Effective VPN policies are those that clearly define security restrictions imposed on VPNs and align with the overall IT mission and goals of your organization. VPNs can offer numerous exciting possibilities for mobility and interconnection. However, VPNs can also be a risk to the confidentiality and stability of your organization’s infrastructure.

Like all security policies, your VPN policy should start with a thorough risk assessment and analysis. Without fully understanding the assets, processes, threats, and risks of VPNs, you cannot effectively use or manage the device or traffic.

Developing your VPN security policy is not a simple or straightforward task. You need to plan for time and effort to address a wide variety of issues and concerns. Some of the aspects of design and planning of a VPN policy include (but are not limited to):

• Considering the benefits and drawbacks of software and hardware VPN solutions
• Imposing stringent multifactor authentication (multiple elements you know or that validate who you are) on all VPN connections
• Implementing strong access control (authorization) restrictions on all VPN connections
• Defining how the VPN will be managed, through what interfaces, and by whom
• Exploring the complexities of patch management over VPN
• Defining the mechanisms of providing remote technical support for VPN telecommuters
• Enabling detailed auditing on all activities occurring across or through a VPN
• Defining distinct qualifications on granting user access to telecommuting VPNs
• Prescribing the user training requirements for all VPN activities