Standard for Secure Remote Access
The following security standard defines secure remote access and the tools and practices it requires. It is intended to ensure that remote access to the Weber State University network and to high risk/confidential information is performed in a secure fashion. For the purposes of this standard, remote access means access to university resources over the network, regardless of whether the connection originates on campus or off campus.
Remote access to the WSU network, servers and data is a privilege. The University is responsible for controlling access to student, employee and other high risk, restricted and/or confidential records under FERPA (Family Educational Rights and Privacy Act), GRAMA (Government Records Access and Management Act), GLB (Gramm-Leach-Bliley) and other legislation. To that end, the university requires that remote access to high-risk, restricted and/or confidential records be encrypted in transit over public or unsecured networks (e.g. the Internet).
It is recognized that some departmental personnel may not be able to comply with this standard immediately. Therefore, Information-Security-Office-approved compensating controls must be in place until compliance can be reached.
Guidelines for remote access to WSU’s network:
· The approved remote access methods for off-campus access are VPN (Virtual Private Network) and SSH (Secure Shell) for registered hosts (servers).
· For on-campus remote access to high-risk, restricted and/or confidential records, only secure, encrypted remote control tools such as Remote Desktop or SSH may be used. Unencrypted remote control tools such as telnet and VNC must not be used, because they expose credentials and screen or session contents to anyone who can observe the network.
· Remote access tools used from off-campus to reach systems on campus may only be used in conjunction with the VPN client.
· The use of remote control services such as GoToMyPC.com is discouraged.
· Individuals who remotely access University servers may only download replicated University data, such as student records, onto University-owned computers. Under University Policy this means that replicas of any high-risk, restricted and/or confidential data may not be stored on non-WSU or personally owned computers.
· Any high-risk, restricted and/or confidential data temporarily present on a non-WSU or personally owned computer must be completely deleted from that computer and any associated equipment or media.
Remote access may be blocked at any time for any of the following reasons:
- Failure to adequately protect university data.
- Evidence of security compromise in login credentials and/or hardware or software used for access.
- Any violation of the WSU Acceptable Use Policy (PPM 10-2).
- At the discretion of a dean or supervisor.
Blocked access may be reinstated with verification that the problems that resulted in access being blocked have been adequately addressed and resolved.
The following tools and practices are required on every computer used for remote access, whether university-owned, non-WSU or personally owned:
- Antivirus software, with daily signature updates and scheduled full system scans enabled.
- Patched with the latest approved security patches, including those for Internet Explorer.
- Windows Update must be enabled and set to auto-install updates.
- A secure and encrypted remote-control application.
- VPN software installed and used whenever the remote control application is being used.
- Personal firewall.
- A technology or process for detecting and removing spyware.
Individuals must coordinate with their departmental computing support person to determine which specific vendors' tools to use and to obtain information on how the tools will be supported. To receive Service Desk support, staff members must use the listed tools and run the Windows XP, Mac OS or Linux operating system.
Service Desk supported tools:
- Cisco VPN Client - provides a secure connection between the remote computer and the WSU campus.
- McAfee VirusScan - VirusScan protects against viruses and worms, while the ePO (ePolicy Orchestrator) utility allows controlled DAT (signature) updates and reporting of problems from VirusScan.
- Microsoft Remote Desktop
Departmental computing support personnel may alternatively specify a different set of tools or may choose to provide a computer that is pre-built and includes the necessary tools. Finally, staff members have the option of selecting their own tools, but support will not be provided for vendor tools not listed above.
Third Party Remote Access:
· Third party users must have a WSU sponsor who completes the Remote Access Registration form, located on WSU’s Portal web page, on their behalf.
· Third parties must adhere to all University policies and standards to ensure University resources are adequately protected.
VPN Technical Requirements:
- The University VPN will be configured to allow remote VPN access to WSU’s network.
- Management of the VPN concentrator is the responsibility of the Network Security Administrator.
- The VPN concentrator must be configured to not use split tunneling, to reduce security risks. Without split tunneling, all traffic from the remote computer goes through the VPN “tunneled” connection; with it, the computer would be connected to an untrusted network and the campus network at the same time, giving anything on that untrusted network a path toward campus through the connected host. This means a home user connected through a VPN connection will not be able to reach a networked printer or other networked resources on the home network while the VPN is up.
- Any VPN session that is idle for 30 minutes will be disconnected.
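The split-tunneling requirement above can be verified from the client side by looking at the routing table: with tunnel-all in effect the default route points into the VPN adapter, and the only destination still routed out of the physical interface should be the VPN gateway itself. The following is an added example (not part of the WSU standard and not Cisco's or the university's code) that classifies a Linux `ip route show` listing as full-tunnel, split-tunnel or VPN-down and reports which prefixes bypass the tunnel. The interface name `tun0`, the gateway address 203.0.113.5 and the route listings are constructed assumptions for illustration.

```python
"""Added example: detect split tunneling from a client's routing table.

Assumptions (not from the standard): the VPN adapter is `tun0`, the VPN
gateway is 203.0.113.5, and routes are in Linux `ip route show` format.
"""
import re

# Constructed sample: VPN up with NO split tunneling. The default route goes
# into tun0; the only route out of eth0 besides the connected LAN is the
# host route to the VPN gateway, which must stay outside the tunnel.
FULL_TUNNEL = """\
default via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.23
203.0.113.5 via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
"""

# Constructed sample: split tunneling. Only the (assumed) campus prefix
# 198.51.100.0/24 is sent through tun0; everything else leaves via eth0.
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev eth0
198.51.100.0/24 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.23
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
"""

# destination, optional "via <gateway>", then "dev <interface>"
ROUTE_RE = re.compile(
    r"^(?P<dst>default|\S+)(?: via (?P<gw>\S+))? dev (?P<dev>\S+)"
)


def parse_routes(text):
    """Return a list of {dst, gw, dev} dicts, one per recognised route line."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append(m.groupdict())
    return routes


def classify_tunnel(text, vpn_dev="tun0"):
    """Return 'down' (no VPN routes), 'full' (default route via the VPN
    adapter) or 'split' (VPN up but default route via another interface)."""
    routes = parse_routes(text)
    if not any(r["dev"] == vpn_dev for r in routes):
        return "down"
    defaults = [r for r in routes if r["dst"] == "default"]
    if defaults and defaults[0]["dev"] == vpn_dev:
        return "full"
    return "split"


def leaked_prefixes(text, vpn_dev="tun0", vpn_gateway="203.0.113.5"):
    """Destinations routed around the tunnel, excluding the host route to the
    VPN gateway (which is required for the tunnel to exist at all)."""
    return [
        r["dst"]
        for r in parse_routes(text)
        if r["dev"] != vpn_dev and r["dst"] != vpn_gateway
    ]


if __name__ == "__main__":
    for name, table in (("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL)):
        print(name, classify_tunnel(table), leaked_prefixes(table))
```

Even in the full-tunnel case the connected-LAN route (192.168.1.0/24 here) normally stays in the kernel table; a client enforcing tunnel-all typically blocks that local traffic with its own filter rather than by deleting the route, which is why the home printer becomes unreachable. Treat anything `leaked_prefixes` reports as something to confirm against the client's policy, and treat a `split` result as a violation of the requirement above.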
Questions/comments should be directed to the Network Security Administrator by sending an e-mail to firstname.lastname@example.org.