Remote Access and Virtual Private Network (VPN) Security Policy

Policy Name:  Remote Access and Virtual Private Network (VPN) Security
Policy Number: IT-6003
Effective: 2021/05
Revised: Not applicable

Policy Statement

Policy

Approved HFU employees and authorized third parties (contractors, vendors, etc.) may use VPNs for remote access to services on the internal HFU network.

Procedure:

  1. Remote access must be requested by opening a Help Desk request. Required approvals include the requestor's vice president and the VP of Information Technology. Remote access is intended for job functions that require access to the internal network from off-site.
  2. Remote access to the HFU network is for the sole use of the individual to whom it is granted. The individual bears responsibility for the consequences should the access be misused.
  3. VPN access will be set up and managed by HFU network operational groups.
  4. Remote access is implemented and controlled through an IPsec concentrator. Only one VPN network connection is allowed at a time. Remote connections and VPN users will be automatically disconnected from HFU's network after 30 minutes of inactivity (idle timeout) and after a maximum connection time of 10 hours. The user must then log on again to reconnect to the network. Pings or other artificial network processes must not be used to keep the connection open and circumvent these limits.
  5. Please review the following policies for details on protecting information when accessing the university network via remote access methods, and on acceptable use of HFU's network:
    1. Information Security Policy
    2. Electronic Communications Acceptable Use Policy

Requirements:

  1. HFU employees must use an HFU-owned and managed laptop or desktop to access the network by VPN. Employee personal devices are not allowed.
  2. Only IT-approved VPN client software may be used.
  3. Secure remote access and VPN use must be strictly controlled. Control will be enforced via password authentication, a token device, or public/private keys with strong passphrases.
  4. The user is responsible for selecting their personal Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees.
  5. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to HFU internal networks. At no time should any HFU employee, contractor, vendor, or agent provide their login or email password to anyone, not even family members.
  6. It is the responsibility of HFU employees, contractors, vendors, and agents with remote access privileges to HFU's network to ensure that their remote access connection is given the same security consideration as the user's on-site connection to HFU, and to uphold the same security and privacy requirements for FERPA and HIPAA when working remotely.
  7. HFU employees and contractors with remote access privileges must ensure that their computer or workstation, while remotely connected to HFU's network, is not connected to any other network at the same time, with the exception of a personal/private network that is under the complete control of the user. For example, the user does not control the Starbucks wireless network.
  8. All computers connected to HFU internal networks via VPN must run security software to detect and protect against viruses.
  9. Reconfiguration of a remote user's equipment for the purpose of split tunneling or dual homing is not permitted at any time.
  10. Vendors using VPN connectivity with vendor-owned equipment must understand that their machines are a de facto extension of HFU's network, and as such are subject to the same rules and regulations that apply to HFU-owned equipment; i.e., their machines must be configured to comply with HFU IT's Security Policies.
  11. Contractors or vendors performing work on HFU's behalf must certify that their equipment meets the security and network requirements of HFU, and must be approved by the Vice President of IT.
  12. Organizations or individuals who wish to implement non-standard hardware and security configurations for remote access to the HFU production network must obtain prior approval from the Vice President of IT.


Definitions

VPN - Virtual Private Network