ISO/IEC 27001 Control 6.7: Remote working

Security measures should be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organization’s premises.

MidPoint is optional for implementation of this control.

Implementation of this control without midPoint is feasible. However, midPoint provides considerable advantages for implementation of this control, making the implementation more efficient and reliable.

MidPoint has mechanisms to set up access for remote work, and automatically de-provision it when not needed.

Role-based access control (RBAC) mechanism together with provisioning can be used to set up all necessary privileges and security configuration for remote access. This includes configuration of network access through firewalls, virtual private networks (VPNs), authentication configuration, policies and so on. RBAC, provisioning and identity lifecycle can make sure that the access is properly disabled (de-provisioned) when remote access is no longer needed or employment is terminated, making sure that the network access will not be left open. Provisioning configuration and policy rules can be used to make sure that the users with remote access have appropriate configuration to use multi-factor authentication. Reporting capability can be used to find users that have remote access, yet they do not have appropriate credentials for second factor enrolled yet. Information classification together with policy rules can make sure that users with remote access do not have access to systems containing highly-sensitive information, if such policy is necessary.

This control deals mostly with policies and physical security measures for remote working locations. However, midPoint can help with policies and access control, especially network access control (firewalls, VPNs) and configuration. MidPoint is essential tool to make sure the access is automatically de-provisioned, making sure that the network access will not be left open when no longer needed.