Remote Access VPN Policy

Why it matters

Unencrypted or unauthenticated remote access exposes production systems to credential theft, man-in-the-middle attacks, and lateral movement by attackers on compromised home networks. Without mandatory VPN and MFA enforcement, a single compromised device or weak password can grant an attacker direct access to databases, APIs, and customer data.

Evidence to collect

• VPN policy document specifying split-tunnel or full-tunnel mode, MFA requirement, and device enrollment rules
• VPN gateway configuration (Cisco AnyConnect, WireGuard, Tailscale) showing MFA enforcement and session logging enabled
• Sample VPN session logs covering 30+ days, showing user, timestamp, source IP, and session duration
• MDM enrollment policy and screenshots of device compliance check triggered before VPN connection

Testing procedure

Request a list of all VPN users and cross-reference against active employees; verify MFA is enforced at VPN login (test failed login without MFA credential). Review VPN logs for the last 30 days and confirm all sessions include user identity, timestamp, and source IP. Attempt to connect a non-MDM-enrolled device to the production VPN and confirm it is denied. Interview an engineer to verify they cannot bypass the VPN to reach production systems (e.g., direct SSH to private IP) from home.

Common gotchas