Remote Access Standard

PURPOSE

Remote Access refers to the ability to access UMW network resources while off campus. Security measures for remote access should be implemented based on sensitivity and risk to University systems and data.

Standard

  • A virtual private network (VPN) connection must be established during the off‐site remote access of sensitive IT systems (e.g. all systems storing ‘highly sensitive’ data as defined in UMW’s Data Classification Standard), to ensure all exchanges of sensitive information are encrypted. (An exception to this is individual access to Banner Self Service, which is granted by default to all faculty, staff and students for web-based self-service processing.)
  • Authentication to Internet Native Banner is restricted per the Administrative Data Access Policy and requires the use of VPN for remote access.
  • All remote file transfers of either ‘highly sensitive’ or ‘protected’ data, as defined in UMW’s Data Classification Standard, must utilize encryption (e.g. sftp, https).
  • VPN access is limited to Faculty and Staff by default and is authenticated against the ALL_UMW_Faculty_Staff Security Group in Active Directory. Students do not have VPN capabilities.
  • A Contractor, Temporary, or Volunteer worker requiring VPN access must fill out a compulsory form in Human Resources prior to being granted access. They will require a UMW sponsor who must submit the request to the ISO for final approval. Once approved, they will be entered into Banner, whereby an account will then be created in Banner and AD. They can get instructions on how to install the required Cisco software client by going to: http://technology.umw.edu/connecting/offcampus-network-access/
  • Users of non-university-owned equipment must follow the IT Malicious Code Protection Standard.
  • Records logging remote connections must be maintained and reviewed according to the University Monitoring and Logging Procedure.
  • VPN authentication is required in addition to network authentication to remotely access back-end servers and is limited to local accounts provisioned by the Server Administrator. Infrastructure equipment authentication is maintained via TACACS. Local accounts are provisioned for Network Services staff only.

Approvals and Revisions

Original Document Version November, 2010

Reviewed and Approved March 2, 2011 by Director, IT Security (ISO)