IT REMOTE ACCESS POLICY




PURPOSE

The purpose of this Policy is to define requirements for remote connectivity to Brock University's systems, services and data that are not explicitly publicly accessible, using any device, regardless of whether the device is University- or personally-owned. This is to minimize the potential exposure to Brock University of damages which may result from unauthorized use of Brock resources.

SCOPE

This Policy applies to all employees (i.e., faculty, staff), students, consultants, vendors or any third party affiliate connecting remotely to Brock University's network via the University's provided VPN service. It does not apply to University applications explicitly made available through the internet (e.g., email, my.brocku.ca). The scope of this Policy includes all users of remote access systems.

POLICY STATEMENT

- All remote access not explicitly made public must be established by a secured and centrally managed service (e.g., Virtual Private Network (VPN)) that complies with the Standards for Remote Access.
- Users are not permitted to be connected to multiple networks while using VPN (i.e., no split tunneling).
- Server logs of all VPN access must be retained for a minimum period of 90 days for review / audit.

DEFINITIONS

Remote Access: Access to Brock University systems from an untrusted network zone (e.g., Internet).

Remote Access System: A service (e.g., VPN) which provides remote access to non-public Brock University systems and services.

Virtual Private Network (VPN): A secured private network connection built on top of a public network. VPN provides a secure tunnel over the internet between a computer and a private network.

COMPLIANCE AND REPORTING

Information Technology Services ("ITS") enforces this Policy and the related Standards at all times. Anyone who has reason to suspect a deliberate and / or significant violation of this Policy must promptly report it to the ITS Help Desk. Policy violations that come to the attention of the ITS Help Desk will be escalated to the Director, Infrastructure. Policy violations will be assessed and action taken to remediate the violation, subject to collective agreements and / or other contractual conditions. Where Policy violations are considered severe and / or cannot be easily remediated, the incident will be escalated to the Associate Vice-President, ITS for further action. Periodically, the AVP, ITS will provide to SAC a summary of all policy violations.

Policy owner: Associate Vice-President, Information Technology Services
Authorized by: Board of Trustees, Capital Infrastructure Committee
Accepted by: SAC
Effective date: March 2016
Next review: March 2017
Revision history: New
Related documents: Standards for Remote Access; Logical Access; Acceptable Use

Brock University
Version 0.7
Prepared By: Sergio Sartor, Andreas Paulisch, Chad Cupola

Contents

1. Revisions
   i. Document Editors
   ii. Document Reviewers
   iii. Intended Audience
   iv. References and Related Documents
1. Purpose
2. Requirements
   2.1 Virtual Private Network (VPN) and Remote Access Services (RAS)
   2.2 Identity Authentication
   2.3 VPN Sessions
   2.4 Remote Computing Devices and Software
   2.5 VPN Service for Brock Users
   2.6 VPN Service for NON-Brock Users
   2.7 Sensitive Information
   2.8 Monitoring VPN Usage
   2.9 VPN Implementation
   2.10 VPN Compliance
   2.11 VPN Security Assessments
3. Responsibilities
   3.1 VPN Users
   3.2 VPN Administrators
4. Remote Access Definitions

1. Revisions

Version | Primary Author(s) | Description of Version | Date
0.5 | Various | Initial implementation | November 25, 2014
0.9 | Sergio Sartor | Updated based on internal ITS feedback | December 12, 2014

i. Document Editors

Reviewer | Section(s)

ii. Document Reviewers

Reviewer | Section(s)

iii. Intended Audience

This document is intended for all users and administrators of Virtual Private Networking remote access at Brock University.

iv. References and Related Documents

Version | Title | Document Location | Date Accessed (mm/dd/yyyy)

1. Purpose

This document outlines requirements that must be adhered to when using, deploying and administering Virtual Private Networks to connect to Brock University's systems and data from an untrusted network zone (e.g., Internet). This document contains requirements that are specific to usage, administration, setup, maintenance and configuration.

2. Requirements

2.1 Virtual Private Network (VPN) and Remote Access Services (RAS)

Virtual Private Networking (VPN) and Remote Access Services open a door to Brock's network and extend it to the remote computer. It is imperative that these services be centrally reviewed, monitored and approved. Only remote access services that comply with the requirements in this document will be permitted to connect to Brock's network. Non-compliant remote access services will be reported to the Director, IT Infrastructure, and the administrator will be required to implement appropriate controls or the solution will be shut down.

All systems and services not purposely made publicly available through the internet by ITS must be accessed through a remote access service.

2.2 Published Services

Requests to make new services publicly accessible must be submitted via an ITS Help Desk Ticket for review, risk assessment and change control scheduling. These changes must be made in compliance with the policy and standard for Firewalls.

2.3 Identity Authentication

The identity of a user connecting via a remote access service must be authenticated upon initiation of each session. Automated logins are not permitted.

2.4 Remote Access Sessions

Termination of remote access sessions must occur after a period of inactivity of sixty (60) minutes in order to reduce the possibility of unauthorized users accessing unattended devices. Split tunneling will be disabled so that devices connected to Brock's network cannot be connected to other networks at the same time.

2.5 Remote Computing Devices and Software

Remote devices must be operated in accordance with, and maintain a level of security commensurate with, that enforced on devices connected to the local area network. To achieve this principle, all VPN connected users must:

- Have a vendor-supported operating system and software that is up to date;
- Be protected with a personal or desktop firewall;
- Be protected with antivirus / anti-malware software with signatures that are automatically updated.

2.6 Remote Access Service for Brock Users

Active Staff, Faculty and Students are eligible for Remote access. Staff and faculty user accounts are automatically granted Remote access rights to core services such as printing and file shares. Course instructors may request remote access on behalf of their students for the duration of the course if they need to access networked resources not available through normal means. This is completed via an ITS Help Desk ticket. Additional services (e.g., remote desktop, SSH) may be requested via an ITS Help Desk ticket and granted on a per user account basis.

2.7 Remote Access Service for NON-Brock Users

Brock employees may request that remote access to Brock's network be provided to individuals external to Brock via the Information Technology Services Help Desk. Such accounts will be set up by the Help Desk with a defined expiry date not exceeding 30 days or the length of a contracted agreement. The account may be renewed upon request by a Brock employee.

An up-to-date list of all external user accounts with remote access must be maintained by the ITS Help Desk. The list must include the expiry date and the user's contact information, including referring department, home and cell contact information.

2.8 Sensitive Information

Brock University sensitive data (such as credit card information) must not be downloaded or stored on the remote device.

2.9 Monitoring Remote Access Usage

A central remote access log must be maintained by ITS and retained for a minimum period of 90 days. The log must contain successful and failed login attempts.

2.10 Remote Access Implementation

Equipment used to provide and support remote access gateways must:

- Be placed in a DMZ;
- Be hardened with updated patches and antivirus;
- Comply with the Policy and Standards for System Security.

Administrative access to remote access services must be limited to authorized and trained technical staff whose identity is authenticated using a strong and centrally administered authentication mechanism (i.e., no local user accounts).

Remote access services which are not managed by ITS will be reviewed and monitored for compliance with the policy and standards for remote access. Remote access services can be requested by creating a Schedule 8 project request.

2.11 Remote Access Compliance

Policy violations that come to the attention of the ITS Help Desk will be reported to the Director, IT Infrastructure. In the event that the issue is not remediated, it will be escalated to the AVP, ITS.
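The two record-keeping requirements above (the external-account list in section 2.7 and the central log in section 2.9) can be checked mechanically. The following Python is an added example, not Brock's or ITS's own tooling; the account field names and the log line format are assumptions, and the sample data is constructed.

```python
from datetime import date, datetime

# Constructed sample of the external-account list that section 2.7 requires the
# ITS Help Desk to maintain. Field names are assumptions, not from the standard.
EXTERNAL_ACCOUNTS = [
    {"user": "vendor-a", "created": "2016-03-01", "expires": "2016-03-25",
     "department": "Facilities", "phone": "555-0100"},
    {"user": "vendor-b", "created": "2016-03-01", "expires": "2016-06-01",
     "department": "Library", "phone": "555-0101"},   # expiry exceeds 30 days
    {"user": "vendor-c", "created": "2016-03-01", "expires": "2016-03-20",
     "department": "", "phone": "555-0102"},          # missing referring department
]

# Constructed sample of the central remote access log from section 2.9.
# The line format (timestamp, user, result) is an assumption.
VPN_LOG = """\
2016-01-02T08:00:00 alice SUCCESS
2016-01-15T09:12:00 bob FAILURE
2016-03-30T17:45:00 alice SUCCESS
2016-03-31T02:03:00 bob FAILURE
"""

MAX_EXTERNAL_DAYS = 30   # section 2.7: expiry not exceeding 30 days
MIN_RETENTION_DAYS = 90  # section 2.9: log retained at least 90 days


def audit_external_accounts(accounts, contract_days=None):
    """Return (user, problem) tuples for accounts violating section 2.7; contract_days
    is the length of a contracted agreement, which the standard allows as a longer ceiling."""
    limit = MAX_EXTERNAL_DAYS if contract_days is None else max(MAX_EXTERNAL_DAYS, contract_days)
    findings = []
    for acct in accounts:
        lifetime = date.fromisoformat(acct["expires"]) - date.fromisoformat(acct["created"])
        if lifetime.days > limit:
            findings.append((acct["user"], f"expiry exceeds {limit} days"))
        for field in ("department", "phone"):  # referring department and contact details
            if not acct.get(field):
                findings.append((acct["user"], f"missing {field}"))
    return findings


def audit_vpn_log(log_text, today):
    """Check the central log against section 2.9: it must cover at least 90 days
    and record both successful and failed login attempts."""
    entries = [line.split() for line in log_text.splitlines() if line.strip()]
    oldest = min(datetime.fromisoformat(ts) for ts, _, _ in entries).date()
    results = [r for _, _, r in entries]
    return {
        "retention_ok": (today - oldest).days >= MIN_RETENTION_DAYS,
        "records_successes": "SUCCESS" in results,
        "records_failures": "FAILURE" in results,
        "failed_logins": results.count("FAILURE"),
    }
```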

Periodically, the AVP, ITS will provide a summary of policy violations to SAC in order to raise awareness and achieve compliance with this Policy and related Standards.

2.12 Remote Access Security Assessments

Remote Access infrastructure is a boundary level control for the entire Brock network and therefore must be reviewed for security posture, assessed regularly, and assessed when there is significant change to the technology, physical design or other elements that may introduce new threats or vulnerabilities. This assessment will be conducted as part of the change management process.

3. Responsibilities

3.1 Remote Access Users

All Remote Access users are responsible for:

- Adhering to the Remote Access Policy and related standards and the University's Acceptable Use Policy;
- Ensuring that security safeguards installed to protect their remote device are not disabled or tampered with;
- Exercising good judgment regarding the selection of the remote device used to connect to the remote access service;
- Avoiding use of public terminals;
- Protecting Brock University systems and data from unauthorized individuals;
- Reporting any suspected security breaches to the ITS Help Desk.

3.2 Remote Access Administrators

Remote Access administrators are responsible for:

- Ensuring that a request for termination of VPN privileges is promptly acted upon;
- Monitoring the administration, operations and security of the VPN infrastructure for adherence to these requirements;
- Ensuring that security testing and evaluation of the VPN gateway is completed whenever there is a change that could introduce new threats or vulnerabilities.

4. Remote Access Definitions

Demilitarized Zone (DMZ): A DMZ is a computer host inserted as a neutral zone between a company's private network and the outside public network. It prevents outside users from getting direct access to company data.

Remote Access: Access to a Brock University system from an untrusted network zone (e.g., Internet).

Remote Access System: A service (e.g., VPN) which provides remote access to non-public Brock University systems and services.

Remote Desktop: A program or operating system feature that allows the user to connect to a computer in another location.

Secure Shell (SSH): SSH is a secure shell used for remote command line login, remote command execution and other secure network services between networked computers.

Virtual Private Network (VPN): A secured private network connection built on top of a public network. VPN provides a secure tunnel over the internet between a computer and a private network.