Remote Access Security Standard

1 PURPOSE

This standard aims to establish authorized methods for remotely accessing ��쿪��ֱ�� (��쿪��ֱ��) resources and services.

2 SCOPE

This Standard applies to any ��쿪��ֱ��-authorized user accessing University Technology Resources from an external network using remote access solutions.

3 STANDARD

3.1 Remote Access

3.1.1 Approved remote access technologies must be used to connect to ��쿪��ֱ�� technology resources from a non-university location.

3.1.2 Authorized users must never share their credentials to facilitate remote access authentication for unauthorized individuals.

3.1.3 Multi-factor authentication (MFA) is required for all remote access solutions when feasible.

3.1.4 Institutionally owned devices or personal devices connected to a ��쿪��ֱ�� network or ��쿪��ֱ�� information technology resource or used to conduct ��쿪��ֱ�� business are required to meet minimum security standards outlined in the Endpoint Management Standard for remote access.

3.1.5 Devices and software used for remote access must be approved by the Information Security Officer/designated security representative.

3.1.6 When feasible, remote access technologies must use a centrally managed authentication system for administration and user access authentication.

3.1.7 Remote access traffic is subject to monitoring for anomalous and malicious behavior. Remote access logs will be kept for at least 90 days and must contain successful/unsuccessful login attempts, event type, date/time, associated user, and remote and local IP Addresses.

3.1.8 At least 90 minutes of inactivity, remote access sessions must require re-authentication, or devices must utilize lockout/screen lock mechanisms based on operational needs to prevent unauthorized access.

3.1.9 Remote access sessions must time out after 24 hours and require re-authentication before re-use.

3.1.10 Any requirements for extended access must submit a security exception request.

2.2 Virtual Private Network (VPN) Access:

3.2.1 ��쿪��ֱ�� provides Virtual Private Networks (“VPNs”) (e.g., Global Protect, Pulse Secure) to permit access to University Information Systems.

3.2.2 All authorized ��쿪��ֱ�� users may utilize the benefits of the ��쿪��ֱ�� Virtual Private Network (VPN) to access University computing resources to which they have been granted access.

3.2.3 Enterprise and/or other ��쿪��ֱ�� VPN gateways are managed by or in conjunction with the ��쿪��ֱ�� ET&S Information Technology Services network and security staff.

3.2.4 Remote VPN access to ��쿪��ֱ�� Resources is only permitted using the following approved VPN technologies: Global Protect / Pulse Secure.

3.2.5 VPN gateways may only be established by ET&S Networking. No other department or individual may implement VPN Gateways to ��쿪��ֱ�� Technology Resources without prior authorization. ��쿪��ֱ�� reserves the right to monitor unauthorized VPNs and disable access to those devices that could cause harm to the stability of the ��쿪��ֱ�� network.

3.2.4 ��쿪��ֱ�� VPNs will employ, at minimum, AES-256 Advanced Encryption Standard to ensure confidentiality over remote connections.

3.2.4.1 “Split Tunneling - routing some of your applications or device traffic through an encrypted VPN, while other applications or devices have direct access to the internet” should only be used if there is an operational need.

3.2.4.2 Remote access VPN may not be permitted from some locations, such as embargoed or sanctioned countries.

3.2.4.3 Authorized users must always disconnect from a VPN solution when not in use

3.3 Remote Desktop Access

The University provides programs or operating system features that allow authorized users to connect remotely to a physical or virtual computer located on the Campus Network on which a remote computer resides (“Remote Desktop”).
Remote Desktop access is subject to permissions granted by University Information System owners.
Remote Desktop access solutions (e.g., Remote Desktop Protocol) are provided to permit authorized users access to computers located on-campus from an off-campus location.
Use of unauthorized third-party remote desktop services (e.g., gotomypc.com, logmein.com) is strictly prohibited unless the service utilizes Enterprise Directory Services and 2FA for Authentication. Authorized Users must never install or configure unapproved Remote Desktop solutions on their University Device that permits connections from other devices.
Remote Desktop access is provided for both personal devices and University devices.
Remote Desktop access, or similar secure, approved solutions, must be utilized when a personal device is the only option available to conduct Privileged Access to a University Information System.
Remote Desktop access screen must be configured to lock and require user to re-authenticate if left unattended for more than 15 minutes.
After no more than 180 minutes of inactivity, Authorized Users must automatically be signed out of Remote Desktop access and must reauthenticate.

3.4 SSH (Secure Shell) Remote Access

Secure Shell is a network protocol used to access a remote machine or to execute commands on a remote machine. It provides secure encrypted communications between two hosts over an unsecured network. Remote access services must be protected and implemented in such a way that does not put ��쿪��ֱ�� resources at risk.

3.4.1 The following requirements do not apply to sessions where access occurs from one campus to another or is restricted to trusted hosts.

3.4.1.1 Inbound SSH Access is limited to ��쿪��ֱ�� networks and specific use cases. Please submit a security exception request to request direct inbound SSH Access without using the ��쿪��ֱ�� VPN.

3.4.1.2 Recognized best practices must be implemented to secure the SSH server against unauthorized access, such as firewalls and other network-based access controls. Additional examples may include but are not limited to requiring certificate and password authentication, deny-by-default firewall rules, active denial of hosts performing brute-force attacks, and disabling remote login for a superuser account.

3.5 Third Party Remote Access

3.5.2 Vendors and contractors must have a ��쿪��ֱ�� 쿪��ֱ��-sponsored account to utilize ��쿪��ֱ�� remote access solutions.

3.5.3 All third parties must adhere to all ��쿪��ֱ�� policies and standards.

3.5.4 All third parties granted remote access to ��쿪��ֱ�� technology resources are responsible for ensuring the external networks used to access the ��쿪��ֱ�� network are secure.

3.5.5 ��쿪��ֱ�� does not guarantee a remote access connection to the ��쿪��ֱ�� network to any third party.

3.5.6 Connections provided to third parties will be based on the principle of least privilege to conduct business relative to the contractual relationship established.

3.6 Telecommuting and Remote Work Guidance

Telecommuting permits authorized employees to work at an alternative location for all or a portion of the work week. The telecommuting policy outlines conditions applicable to employees working in alternative locations, including compliance, work schedules, compensation, use of equipment and materials, expenses, and confidentiality. Please contact your supervision for guidance on telecommuting policies. Information can be found at: /human-resources/flexible-work-arrangements.

DOCUMENT HISTORY

Approved by: Tom Nudd, Chief Information Security Officer
Reviewed by: Dr. David A Yasenchock, Director, Cybersecurity GRC
Revision History:
- V 1.00 October 14, 2022, Cybersecurity GRC Working Group
- V1.1 April 23, 2024, Cybersecurity GRC Working Group
- May 30, 2024, K SWEENEY, Revised formatting

��쿪��ֱ��������