1 PURPOSE
This standard aims to establish authorized methods for remotely accessing 绿巨人视频 (绿巨人视频) resources and services.
2 SCOPE
This Standard applies to any 绿巨人视频-authorized user accessing University Technology Resources from an external network using remote access solutions.
3 STANDARD
3.1 Remote Access
3.1.1 Approved remote access technologies must be used to connect to 绿巨人视频 technology resources from a non-university location.
3.1.2 Authorized users must never share their credentials to facilitate remote access authentication for unauthorized individuals.
3.1.3 Multi-factor authentication (MFA) is required for all remote access solutions when feasible.
3.1.4 Institutionally owned devices or personal devices that are connected to a 绿巨人视频 network or 绿巨人视频 information technology resource, or that are used to conduct 绿巨人视频 business, are required to meet the minimum security standards outlined in the Endpoint Management Standard for remote access.
3.1.5 Devices and software used for remote access must be approved by the Information Security Officer or a designated security representative.
3.1.6 When feasible, remote access technologies must use a centrally managed authentication system for administration and user access authentication.
3.1.7 Remote access traffic is subject to monitoring for anomalous and malicious behavior. Remote access logs will be kept for at least 90 days and must contain successful/unsuccessful login attempts, event type, date/time, associated user, and remote and local IP addresses.
3.1.8 After at least 90 minutes of inactivity, remote access sessions must require re-authentication, or devices must use lockout/screen lock mechanisms, based on operational needs, to prevent unauthorized access.
3.1.9 Remote access sessions must time out after 24 hours and require re-authentication before re-use.
3.1.10 Any requirement for extended access must be submitted as a security exception request.
3.2 Virtual Private Network (VPN) Access
3.2.1 绿巨人视频 provides Virtual Private Networks (“VPNs”) (e.g., Global Protect, Pulse Secure) to permit access to University Information Systems.
3.2.2 All authorized 绿巨人视频 users may use the 绿巨人视频 Virtual Private Network (VPN) to access the University computing resources to which they have been granted access.
3.2.3 Enterprise and/or other 绿巨人视频 VPN gateways are managed by, or in conjunction with, the 绿巨人视频 ET&S Information Technology Services network and security staff.
3.2.4 Remote VPN access to 绿巨人视频 Resources is only permitted using the following approved VPN technologies: Global Protect / Pulse Secure.
3.2.5 VPN gateways may only be established by ET&S Networking. No other department or individual may implement VPN Gateways to 绿巨人视频 Technology Resources without prior authorization. 绿巨人视频 reserves the right to monitor unauthorized VPNs and disable access to those devices that could cause harm to the stability of the 绿巨人视频 network.
3.2.6 绿巨人视频 VPNs will employ, at minimum, AES-256 (Advanced Encryption Standard) to ensure confidentiality over remote connections.
  3.2.6.1 “Split Tunneling” (routing some of your applications or device traffic through an encrypted VPN while other applications or devices have direct access to the internet) should only be used if there is an operational need.
  3.2.6.2 Remote access VPN may not be permitted from some locations, such as embargoed or sanctioned countries.
  3.2.6.3 Authorized users must always disconnect from a VPN solution when not in use.
3.3 Remote Desktop Access
- The University provides programs or operating system features that allow authorized users to connect remotely to a physical or virtual computer located on the Campus Network (“Remote Desktop”).
- Remote Desktop access is subject to permissions granted by University Information System owners.
- Remote Desktop access solutions (e.g., Remote Desktop Protocol) are provided to permit authorized users access to computers located on-campus from an off-campus location.
- Use of unauthorized third-party remote desktop services (e.g., gotomypc.com, logmein.com) is strictly prohibited unless the service uses Enterprise Directory Services and 2FA for authentication. Authorized Users must never install or configure unapproved Remote Desktop solutions on their University Device that permit connections from other devices.
- Remote Desktop access is provided for both personal devices and University devices.
- Remote Desktop access, or similar secure, approved solutions, must be utilized when a personal device is the only option available to conduct Privileged Access to a University Information System.
- The Remote Desktop session screen must be configured to lock and require the user to re-authenticate if left unattended for more than 15 minutes.
- After no more than 180 minutes of inactivity, Authorized Users must automatically be signed out of Remote Desktop access and must reauthenticate.
3.4 SSH (Secure Shell) Remote Access
Secure Shell is a network protocol used to access a remote machine or to execute commands on a remote machine. It provides secure encrypted communications between two hosts over an unsecured network. Remote access services must be protected and implemented in such a way that they do not put 绿巨人视频 resources at risk.
3.4.1 The following requirements do not apply to sessions where access occurs from one campus to another or is restricted to trusted hosts.
3.4.1.1 Inbound SSH access is limited to 绿巨人视频 networks and specific use cases. Please submit a security exception request to request direct inbound SSH access without using the 绿巨人视频 VPN.
3.4.1.2 Recognized best practices must be implemented to secure the SSH server against unauthorized access, such as firewalls and other network-based access controls. Additional examples may include, but are not limited to, requiring certificate and password authentication, deny-by-default firewall rules, active denial of hosts performing brute-force attacks, and disabling remote login for a superuser account.
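Sections 3.1.7 and 3.4.1.2 together name the fields a remote access log must carry and call for active denial of hosts performing brute-force attacks. The Python below is an added example, not part of this standard or of any University tooling: it parses constructed sshd syslog lines into records carrying those fields (the local IP is supplied by the caller, since sshd does not log it) and flags sources that exceed a failure threshold inside a time window, which is the signal a deny-list mechanism would act on. The log lines, hostnames, addresses and threshold values are all assumptions.

```python
import re
from datetime import datetime

# Constructed sshd syslog lines (not from the page or any real host).
SAMPLE_LOG = """\
Jan 14 09:12:01 bastion sshd[4021]: Accepted publickey for alice from 203.0.113.10 port 51234 ssh2: RSA SHA256:abcd
Jan 14 09:13:05 bastion sshd[4030]: Failed password for root from 198.51.100.7 port 40001 ssh2
Jan 14 09:13:09 bastion sshd[4031]: Failed password for invalid user admin from 198.51.100.7 port 40002 ssh2
Jan 14 09:13:12 bastion sshd[4032]: Failed password for invalid user test from 198.51.100.7 port 40003 ssh2
Jan 14 09:13:15 bastion sshd[4033]: Failed password for root from 198.51.100.7 port 40004 ssh2
Jan 14 09:13:20 bastion sshd[4034]: Failed password for bob from 198.51.100.7 port 40005 ssh2
Jan 14 09:30:00 bastion sshd[4100]: Failed password for bob from 192.0.2.5 port 50010 ssh2
Jan 14 09:30:40 bastion sshd[4101]: Accepted password for bob from 192.0.2.5 port 50011 ssh2
"""
# Matches the Accepted/Failed authentication lines sshd writes; anything else is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<outcome>Accepted|Failed) "
    r"(?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse_line(line, local_ip, year=2024):
    """Return a record carrying each field 3.1.7 requires, or None for non-auth lines."""
    if not (m := LINE_RE.match(line)):
        return None
    return {
        "time": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
        "success": m["outcome"] == "Accepted",
        "event_type": "ssh-auth-" + m["method"],  # e.g. ssh-auth-publickey
        "user": m["user"],
        "remote_ip": m["ip"],
        "local_ip": local_ip,  # sshd does not log it, so the collector supplies it
    }

def parse_log(text, local_ip):
    return [r for r in (parse_line(l, local_ip) for l in text.splitlines()) if r]

def brute_force_sources(records, threshold=5, window_seconds=600):
    # Remote IPs with at least `threshold` failed logins inside one window.
    fails = {}
    for r in records:
        if not r["success"]:
            fails.setdefault(r["remote_ip"], []).append(r["time"])
    flagged = set()
    for ip, ts in fails.items():
        ts.sort()
        if any((ts[i + threshold - 1] - ts[i]).total_seconds() <= window_seconds
               for i in range(len(ts) - threshold + 1)):
            flagged.add(ip)
    return flagged
```

Running `brute_force_sources(parse_log(SAMPLE_LOG, "10.0.0.5"))` flags only 198.51.100.7, whose five failures fall within fifteen seconds; the single failure from 192.0.2.5 followed by a success is ordinary user behaviour and is left alone.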
3.5 Third Party Remote Access
3.5.2 Vendors and contractors must have a 绿巨人视频-sponsored account to utilize 绿巨人视频 remote access solutions.
3.5.3 All third parties must adhere to all 绿巨人视频 policies and standards.
3.5.4 All third parties granted remote access to 绿巨人视频 technology resources are responsible for ensuring the external networks used to access the 绿巨人视频 network are secure.
3.5.5 绿巨人视频 does not guarantee a remote access connection to the 绿巨人视频 network to any third party.
3.5.6 Connections provided to third parties will be based on the principle of least privilege to conduct business relative to the contractual relationship established.
3.6 Telecommuting and Remote Work Guidance
Telecommuting permits authorized employees to work at an alternative location for all or a portion of the work week. The telecommuting policy outlines conditions applicable to employees working in alternative locations, including compliance, work schedules, compensation, use of equipment and materials, expenses, and confidentiality. Please contact your supervisor for guidance on telecommuting policies. Information can be found at: /human-resources/flexible-work-arrangements.
DOCUMENT HISTORY
- Approved by: Tom Nudd, Chief Information Security Officer
- Reviewed by: Dr. David A Yasenchock, Director, Cybersecurity GRC
- Revision History:
- V1.00 October 14, 2022, Cybersecurity GRC Working Group
- V1.1 April 23, 2024, Cybersecurity GRC Working Group
- May 30, 2024, K SWEENEY, Revised formatting