Information Technology Standard 02.6.0

Remote Access and Virtual Private Network Standard


Date of Current Revision or Creation:ÌýDecember 1, 2019


The purpose of an Information Technology Standard is to specify requirements for compliance with Â鶹´«Ã½ Information Technology policies, other University policies, as well as applicable laws and regulations. Standards may include business principles, best practices, technical standards, migration and implementation strategies, that direct the design, deployment and management of information technology.

Purpose

The purpose of this compliance standard is to define the tools and practices used for connecting to the University's information technology resources from any host remote to the University. The intent of this standard is to augment the established Telecommuting Policy and minimize the potential exposure to information technology provide a clear understanding of technology requirements of remote access. Remote access includes VPN, SSH, and any other technology that may be used to access Â鶹´«Ã½'s network remotely on or off campus.

Definitions

ITS is the acronym for the official name of Information Technology Services.

Institutional Data - Recorded information that documents a University business-related transaction or activity by or with any appointed board member, officer, or employee of the University. Regardless of physical form, characteristic, or source, the recorded information is a University record if it is produced, collected, received or retained in pursuance of law or in connection with the transaction of University business. The medium upon which such information is recorded has no bearing on the determination of whether the recording is a University record. University records include but are not limited to personnel records, student records, academic records, financial records, patient records and administrative records. Record formats/media include but are not limited email, electronic databases, electronic files, paper, audio, video and images

Remote Access is any access to Â鶹´«Ã½'s network from a non-campus network through ITS managed devices as well as self-administered or personally owned devices.

Telecommuting is working in a location other than the traditional office setting, which may include a telecommuter's home. Telecommuting utilizes communication technology (telephone, computer, fax machine, remote access to a data processing network, etc.) to transport information, but may be accomplished with as little as a telephone.

User includes anyone who accesses and uses the Â鶹´«Ã½ information technology resources.

Virtual Private Network (VPN) is a secure encrypted network connection over the Internet between an individual and a private network.

Standards Statement

All authorized Â鶹´«Ã½ employees and third parties may utilize the benefits of the Virtual Private Network (VPN) to access University computing resources to which they have been granted access.

Users must follow ITS Standard 04.2.0 (Account Management Standard).

VPN gateways are set up and managed by Information Technology Services network and security staff. No other department may implement VPN services unless approved by Information Technology Services. Cloud-based software remote administration tools which provide direct access to campus workstations without the use of the campus VPN (such as TeamViewer, LogMeIn, GotoMyPC, Splashtop) are explicitly prohibited. Exceptions may be granted on a case-by-case basis upon request to the ITS Security team for vendor remote support purposes. The University reserves the right to monitor for unauthorized VPNs and disable access of those devices performing non-sanctioned VPN service.

To protect the integrity and security of data, ITS may require connecting to the VPN before using remote management applications such as Remote Desktop Protocol (RDP) or Secure Shell (SSH) to access a University IT service.

When actively connected to the Â鶹´«Ã½ network, the VPN will force all traffic to and from the workstation over the VPN tunnel; split tunneling is not permitted.

VPN users will be automatically disconnected from Â鶹´«Ã½ network after one hundred twenty (120) minutes of inactivity. The user must then logon again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.

VPN connection time is limited to an absolute continuous connection time of 12 hours. Users may reconnect if necessary.

Communications on the University's computer systems may be monitored and/or recorded to ensure the effective operation of these systems and for other legal purposes.

VPN Accounts
A Virtual Private Network (VPN) connection is available to all full-time employees and authorized third parties with a need to access resources internal to the campus network. (Part-time staff are ineligible for remote work and therefore do not generally get VPN accounts.) Vendors may be provided accounts through a sponsoring department.

Accounts requests are made via an electronic account request form available at . The successful completion of online training is required before users may download and install the VPN client software to their device.

VPN access is controlled via Monarch-Key authentication and password complexity rules are enforced per ITS standards. Users who are enrolled in multi-factor authentication will be prompted for additional credentials upon attempting to connect.

Telecommuting policy
Telecommuting permits authorized employees to work at an alternative location for all or a portion of the work week. The telecommuting policy outlines conditions applicable to employees working in alternative locations, including compliance, work schedules, compensation, use of equipment and materials, expenses and confidentiality. For more information on the Telecommuting Policy, Contact Human Resources.

REQUIREMENTS

User Responsibilities
Users, including faculty, staff, students and other agents accessing information technology resources from a non-campus location must be authorized to access the data. Remote work is done in compliance with the Commonwealth of Virginia Human Resources Policy 1.61.

  • Secure remote access must be strictly controlled. Access will be controlled via account ID and password.
  • Users working with sensitive or confidential data must use an approved VPN.
  • The University may provide state-owned equipment and materials or authorize the use of personal equipment. It is the employee's responsibility that the all possible measures have been taken to secure a remote access connection.
  • Employees with remote access privileges must ensure that their state-owned or personal computer is not connected to any other network at the same time, with the exception of personal networks that are under the complete control of the user.
  • All hosts including personal computers (or other devices) connected to internal networks via remote access technologies must follow University policies and standards.
  • Users must ensure that unauthorized users are not allowed access to the Â鶹´«Ã½ campus networks.
  • Users must ensure that computers connected to the network via VPN are configured with a supported Operating System with updates enabled, up-to-date anti-virus, and active firewall software. By using VPN technology with personal equipment, users must understand that their machines are an extension of the institution's network and as such are subject to the same rules and regulations that apply to University-owned equipment.

Exceptions
Any exceptions to this Standard must be approved in writing by the Information Security officer or his designee.

Enforcement
Failure to comply may result in disciplinary sanctions consistent with University policies and applicable law.

Procedures, Guidelines & Other Related Information

History

Date

Responsible Party

Action

December 2006

IT Policy Office

Created

February 2014

IT Policy Office

Updated for clarity and to reflect changes in access

August 2016 IT Policy Office Updated for clarity and merged with former ITS Standard 05.4.1 Remote Access Standard
December 2019 IT Policy Office

Updated for clarity and correspondence with existing metrics.

Ìý