
INFRA-12 VPN


What is this control about?

A VPN (Virtual Private Network) establishes a protected network connection over public networks. The VPN connection encrypts data traffic in transit and protects it from external access. Unencrypted data can be viewed by anyone who has network access and wants to see it. With a VPN, hackers and cyber criminals can't decipher this data.

With cloud computing, this control is not required: remote workers access public cloud resources directly over the internet, and the cloud environment typically handles all authentication and authorization.

Therefore, if this control is not applicable to your environment, it can be removed from your program.

However, if your company has enabled a separate network such as a DMZ, or allows Remote Desktop capabilities, this control can be customized to test these.

Available tools in the marketplace

The following listing is “crowdsourced” from our customer base or from external research. TrustCloud does not personally recommend any of the tools below, because we haven’t personally used them. 

VPN Tools:

  • OpenVPN
  • NordVPN

Available templates

TrustCloud has a curated list of templates internally or externally sourced to help you get started. Click on the link for a downloadable version:

  • N/A – no template recommendations

Control implementation

Install and implement a VPN connection in your organization.

What evidence do auditors look for?

At a minimum, most auditors look for the suggested action below:

  • Upload the VPN settings showing the connection

Evidence example

From the suggested action above, an example is provided below.

  1. Upload the VPN settings showing the connection.

Example shows the VPN settings
