPN that allow direct access to the NC State network.
Purpose and Scope
The information systems of Northeastern University are intended for the use of authorized members of the community in the conduct of their academic and administrative work. Northeastern’s information systems consist of all networking, computing and telecommunications wiring, equipment, networks, security devices, passwords, servers, computer systems, computers, computer laboratory equipment, workstations, Internet connection(s), cable television plant, university-owned mobile communications devices and all other intermediary equipment, services and facilities. These assets are the property of the university. This Policy describes the terms and conditions of use for Northeastern information systems.
This policy applies to any and all users of these resources both authorized and unauthorized.
Purpose of VPN and/or remote access: This can be as simple as “the exclusive purpose of fulfilling job responsibilities.” Note that this is separate from the purpose of the policy itself, which is defined above.
Definitions / acronyms / technical terms: This section helps the user understand terms that might not be commonly understood. If you include industry terms in the document, then consider adding this section for the sake of clarity. The SANS template places this section at the end of the document and uses it to link to the SANS glossary. Some examples place it earlier in the document, before the scope.
Usage policy: This section details the acceptable use of the VPN, and there are several subtopics here. It's a good idea to specifically address certain things:
- The user is responsible for preventing unauthorized use of the VPN. Some companies address this in detail, including directives around passwords and hardware security.
- Corporate-owned computers are required to connect, or both corporate and personal computers are allowed.
- If personal computers are allowed, the configuration should meet the specifications defined by the IT team.
- All computers must comply with the company's VPN and network policies.
- Only approved VPN clients can be used to access the VPN.
- Only approved VPN users can access the VPN and must comply with the company's VPN and network policies.
Don't forget to include any specific security considerations that you may need. For example, you may want to prohibit split tunneling or require remote access devices to use end-to-end encryption. Truman University adds detailed information about connectivity to the network:
Users shall not use the VPN for web surfing that does not otherwise require it for access. In other words, when the user has completed accessing the TRUMAN Intranet, they must end the VPN session prior to normal web access.
VPN users will be automatically disconnected from the TRUMAN network after thirty minutes of inactivity. The user must then logon again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
Implementation / connection procedures: Some companies use this section to describe who is responsible for internet service, how VPN authentication works, and where users can get tech support. The NC State University policy includes all of this, plus links to other related policy documents. The National Cybersecurity Society template has 11 bullet points here, in favor of a shorter usage policy.
Enforcement / compliance: You may want to explain how the company will enforce the VPN AUP. Calvin University uses this phrase to explain how they monitor compliance:
“various methods, including but not limited to, periodic walk-thrus, firewall reports, internal and external audits, and inspection via various security tools.”
This is a common phrase used by many templates and published policies.
If you haven't mentioned this before, you would also include the penalties for non-compliance.
Related policies: If you have other policies relevant to the VPN usage, include them here. These could be the password policy, acceptable use policy, information security policy, etc. You can also keep it simple and include a link to a list of all IT policies.
What's nice about acceptable use policies is that you can tailor them to fit your company perfectly. There many examples to pull from, including the free SANS and National Cybersecurity Society templates. You could even add your VPN policy to your existing AUP and not create a separate document. The important thing is that you have a policy that covers VPN access. Connection via VPN is an extension of your network, and it has a few more pieces than your LAN. A clear VPN AUP will make your company more secure and will help protect your employees from misunderstandings that could get them into trouble.
For more articles like this, check out our section on remote work.
Christine Barry is Senior Chief Blogger and Social Media Manager at Barracuda. In this role, she helps bring Barracuda stories to life and facilitate communication between the public and Barracuda internal teams. Prior to joining Barracuda, Christine was a field engineer and project manager for K12 and SMB clients for over 15 years. She holds several technology credentials, a Bachelor of Arts, and a Master of Business Administration. She is a graduate of the University of Michigan.
Connect with Christine on LinkedIn here.