CTPAT Breakdown: 4.9

Item 4.9

Members that allow their users to remotely connect to a
network must employ secure technologies, such as virtual
private networks (VPNs), to allow employees to access the
company’s intranet securely when located outside of the
office. Members must also have procedures designed to
prevent remote access from unauthorized users.

Implementation Guidelines

VPNs are not the only choice to protect remote access to a network.
Multi-factor authentication (MFA) is another method. An example of a
multi-factor authentication would be a token with a dynamic security
code that the employee must type in to access the network.


VPNs are deployed via perimeter firewalls and rules can be applied to restrict traffic flows over the VPN. VPNs require software to be installed and/or configured on each device that is to connect. This is okay for company owned devices that are mobile enough to be brought to the IT staff for configuration. Home computers not owned by the company are another story as either the IT staff has to travel to those homes or the VPN has to be installed and/or configured by the user. If the VPN configuration has “restricted information” requirements then the IT staff has to handle everything.

Other options include Citrix and Remote Desktop (a.k.a Terminal Server) servers. These provide a desktop via controlled access on a dedicated server.

Another option is Remote Desktop access to the user’s desktop. The right to use remote access has to be granted, account + password is required, smart card may be required. User only needs to know what the server settings are to connect.

I’ve set up VPN plus Remote Desktop for users with a laptop that travels.
I’ve set up Remote Desktop for users to work from home during the COVID-19 pandemic. These users do not travel (obviously, it is a pandemic lock down) so firewall restrictions are in place to limit the connection sources.

Other Programs

  • Controlled Goods
  • PCI-DSS: 8.3

Bookmark the permalink.

Comments are closed.