 |
Longwood University |
Policy
6133
REMOTE
ACCESS
I.
PURPOSE
II.
DEFINITION
A.
Remote Access:
Remote access is the ability to get access to University information technology
(IT) resources and systems without directly connecting to the University’s wired
network.
B.
Virtual Private Network (VPN):
A VPN is a network that uses a public telecommunication infrastructure, such as
the Internet, to provide secure remote access to the University’s network.
III.
POLICY
A.
Remote Access from non-University Owned Computing Devices:
1.
Acceptable solutions for remotely accessing University IT resources and
systems from non-University owned computing devices are:
a.
Use of web-based applications.
b.
Use of Information and Instructional Technology Services (IITS) approved
remote access solutions.
2.
Storing of any University data on non-University owned computing devices
is prohibited due to records retention and Freedom of Information Act (FOIA)
complexities, as well as the associated information security risks.
3.
Eligible employees using non-University owned computing devices for
remote access must be aware of the following requirements:
a.
In the event a non-University owned computing device used for University
business is involved in the investigation of a security incident, the employee
may be required to release the device to law enforcement or the Commonwealth of
Virginia Computer Security Incident Response Team (COV CIRT) for forensic
purposes.
b.
The COV CIRT is obligated to report any illegal activity uncovered during a
security incident investigation, whether the activity is related to the incident
being investigated or not.
c.
While all investigations are confidential, the remote user concedes any
expectation of privacy related to information stored on a personally owned
computing device involved in a security incident.
B.
Remote Access from University Owned Computing Devices:
1.
In addition to the above options, individuals remotely accessing University IT
resources and systems from University owned computing devices may use IITS
approved VPN technology that is permanently installed onto
the devices.
2.
Users should be aware that VPN clients may use encryption technologies protected
by U.S. Government export restrictions. Further details may be found in the
Encryption Policy.
C.
Remote Access from Any Computing Device:
1.
All computing devices used for remote access to the University network must meet
minimum security standards. These devices must utilize malware protection
software as required in the
Malware Protection
policy, up-to-date operating system patches, a personal firewall and a strong
administrator password. (Guidelines for meeting these requirements are available
in items 1-4 of the “Protecting Your Computer” documents for
Personal Computers
and
Macs.)
2.
Users remotely accessing the University’s IT resources and systems from either a
non-University owned or University owned computing device are responsible for
selecting their own Internet Service Provider (ISP) and maintaining compliance
with the contracts and policies of their ISP.
3.
Users must not attempt to bypass inactivity time limits or maximum session
lengths of VPN connections.
IV.
ENFORCEMENT
The University regards any violation of this policy as a serious offense. Violators of this policy are subject to disciplinary action, in addition to possible cancellation of IT resources and systems access privileges. Users of IT resources and systems at Longwood are subject to all applicable local, state and federal statutes. This policy does not preclude prosecution of criminal and civil cases under relevant local, state, federal and international laws and regulations.
Approved by the Board of Visitors, September 12, 2008.
Revised and approved by the Board of Visitors, March 27, 2009.