.svg){kind=logo}
A developer SSHes into your production database from a coffee shop. No VPN. No MFA. Just a username and a password. Your systems had no rule against it because you never wrote one.
That’s the gap a remote access policy closes.
A remote access policy is a formal document that defines who can access company systems from outside the corporate network, which tools and methods are approved, what authentication is required, and how sessions are monitored and logged. It applies to every user who connects remotely: employees working from home, contractors, and third-party vendors with access to your infrastructure.
Every major compliance framework requires documented remote access controls:
- SOC 2: CC6.6 and CC6.7 (logical access controls, remote session monitoring)
- ISO 27001:2022: A.8.20 (Networks Security), A.8.5 (Secure Authentication)
- HIPAA: §164.312(d) (authentication), §164.312(e) (transmission security)
- NIST SP 800-46: dedicated federal guidance on enterprise remote access
- PCI DSS v4.0: Requirement 8.6 (MFA for all remote access to the cardholder data environment)
By the end of this, you’ll know exactly what to include, how to map it to your compliance framework, and have a free template you can adapt today.
Here’s what I’ll cover:
- What a remote access policy is and how it differs from similar policies
- Who needs one and which frameworks require it
- What every policy must include, with real clause examples
- A free template you can use right now
- How to create and roll out the policy step by step
- What auditors actually check when they review one
Free Template
Download the Remote Access Policy Template (PDF)
Pre-built and aligned to SOC 2, ISO 27001, and HIPAA. Ready to customise and distribute.
What Is a Remote Access Policy?
The term gets used loosely, so let me be precise.
Key insight
A remote access policy is a formal document that governs how users connect to company systems from outside the corporate network.
A remote access policy is a formal document that governs how users connect to company systems from outside the corporate network. It defines which tools are approved (VPN, ZTNA, jump server), what authentication is required (MFA, approved methods), what devices are allowed, and how sessions are monitored and logged.
It’s sometimes called a remote access security policy or a remote access control policy: these are all names for the same document. The word “control” in the variant name just emphasises technical enforcement over operational guidance. Either name satisfies an auditor.
Remote Access Policy vs. Remote Access Control Policy
“Remote access control policy” is a common variant term. Some organisations prefer it because it signals that the document governs technical controls, not just intent. For compliance purposes under SOC 2, ISO 27001, and HIPAA, both names refer to the same required document. The naming choice does not affect compliance.
Remote Access Policy vs. Remote Working Security Policy
These are related but different documents. A remote access policy governs the connection itself: VPN tool, MFA method, device standards, session controls. A remote working security policy covers the broader posture: home office physical security, screen privacy, acceptable use in shared spaces. Both are needed. They just cover different scope.
Who Owns a Remote Access Policy?
The IT or InfoSec lead owns it, with approval from the CISO or CTO. If your company handles regulated data, HR and Legal should review it before sign-off, particularly where HIPAA or GDPR obligations apply.
Who Does It Apply To?
Every user who connects remotely: full-time employees, part-time staff, contractors, consultants, and third-party vendors. If someone has credentials to your systems and accesses them from outside the office, they are in scope.
Why Remote Access Policies Are Non-Negotiable
Remote access is one of the most consistently exploited attack vectors. VPN credential stuffing, exposed RDP ports, and unmanaged personal devices on corporate networks appear in breach reports year after year. The access method is not the problem. The absence of documented, enforced rules around it is.
Free Demo
ComplyJet builds your remote access policy for SOC 2, ISO 27001, and HIPAA
Covers CC6.6, CC6.7, ISO 27001 A.8.20, and HIPAA §164.312(d). Template + approval in hours.
A remote access security policy sets the baseline: MFA on every session, named approved tools, device standards, session timeouts, and logging requirements. Without it, every team makes its own call, and the result is inconsistency that auditors will find and attackers will exploit.
The compliance picture is equally clear. SOC 2 CC6.6 and CC6.7 require restricting and monitoring remote access. ISO 27001 A.8.20 requires documented rules for network connections. HIPAA §164.312(d) mandates authentication controls for remote access to ePHI. NIST SP 800-46 is an entire publication dedicated to enterprise remote access security.
Beyond audits, it matters for business. Enterprise buyers include remote access requirements in vendor security questionnaires (VSQ, SIG, CAIQ). A missing policy becomes a blocker in sales cycles, not just in audit rooms.
Which Companies Need a Remote Access Policy?
Any company where someone connects to internal systems from outside the office. That is not a niche situation: it describes essentially every company today.
Why it matters
Any company where someone connects to internal systems from outside the office. That is not a niche situation: it describes essentially every company today.
Remote Access Policy for Healthcare Providers
For healthcare organisations, a remote access policy for a healthcare provider is a HIPAA requirement, not optional. HIPAA §164.312(d) mandates authentication controls for all remote access to electronic protected health information (ePHI). The HIPAA remote access policy must address encrypted transmission, MFA, and audit logging for every ePHI session. Business Associate Agreements (BAAs) with vendors should explicitly reference it.
HIPAA also requires documented emergency access procedures under §164.312(a)(2)(ii): what happens when the normal remote access method fails and a clinician urgently needs patient data? That scenario belongs in the policy.
Remote Access Policy for SaaS Companies Pursuing SOC 2
SOC 2 CC6.6 and CC6.7 directly apply to remote access. Auditors will ask for the policy document, pull MFA enforcement reports from your identity provider, and check whether access is revoked promptly when someone leaves. If your policy says “MFA required” but your IdP shows accounts without MFA enrolled, that’s a finding.
Vendor Remote Access Policy Requirements
Third-party vendors with access to your systems need the same controls as employees, often stricter ones. A vendor remote access policy governs how those connections are approved, how long they last, and how they’re monitored. Time-limited credentials, session monitoring, and documented approval records are the minimum.
Vendor remote access is a frequent gap in audits. Companies document employee access controls and leave contractor and vendor connections entirely unaddressed. Auditors find that gap quickly. If you use third-party vendors with access to sensitive systems, your vendor risk management policy should reference these controls too.
What a Remote Access Policy Should Cover
The difference between a policy that passes an audit and one that doesn’t usually comes down to specificity. “Use a secure connection” fails. “All remote connections must use [named VPN tool], protected by an approved MFA method, from a device meeting these standards” passes.
| Policy section | What to include |
|---|---|
| Purpose | The risk this policy mitigates and the regulatory requirements that drive it |
| Scope | Users covered (employees, contractors, vendors, MSPs), systems and data in scope |
| Approved Access Methods | Named tools only: corporate VPN, ZTNA solution, approved jump server. Personal VPNs explicitly prohibited. |
| Authentication Requirements | MFA required for all remote sessions; approved MFA methods listed; SMS OTP acceptable only as a documented fallback |
| Device Standards | Corporate-managed devices preferred; BYOD rules including minimum OS version, encryption, antivirus, screen lock; unmanaged personal devices prohibited from production |
| Vendor and Third-Party Access | Named approval process, time-limited credentials, session recording for privileged sessions, no persistent access without documented business justification |
| Session Controls | Automatic idle timeout, maximum session duration, concurrent session limits, geo-restriction policy if applicable |
| Monitoring and Logging | What is logged (user, timestamp, source IP, duration, systems accessed), log retention period, who reviews anomalies |
| Prohibited Activities | Split tunnelling unless explicitly approved, unsecured public networks without VPN, credential sharing, unapproved remote access tools |
| Exceptions | How to request an exception, who approves it, maximum duration, how it is documented |
| Enforcement and Violations | Disciplinary consequences; automatic session termination for non-compliant connections where feasible |
| Review Cadence | Annual minimum; after security incidents; after major infrastructure changes |
Remote Access Policy Examples
Seeing specific clauses helps more than a table. Here are two of the most important ones:
MFA clause: “All users connecting to company systems via VPN or ZTNA must authenticate using an approved multi-factor method (authenticator app or hardware security key). SMS OTP is permitted only with written approval from the CISO and may not be used as a primary MFA method.”
Vendor access clause: “Third-party access to production systems must be requested via the IT helpdesk, approved by the system owner, time-limited to the duration of the engagement, and revoked within 24 hours of engagement completion.”
Those two clauses alone eliminate two of the most common audit findings.
Free Remote Access Policy Template
Free Template
Download the Remote Access Policy Template (PDF)
Pre-built and aligned to SOC 2, ISO 27001, and HIPAA. Ready to customise and distribute.
The template below is free to use and adapt. Fill in the bracketed fields for your environment: your approved tools, MFA methods, device standards, and session timeout values.
Remote Access Security Policy Template
[Company Name] Remote Access Policy
Policy ID: [e.g. IS-RAP-001] Version: 1.0 Effective Date: [Date] Policy Owner: [Name, Title] Approved by: [Name, Title] Next Review Date: [Date, typically 12 months from effective date]
1. Purpose
This policy establishes the rules and controls for remote access to [Company Name]’s information systems, applications, and data. Its purpose is to protect company assets from unauthorised access while enabling employees, contractors, and vendors to work securely from locations outside the corporate network.
2. Scope
| Category | In Scope |
|---|---|
| Employees (full-time and part-time) | Yes |
| Contractors and consultants | Yes |
| Vendors and third-party service providers | Yes |
| Managed service providers (MSPs) | Yes |
| Company-owned information systems | Yes |
| Cloud-based applications and services | Yes |
| Production databases and sensitive data stores | Yes |
| Development and non-production environments | Yes (same controls apply unless explicitly exempted) |
3. Roles and Responsibilities
| Role | Responsibility |
|---|---|
| Policy Owner ([CISO / Head of IT]) | Maintains and reviews this policy; approves exceptions |
| IT / Security Team | Enforces technical controls; reviews access logs; manages VPN/ZTNA infrastructure |
| Managers and Team Leads | Ensure their direct reports comply; initiate access requests for contractors and vendors |
| All Remote Users | Comply with this policy when connecting remotely; report suspected security incidents |
| HR | Ensures policy acknowledgement is part of onboarding; notifies IT on employee offboarding |
| Legal / Compliance | Reviews policy for regulatory compliance; advises on HIPAA and GDPR-related decisions |
4. Approved Remote Access Methods
Only the following methods are approved for remote access to company systems:
| Method | Approved Tool | Use Case |
|---|---|---|
| VPN | [e.g. Tailscale / Cisco AnyConnect / WireGuard] | General remote access to internal systems |
| Zero Trust Network Access (ZTNA) | [e.g. Cloudflare Access / Zscaler] | Application-level access without full network access |
| Jump Server / Bastion Host | [Tool name or “company-managed bastion”] | SSH/RDP access to production infrastructure |
| Approved Remote Desktop | [Tool name, e.g. company-managed RDP only] | Desktop access for specific approved roles |
All other methods, including personal VPN services, consumer remote desktop applications, and direct RDP exposure to the internet, are prohibited.
5. Authentication Requirements
All remote access sessions must use multi-factor authentication (MFA).
Approved MFA methods: - Authenticator app (e.g. Google Authenticator, Authy, Microsoft Authenticator) - Hardware security key (e.g. YubiKey) - Push notification via approved identity provider (e.g. Okta Verify, Duo)
SMS OTP is permitted only as an emergency fallback with written approval from [Policy Owner]. It may not be used as a primary MFA method. Password-only authentication for any remote session is prohibited.
6. Device Standards
| Requirement | Corporate-Managed Devices | BYOD |
|---|---|---|
| Permitted for production access | Yes | [Yes / No] |
| Minimum OS version | [e.g. macOS 14 / Windows 11] | Same as corporate |
| Full-disk encryption | Required | Required |
| Antivirus / EDR | Company-managed solution required | Approved solution; verified by IT |
| Screen lock | Required (max 5 minutes idle) | Required |
| MDM enrolment | Required | [Required / Recommended] |
| Automatic OS updates | Enabled | Enabled |
Devices that do not meet all requirements above are prohibited from accessing production systems or sensitive data.
7. Vendor and Third-Party Access
| Step | Requirement |
|---|---|
| Request | Submitted via [IT helpdesk / ticketing system] by the internal business owner |
| Approval | Approved by the system owner and [Policy Owner] |
| Duration | Time-limited to the engagement; maximum [30 / 60 / 90] days per grant |
| Credentials | Unique credentials provisioned for each vendor; credential sharing is prohibited |
| Access scope | Least privilege: only the systems and data required for the specific engagement |
| Session monitoring | Privileged vendor sessions must be recorded where technically feasible |
| Revocation | Access revoked within 24 hours of engagement completion |
Persistent vendor access without a current, approved record is prohibited.
8. Session Controls
| Control | Requirement |
|---|---|
| Idle session timeout | 15 minutes of inactivity triggers automatic session termination |
| Maximum session duration | [e.g. 8 hours; re-authentication required for new sessions] |
| Concurrent sessions | Maximum [2] active remote sessions per user at any time |
| Geographic restrictions | [If applicable: access from [countries/regions] is blocked by default] |
| Split tunnelling | [Prohibited / Permitted only for [specific applications] with written CISO approval] |
9. Monitoring and Logging
All remote access sessions must be logged. The following must be captured for each session:
- User identity
- Timestamp (session start and end)
- Source IP address
- Systems or applications accessed
- Session duration
Logs must be retained for a minimum of [12 months] in a tamper-resistant system. Anomalous access (unusual geographies, after-hours access to sensitive systems) must be reviewed by [IT/Security Team] within [48 hours] of detection.
10. Prohibited Activities
The following are prohibited for all remote users:
- Using unapproved VPN, remote desktop, or tunnelling tools
- Connecting from public Wi-Fi without an approved VPN or ZTNA solution active
- Sharing remote access credentials with any other person
- Accessing company systems from non-compliant devices
- Enabling split tunnelling unless explicitly approved in writing
- Installing unapproved software on devices used for remote access to production systems
11. Exceptions
Exceptions may be granted in limited circumstances. All exceptions must include:
- Reason for the exception
- Alternative control in place to mitigate the risk
- Maximum duration of the exception
- Name of the risk owner and approver
Exceptions must be approved by [Policy Owner], documented in writing, and reviewed every [90 days]. Any exception not renewed by its expiry date is automatically revoked.
12. Enforcement
Violations of this policy may result in disciplinary action up to and including termination of employment or contract.
Significant violations include:
- Sharing remote access credentials
- Connecting from a prohibited device or network without an approved exception
- Circumventing MFA requirements
- Installing unapproved remote access tools without authorisation
IT reserves the right to terminate any remote session that does not comply with this policy.
13. Review Cadence
This policy is reviewed annually. An out-of-cycle review must be initiated when any of the following occur:
- A remote access-related security incident
- A change to the approved VPN or ZTNA tooling
- A significant change to the company’s identity provider or MFA platform
- A new compliance framework requirement applicable to remote access
- Significant growth in the number of remote users or vendor access grants
14. Version History
| Version | Date | Author | Summary of Changes |
|---|---|---|---|
| 1.0 | [Date] | [Name] | Initial version |
How to Create a Remote Access Policy
Writing the policy is step three, not step one. Here’s the full sequence.
Free Demo
ComplyJet gives you a remote access policy template, aligned and audit-ready
Pre-built to SOC 2 CC6.6, ISO 27001, and HIPAA. Staff acknowledgements and review reminders included.
- Assign a policy owner. IT/InfoSec lead or CISO. Record the owner in the policy header from the start so there’s no ambiguity later.
- Inventory existing remote access methods. What VPNs, RDP tools, SSH configurations, and third-party remote access tools are currently in use? You cannot govern what you haven’t mapped.
- Decide what to allow, restrict, and prohibit. Build the approved tools list. Set your BYOD stance explicitly. Define vendor access rules.
- Set authentication requirements. Choose your approved MFA methods. Document the fallback method and the threshold for approving it.
- Define device standards. Corporate-managed vs BYOD. MDM requirements. Minimum OS version, patching cadence, antivirus, full-disk encryption.
- Draft session controls and logging requirements. Idle timeout value, session duration cap, what is logged, retention period, who reviews anomalies and when.
- Draft the vendor and third-party access section. Approval process, time-limiting, session monitoring for privileged access, revocation procedure.
- Write the exceptions and enforcement sections. Be specific about what constitutes a significant violation for this policy.
- Get HR and Legal sign-off if HIPAA or GDPR applies.
- Get leadership approval. Publish with a version number and effective date.
- Communicate to all affected users. Collect signed acknowledgements. This is the first thing auditors check.
- Map controls to your frameworks. SOC 2 CC6.6/CC6.7, ISO 27001 A.8.20, HIPAA §164.312(d).
- Schedule the annual review. Update immediately after any significant infrastructure change or security incident.
Remote Access Policy Best Practices
A few things I’d add beyond the basics:
- Enforce MFA on every remote connection without exception. No password-only access, full stop.
- Move from legacy VPN to ZTNA where you can. ZTNA gives application-level access without putting your entire network in scope.
- Default to no persistent vendor access. Every grant should have an expiry date and a documented revocation process.
- Review who has remote access quarterly. Dormant accounts and departed employees with active credentials are a consistent audit finding.
- Test that logs are actually being captured and retained to the period stated in the policy. The logging requirement is meaningless if the log pipeline is broken.
- Keep the approved tools list current. When a tool is decommissioned, update the policy immediately.
Remote Access Policy and Compliance: SOC 2, ISO 27001, HIPAA, and NIST
| Framework | Relevant control | What it requires |
|---|---|---|
| SOC 2 | CC6.6, CC6.7 | Logical access restricted to authorised users; MFA for remote access; periodic access reviews; access revoked promptly on termination |
| ISO 27001 | A.8.20, A.8.5, A.5.14 | Controls on network services; secure authentication for remote sessions; documented rules for information transfer |
| HIPAA Security Rule | §164.312(d), §164.312(e)(1) | Authentication and encrypted transmission for all remote access to ePHI; audit controls must log access |
| NIST SP 800-46 Rev. 2 | Full publication | Dedicated federal guidance on enterprise remote access: VPNs, ZTNA, jump servers, monitoring requirements |
| PCI DSS v4.0 | Req. 8.6 | MFA required for all remote access to the cardholder data environment |
ISO 27001 Remote Access Policy Controls
The ISO 27001 remote access policy sits across three controls. A.8.20 (Networks Security) requires documented rules for network connections and remote access. A.8.5 (Secure Authentication) requires strong authentication for all remote sessions. A.5.14 (Information Transfer) requires rules governing how data moves between the organisation and external parties.
If you’re pursuing ISO 27001 certification, the remote access policy is a required document in your Statement of Applicability. It is not optional, and a missing or vague policy is a nonconformity.
HIPAA Remote Access Policy Requirements
The HIPAA remote access policy must address four things: unique user IDs under §164.312(a)(2)(i), authentication under §164.312(d), transmission encryption under §164.312(e)(2)(ii), and audit controls for remote sessions under §164.312(b). Covered entities and business associates must ensure that remote access to ePHI happens only via encrypted, authenticated channels. If a vendor connects to your systems and touches patient data, their access falls under HIPAA too.
Evidence Auditors Look for in a Remote Access Audit
The policy document is the starting point. What auditors check next is whether it’s actually enforced.
I’ve seen auditors spend more time on the evidence checklist than on the policy text itself. The document proves your intent. The records prove your execution.
| Record type | Example |
|---|---|
| Approved policy document | Signed, versioned policy with effective date and named approver |
| User acknowledgements | Log of who signed the policy, the date, and the version they acknowledged |
| MFA enforcement reports | Export from your IdP (Okta, Google Workspace, Entra ID) showing MFA enforced for all remote sessions |
| VPN / ZTNA access logs | Sample logs: user, timestamp, source IP, session duration |
| Access reviews | Quarterly or annual review confirming who has remote access and why it is still needed |
| Vendor access records | Approval ticket for each third-party access grant, with approver name and expiry date |
| Exception log | Documented exceptions with business justification, approver, and expiry |
| Policy review history | Date of last review, who reviewed, changes made (even if “no changes this cycle”) |
Remote Access Policy Mistakes That Create Real Risk
These are the mistakes I see in almost every first audit. They’re easy to avoid once you know them.
Watch out
IT may be logging, but if it is not a stated policy requirement, auditors cannot confirm it is intentional or consistent. “We just do it” does not survive scrutiny.
Vendors not covered. The policy applies to employees but says nothing about third-party or contractor access. Auditors ask about vendor access in the first ten minutes. If your policy is silent on it, that’s a gap they will document.
No named tools. “Use a VPN” without specifying which one. Staff end up using personal VPN services, consumer-grade RDP apps, or nothing. You cannot enforce what you have not defined.
No session timeout defined. A stolen or abandoned session stays open indefinitely. There is no baseline in the policy for how long a session should remain active, so IT has no documented obligation to configure one.
BYOD left unaddressed. Personal devices access production systems with no documented endpoint standards: no MDM requirement, no minimum OS version, no encryption mandate. One unpatched personal laptop becomes your largest attack surface.
Logging not required in the policy. IT may be logging, but if it is not a stated policy requirement, auditors cannot confirm it is intentional or consistent. “We just do it” does not survive scrutiny.
Policy never communicated. The document sits in a folder. No one was told about it. No acknowledgements were collected. The first question in every audit is: “Can you show me who has signed off on this policy?” If you cannot, everything else becomes harder to defend.
Split tunnelling by default. All non-corporate traffic bypasses monitoring without a conscious security decision being made. The policy should explicitly permit or prohibit split tunnelling. Silence is not a control.
Scaling Remote Access Controls as Your Company Grows
Startups (1 to 25 People)
Keep it lean but complete. Enforce MFA on all remote connections. Document the one VPN or ZTNA tool you’re using. State your BYOD stance explicitly: permitted or not, and if permitted, what standards apply. Ban personal devices from production systems.
Quick tip
You do not need a 20-page policy. You need a two-page policy that everyone has read, signed, and can actually follow.
You do not need a 20-page policy. You need a two-page policy that everyone has read, signed, and can actually follow. Review it annually, and update it the moment your remote access tooling changes.
Growing Companies (25 to 150 People)
Add MDM to enforce device standards consistently across a larger, more distributed team. Separate contractor and vendor access tiers from employee access. Move to quarterly access reviews. If you are pursuing SOC 2, align your policy explicitly to CC6.6 and CC6.7 and document that mapping in your control library. The vendor access approval process should become a formal, ticketed workflow: it is an audit artefact, not just an internal process.
Larger Enterprises
Move from legacy VPN to ZTNA to reduce the attack surface and get application-level access control. Implement PAM (Privileged Access Management) for admin and privileged remote sessions: session recording, just-in-time access, credential vaulting. Automate access reviews via your IAM platform. Integrate remote access logs with your SIEM for anomaly detection. Ensure the policy covers all geographies and subsidiaries, with regional variations documented where required.
How ComplyJet Keeps Your Remote Access Policy Audit-Ready
Most companies write the policy once and then forget about it until the next audit. That’s when they find out acknowledgements were not collected, logs were not reviewed, and the vendor access section had not been updated since the policy was first drafted.
ComplyJet centralises the full lifecycle. You get a ready-to-use remote access policy template, a structured approval workflow, employee acknowledgement tracking, and automatic control mapping to SOC 2 CC6.6/CC6.7, ISO 27001 A.8.20, HIPAA §164.312(d), and PCI DSS Req. 8.6. When your VPN tool changes, you update the policy in ComplyJet, trigger a new acknowledgement round, and the review is logged automatically.
When an auditor asks for the policy, the acknowledgements, and the access review records, it is all in one place. No folder-hunting. No “I think we have that somewhere.”
FAQs
What does a remote access policy cover?
A remote access policy is a formal document that defines the rules for connecting to company systems from outside the corporate network. It covers which tools are approved, what authentication is required (typically MFA), what devices are allowed, how sessions are monitored, and how vendor access is controlled. Every user who connects remotely, including employees, contractors, and vendors, is subject to it.
What is the difference between a remote access policy and a remote working policy?
A remote access policy governs the connection itself: the VPN or ZTNA tool, MFA method, device standards, session controls, and logging. A remote working security policy covers the broader work-from-home posture: home office physical security, screen privacy, and use of public spaces. They overlap in scope but serve different purposes. Most compliance frameworks expect both.
Where is the remote access policy stored, and how do employees access it?
The policy should live in your company’s central knowledge base or GRC tool, accessible to all employees. It should also be part of the onboarding process, with signed acknowledgements collected and logged. A policy that employees cannot find is effectively the same as a policy that does not exist.
How do I create a remote access policy?
Start by inventorying your current remote access methods, then decide what to approve, restrict, and prohibit. Define authentication requirements (MFA methods), device standards, vendor access rules, session controls, and logging requirements. Get it approved by leadership, communicate it to all users, collect acknowledgements, and map it to your compliance controls. The template in this article gives you the full structure to start from.
How do I create a remote access control policy?
A remote access control policy is the same document as a remote access policy. The word “control” emphasises technical enforcement. The process is identical: inventory your current methods, document what is approved and prohibited, define authentication and device standards, get approval, communicate, collect acknowledgements, and map to your compliance framework.
Does SOC 2 require a remote access policy?
Yes. SOC 2 CC6.6 requires restricting logical access to authorised users from external sources, and CC6.7 covers monitoring access and restricting it based on risk. Auditors will ask for the policy document and evidence of enforcement: MFA reports, access logs, access reviews, and acknowledgement records.
Does HIPAA require a remote access policy?
Yes. HIPAA §164.312(d) requires authentication controls for remote access to electronic protected health information (ePHI). §164.312(e)(1) requires encryption for ePHI in transit. For covered entities and business associates, a remote access policy that specifies MFA, encrypted transmission, and audit logging is a core HIPAA requirement.
How often should a remote access policy be reviewed?
At minimum annually. You should also review it after a remote access-related security incident, after changing your VPN or ZTNA tool, after a significant identity provider change, or after significant growth in remote users or vendor connections. The review date and outcome should be logged, even if no changes are made.
What MFA methods are acceptable in a remote access policy?
Authenticator apps (Google Authenticator, Authy, Microsoft Authenticator), hardware security keys (YubiKey), and push notifications via your identity provider (Okta Verify, Duo) are all acceptable and recommended. SMS OTP is generally discouraged due to SIM-swapping risks and may only be permitted as a documented fallback with explicit approval. Password-only authentication should not be acceptable for any remote session.
Related Policies
Network Security Policy: Defines the broader network controls that remote access connects into, including network segmentation, firewall rules, and traffic monitoring scope.
BYOD Policy: Device standards for personal devices used for remote access. If your remote access policy permits BYOD, the BYOD policy must specify exactly what device standards apply. The two policies must be consistent.
