Remote Access Policy
STATEMENT of POLICY and PROCEDURE | | | |
---|---|---|---|
Department | Information Systems | Policy No. | 8.01 |
Name | Remote Access Policy | Review Frequency | 3 years |
Approved by | Management | Replaces | |
Effective date | August 1, 2025 | Dated | |
1 OVERVIEW
Remote access to MakeWay Foundation (“MakeWay”) data is essential to maintain productivity. However, in many cases this remote access originates from networks that may have a weaker security posture than a standard corporate network. While remote networks are beyond the control of MakeWay, we must mitigate risks as much as possible to protect our staff, resources, and data.
2 PURPOSE
The purpose of this Remote Access Policy is to establish guidelines and requirements for accessing MakeWay resources remotely to ensure the security, confidentiality, integrity, and availability of information, and to mitigate risk of damages which may result from unauthorized use of resources. Damages could include the loss of sensitive or confidential data, intellectual property, damage to public image, damage to critical internal systems, and fines or other financial liabilities incurred as a result of those losses.
3 SCOPE
This policy applies to all MakeWay employees, contractors, vendors, and agents with a MakeWay-owned or personally owned device used to connect to MakeWay systems and data. Remote access is permitted solely for business purposes and must comply with all applicable laws, regulations, and other organizational policies. Remote access in this context applies any time a person is working outside of physical MakeWay networks.
4 DEVICES AND SECURITY REQUIREMENTS
It is the responsibility of the Information Systems Team (“IS”) to ensure that MakeWay-owned devices and resources meet the security requirements below.
4.01 This policy applies to any device which accesses organizational systems and data including laptops, mobile devices, and tablets. The devices used should be in good physical operation and have current security updates and patches.
4.02 Remote access sessions must be secured using encryption protocols, such as HTTPS with SSL/TLS connections, and must include valid security certificates to protect data transmitted over remote connections.
4.03 Users accessing MakeWay resources remotely must adhere to strong authentication practices, such as multi-factor authentication or biometric authentication, to verify their identity.
4.04 Endpoint security measures, including antivirus software, firewall protection, and device encryption, must be implemented on all remote devices to prevent unauthorized access and malware infections.
5 MONITORING AND LOGGING
MakeWay is committed to respecting the privacy and confidentiality of its users to the extent permitted by law, and any monitoring activities will be conducted in accordance with applicable privacy laws and regulations. Any review of sensitive materials shall be done with the utmost care and with the consultation of the Privacy Officer.
5.01 Remote access sessions will be passively monitored and logged to detect and respond to security incidents, and to facilitate auditing and compliance. Logs may include information such as user login attempts, session durations, accessed resources, and any security-related events. Log data will be retained for a specified period in accordance with MakeWay policies and regulatory requirements.
5.02 Access to log files will be restricted to authorized personnel for security analysis and incident response purposes only.
6 USER RESPONSIBILITY AND ACCEPTABLE USE
Users accessing MakeWay resources remotely are responsible for ensuring the security and integrity of their remote access credentials and devices. Users must follow all applicable policies, procedures, and security guidelines when accessing MakeWay systems and data remotely.
6.01 Acceptable use of remote access resources includes performing work-related activities in line with the Acceptable Use of Technology Policy (Policy No. 4.01).
6.02 While travelling outside of North America, if you plan to access MakeWay resources, please consult IS via [email protected] prior to your trip to ensure that access can be granted from your planned location. IS may need to set up conditional access rules to ensure you won’t be blocked from access during your travels. They may also recommend using a VPN. IS will work with you to plan for your access needs.
6.03 When not using a trusted wifi network (e.g. a home or MakeWay network), internet access can be obtained by several means, such as:
- Tethering to a mobile device via bluetooth or wifi hotspot.
- Secured wifi, such as in a work environment where wifi credentials are shared securely.
- Untrusted public wifi, such as in a coffee shop, hotel or airport.
These are listed from most to least secure. Whenever possible, use the most secure method of access. In all 3 situations, use a VPN.
7 INCURRED COSTS
7.01 While tethering, or if using a mobile device while travelling, costs incurred by roaming should be within parameters as discussed and agreed upon with your manager ahead of time. Usage that incurs costs should be for work purposes.
8 PROHIBITIONS
8.01 Unauthorized activities and behaviours are strictly prohibited when accessing MakeWay resources remotely. Prohibited activities include but are not limited to:
- Sharing remote access credentials with unauthorized individuals.
- Attempting to bypass security controls or access restricted resources.
- Installing unauthorized software or tampering with or modifying system configurations on remote devices for the purpose of disabling a VPN.
8.02 Users are prohibited from using Virtual Private Networks (VPNs) to access organizational resources from countries where the use of VPNs is illegal or restricted by law, or where only government-approved VPNs are permitted, thereby compromising the inherent privacy benefits of VPNs. Users must ensure compliance with all relevant regulations and are prohibited from using VPNs if in violation of local laws.
It is the user’s responsibility to check for possible VPN restrictions in the countries concerned before travelling. If unsure, contact IS about Remote Access and Usage before travelling.
9 INCIDENT RESPONSE AND REPORTING
9.01 Upon discovery of a security incident or suspected violation, users must report the incident promptly to IS via email at [email protected] or by escalating to 437-500-2833 if during non-working hours or if email is not available.
9.02 During an incident, users may be asked to cease remote access activities and must follow incident response procedures as directed by IS. Users may also be asked to communicate over personal or private communication channels if MakeWay devices or accounts are blocked or quarantined during incident management.
9.03 IS will investigate reported incidents, mitigate security risks, and take appropriate corrective actions to prevent recurrence.
9.04 Incident response efforts will be documented and reported to relevant stakeholders in accordance with MakeWay process and regulatory requirements.
10 REFERENCES and RELATED STATEMENTS of POLICY and PROCEDURE
10.01 Acceptable Use of Technology Policy (Policy No. 4.01)