IT REMOTE ACCESS POLICY

Transcription

1 IT REMOTE ACCESS POLICY PURPOSE The purpose of this Policy is to define requirements for remote connectivity to Brock University s systems, services and data that are not explicitly publically accessible using any device, regardless whether the device is University- or personallyowned. This is to minimize the potential exposure to Brock University of damages which may result from unauthorized use of Brock resources. SCOPE This Policy applies to all employees (i.e., faculty, staff), students, consultants, vendors or any third party affiliate connecting remotely to Brock University s network via the University s provided VPN service. It does not apply to University applications explicitly made available through the internet (e.g., , my.brocku.ca). The scope of this Policy includes all users of remote access systems. POLICY STATEMENT All remote access not explicitly made public must be established by a secured and centrally managed service (e.g., Virtual Private Network (VPN)) that complies with the Standards for Remote Access Users are not permitted to be connected to multiple networks while using VPN (i.e., no split tunneling) Server logs of all VPN access must be retained for a minimum period of 90 days for review / audit. DEFINITIONS Remote Access: Access to Brock University systems from an untrusted network zone (e.g., Internet). Remote Access System: A service (e.g., VPN) which provides remote access to non-public Brock University systems and Page 1 of 2

2 services. Virtual Private Network (VPN): A secured private network connection built on top of a public network. VPN provides a secure tunnel over the internet between a computer and a private network. COMPLIANCE AND REPORTING Information Technology Services ( ITS ) enforces this Policy and the related Standards at all times. Anyone who has reason to suspect a deliberate and / or significant violation of this Policy must promptly report it to the ITS Help Desk. Policy violations that come to the attention of the ITS Help Desk will be escalated to the Director, Infrastructure. Policy violations will be assessed and action taken to remediate the violation subject to collective agreements and / or other contractual conditions. Where Policy violations are considered severe and / or cannot be easily remediated, the incident will be escalated to the Associate Vice-President, ITS for further action. Periodically, the AVP, ITS will provide to SAC a summary of all policy violations. Policy owner: Associate Vice-President, Information Technology Services Authorized by: Board of Trustees, Capital Infrastructure Committee Accepted by: SAC Effective date: March 2016 Next review: March 2017 Revision history: New Related documents: Standards for Remote Access Logical Access Acceptable Use IT Remote Access Policy Page 2 of 2

3 Brock University Version 0.7 Prepared By: Sergio Sartor Andreas Paulisch Chad Cupola

4 Contents 1. Revisions... 3 i. Document Editors... 3 ii. Document Reviewers... 3 iii. Intended Audience... 3 iv. References and Related Documents Purpose Requirements Virtual Private Network (VPN) and Remote Access Services (RAS) Identity Authentication VPN Sessions Remote Computing Devices and Software VPN Service for Brock Users VPN Service for NON-Brock Users Sensitive Information Monitoring VPN Usage VPN Implementation VPN Compliance VPN Security Assessments Responsibilities VPN Users VPN Administrators Remote Access Definitions

5 1. Revisions Version Primary Author(s) Description of Version Date 0.5 Various Initial implementation November 25, Sergio Sartor Updated based on internal ITS feedback December 12, 2014 i. Document Editors Reviewer Section(s) ii. Document Reviewers Reviewer Section(s) iii. Intended Audience This document is intended for all users and administrators of Virtual Private Networking remote access at Brock University. iv. References and Related Documents Version Title Document Location Date Accessed mm/dd/yyyy 3

6 1. Purpose This document outlines requirements that must be adhered to when using, deploying and administering Virtual Private Networks to connect to Brock University s systems and data from an untrusted network zone (eg. Internet). This document contains requirements that are specific to usage, administration, setup, maintenance and configuration. 2. Requirements 2.1 Virtual Private Network (VPN) and Remote Access Services (RAS) Virtual Private Networking (VPN) and Remote Access Services opens a door to Brock s network and extends it to the remote computer. It is imperative that these services be centrally reviewed, monitored and approved. Only remote access services that comply with the requirements in this document will be permitted to connect to Brock s network. Non-compliant remote access services will be reported to Director, IT Infrastructure and the administrator will be required to implement appropriate controls or the solution will be shut down. All systems and services not purposely made public available through the internet by ITS must be accessed through a remote access service. 2.2 Published Services Requests to make new services publically accessible must be submitted via an ITS Help Desk Ticket for review, risk assessment and change control scheduling. These changes must be made in compliance with the policy and standard for Firewalls. 2.3 Identity Authentication The identity of a user connecting via a remote access service must be authenticated upon initiation of each session. Automated log ins are not permitted. 4

7 2.4 Remote Access Sessions Termination of remote access sessions must occur after a period of inactivity of sixty (60) minutes in order to reduce the possibility of unauthorized users accessing unattended devices. Split tunneling will be disabled so that devices connected to Brock s network cannot be connected to other networks at the same time. 2.5 Remote Computing Devices and Software Remote devices must be operated in accordance with and maintain a level of security commensurate with that enforced on devices connected to the local area network. To achieve this principle, all VPN connected users must: Have vendor supported operating system and software that is up to date; Be protected with a personal or desktop firewall; Be protected with antivirus/anti malware software with signatures that are automatically updated. 2.6 Remote Access Service for Brock Users Active Staff, Faculty and Students are eligible for Remote access. Staff and faculty user accounts are automatically granted Remote access rights to core services such as printing and file shares. Course instructors may request remote access on behalf of their students for the duration of the course if they need to access networked resources not available through normal means. This is completed via an ITS Help Desk ticket. Additional services (eg. remote desktop, SSH) may be requested via an ITS help desk ticket and granted on a per user account basis. 2.7 Remote Access Service for NON-Brock Users Brock employees may request that remote access to Brock s network be provided to individuals external to Brock via the Information Technology Services Help Desk. Such accounts will be set up by the Help Desk with a defined expiry date not exceeding 30 days or the length of a contracted agreement. The account may be renewed upon request by a Brock employee. 5

8 An up-to-date list of all external user accounts with remote access must be maintained by the ITS Help Desk. The list must include the expiry date, user s contact information including referring department, home and cell contact information. 2.8 Sensitive Information Brock University sensitive data (such as credit card information) must not be downloaded or stored on the remote device. 2.9 Monitoring Remote Access Usage A central remote access log must be maintained by ITS and retained for a minimum period of 90 days. The log must contain successful and failed login attempts Remote Access Implementation Equipment used to provide and support remote access gateways must be: Placed in a DMZ Hardened with updated patches and antivirus. Comply with the Policy and Standards for System Security Administrative access to remote access services must be limited to authorized and trained technical staff whose identity is authenticated using a strong and centrally administered authentication mechanism (i.e., no local user accounts). Remote access services which are not managed by ITS will be reviewed and monitored for compliance with the policy and standards for remote access. Remote access services can be requested by creating a Schedule 8 project request Remote Access Compliance Policy violations that come to the attention of the ITS Help Desk will be reported to the Director, IT Infrastructure. In the event that the issue is not remediated, it will be escalated to the AVP, ITS. 6

9 Periodically, the AVP, ITS will provide a summary of policy violations to SAC in order to raise awareness and achieve compliance with this Policy and related Standards Remote Access Security Assessments Remote Access infrastructure is a boundary level control for the entire Brock network and therefore must be reviewed for security posture, assessed regularly and when there is significant change to the technology, physical design or other elements that may introduce new threats or vulnerabilities. This assessment will be conducted as part of the change management process 3. Responsibilities 3.1 Remote Access Users All Remote Access users are responsible for: Adhering to the Remote Access Policy and related standards and the University s Acceptable Use Policy Ensuring that security safeguards installed to protect their remote device are not disabled or tampered with Exercising good judgment regarding the selection of remote device used to connect the remote access service Avoiding use of public terminals Protecting Brock University systems and data from unauthorized individuals Reporting any suspected security breaches to the ITS Help Desk. 3.2 Remote Access Administrators Remote Access administrators are responsible for: Ensuring that a request for termination of a VPN privileges is promptly acted upon Monitoring the administration, operations and security of the VPN infrastructure for adherence to these requirements Ensuring that security testing and evaluation of the VPN gateway is completed whenever there is a change that could introduce new threats or vulnerabilities. 7

10 4. Remote Access Definitions Demilitarized Zone (DMZ): A DMZ is a computer host inserted as a neutral zone between a company s private network and the outside public network. It prevents outside users from getting direct access to company data. Remote Access: Access to a Brock University system from an untrusted network zone (e.g., Internet). Remote Access System: A service (eg. VPN) which provides remote access to non-public Brock University systems and services. Remote Desktop: Is a program or operating system feature that allows the user to connect to a computer in another location. Secure Shell (SSH): SSH is a secure shell user for remote command line login, remote command execution and other secure network services between networked computers. Virtual Private Network (VPN): A secured private network connection built on top of a public network. VPN provides a secure tunnel over the internet between a computer and a private network. 8