Remote Access Policy

POLICY:

Remote access to information technology resources (switches, printers, routers, computers…) and to sensitive or confidential information (social security numbers, credit card numbers, bank account numbers…) is permitted only through secure, authenticated, and centrally managed access methods. Authorized users of Georgia State University computer systems, networks, or data repositories are only permitted to remotely access these systems, networks, or data repositories for the conduct of University-related business.

Rationale:

Increases in non-traditional teaching methods and the increased mobility of faculty and students have made remote access to centralized University assets increasingly important. Opening uncontrolled or unsecured paths into any element of the University network or internal computer systems presents additional risk to the entire University infrastructure. Establishing policy centrally and issuing standards from a central authority allows a minimum number of penetrations of the security of the network while still allowing flexibility in the actual remote connection technology used.

Standards:

A virtual private network (VPN) connection must be established during the off-site remote access of university information technology resources (switches, printers, routers, computers …).

  • A departmental host may provide dial-up modem service ONLY IF that service is limited exclusively to University members and the host prevents connection to the GSU network for those dial-in users.
  • The Information Security Department will be contacted when the use of a VPN is not viable, when additional controls are required, or for “pass list” requests.

Remote access to sensitive information. Systems that contain sensitive student, personnel and financial data will be available for off-site remote access through a centrally managed VPN that provides encryption and secure authentication. Access may be revoked at any time for reasons including non-compliance with security policies, request by the user’s supervisor or negative impact on overall network performance attributable to remote connections. Remote access privileges for University Information will be reviewed upon an employee’s change of departments.

Access/Authentication. The access and authentication system for remote access will be centrally managed.

Endpoint Security. External computers that are used to administer university resources or access sensitive information must be secured. This includes patching (operating system & applications), possessing updated antivirus software, operating a firewall, and being configured in accordance with all relevant university policies/procedures.

Procedures:


Access Georgia State's Network via Virtual Private Network

Secure Your Workstation

Revisions:

Revised for compliance with ISAT Senate Committee recommended formatting.
(January 2003)

Revised for clarification of both VPN usage and endpoint security requirements.
(February 2007)

Approval Date(s):

Reviewed by IST:
Reviewed by Information Security Subcommittee:
Reviewed by ISAT Senate Committee:
Approved by: University Administrative Council
Approved on: December 6, 2000
Version number: 3.0.0
Effective date: December 6, 2000

SUMMARY OF CHANGES/ADDITIONS/DELETIONS

This policy was originally approved by the University Administrative Council on September 8, 1999.

First revision re-validated the intent of the policy. This revision placed the original policy into an ISAT Senate Committee recommended format for clarity and ease of reference and update. As a result of this reformatting, the sections on Procedures were moved to separate Procedure documents that are associated with this policy.

The second revision (approved by University Administrative Council on February 7, 2007) clarified both VPN usage and endpoint security requirements.
