3.8.10 Remote Access Policy
Remote access to University systems and information will be appropriately provisioned and/or controlled to ensure required security.
The teaching, learning and administrative environment of the University extends beyond the bounds of the campus and beyond the confines of the University’s Intranet domain. Faculty, staff, students, and other Users must have the means to communicate and utilize University information resources from off-campus locations. In most cases, individuals desiring remote access to the University will do so through the Internet using the services of an Internet Service Provider (ISP). The expense and risk of acquiring this external channel for remote access is normally borne by the User.
Remote access security when using an ISP may be limited to secure protocols embodied in web browsers and University servers or may be a function of User installed encryption software. The University’s perimeter firewall or other security devices may control certain types of remote access from the greater Internet. Even so, some on-campus systems may require further firewalls or similar devices to enhance their security when accessed remotely.
While secure web protocols may be sufficient for most access to sensitive information, some remote access activities may require greater levels of security between the University’s most secure systems and a User’s remote system. In these cases, Information Administrators, working with the Information Security Analyst, may require additional authentication, authorization and encryption software and/or hardware before authorization is granted to remotely access the information they steward. For example, a secure, authenticated and encrypted virtual private network (VPN) might be set up between the User’s remote system and the University’s secure network and/or systems. Information Administrators, the Information Security Analyst and those responsible for systems and services must take steps, where possible, to prohibit unauthorized remote access to information resources that require remote access authorization.
The University has, and will, architect its Computing and Communications Resources in a way that provides appropriate on campus system and network security. However, the security of that environment may be endangered by unauthorized connections to the University’s trusted network or to systems attached to that network. Connections inside the campus firewall, for example, direct remote modem connection to campus servers or individual workstations are not permitted except by specific arrangement with the Information Security Analyst. These direct telephone connections create additional access points to the network and increase vulnerability to the entire University network. Concurrent connection of a workstation to the internal local area network and to a modem connection through the telephone system permits the "bridging" of networks and increases the possibility of security breaches. When there is a demonstrated need for direct connection to workstations or other systems on the University network, which cannot be met in any other way, the appropriate Security Administrator, will coordinate installation of the connection and/or appropriate software and ensure that the configuration and connection meets appropriate security requirements.
This policy is not intended to prohibit the use of on-campus wireless connections to the University Network. This policy is also not intended to prohibit the University from offering ISP services as appropriate to its mission. Should the University choose to offer such remote access services, the Information Security Analyst will work with others to ensure such services meet appropriate security requirements. Note that the procedure for exceptions to this policy is detailed under “Exceptions”, earlier in this document (see Table of Contents).
Inappropriately controlled remote access to University Computing and Communications Resources represents a serious threat to the University's electronic information and networked systems.