Bentley University Remote Access Policy

  1. Overview and Purpose
  2. Scope
  3. Policy
  4. Exceptions
  5. Enforcement
  6. Policy Support Contact
  7. Approval and Revisions
  8. Supporting Documentation

1.0 Overview and Purpose

The university provides secure remote access technologies that enable authorized users to remotely access the university network and its internal resources. Secure remote access technologies provide several benefits to the organization and its constituents including, but not limited to:

  • Improved productivity and security for remote access users.
  • The protection of communications and transmissions between remote devices and the university network resources.
  • The protection of sensitive university systems and information from unauthorized access.
  • Greater insight into university network traffic and routing, increasing the efficiency and security of activities performed through university remote access technologies.

The purpose of this policy is to define the appropriate users and uses of university remote access technologies.

2.0 Scope

This policy applies to university employees[1], faculty, staff, contractors, vendors, and other personnel who are granted remote access privileges to the university network and its internal resources. This policy does not apply to remote access of publicly (externally) available campus-wide resources such as web email, web sites and applications.

3.0 Policy

Remote access is provided for university related activity only. All devices that are used to connect to the university network through an approved remote access technology are considered to be extensions of the university network and are subject to all applicable university policies, standards and rules.

3.1 Requirements

  • The university’s Acceptable Usage Policy applies to all authorized users of university remote access technologies.
  • Level 1 data cannot be stored (saved) on any devices used for remote access. (Refer to university Data Classification Policy for full details on data types and appropriate usage.)
  • Remote access to internal university applications and networks is currently limited to only authorized VPN technologies and users.
  • Remote access users must not share their login credentials and should take all reasonable efforts to avert accidental disclosure.
  • In order to connect to remote access technologies from off campus, a high-speed internet connection is recommended (i.e. cable modem, DSL, FIOS).

3.2 Authorization

  • All new employees that require remote access as a function of their job should have a remote access account requested via the New Hire Account Request process.
  • All current employees[2], faculty and staff that require remote access as a function of their job must have their supervising manager or director send an email to the university Helpdesk (helpdesk@bentley.edu) requesting an account.
  • All contractors and vendors that require remote access as part of their job requirements with the university must fill out and sign the university remote access request form and confidentiality agreement. Each request will be reviewed and approved by the Director of Systems, Networks, and Telecom.
  • Any exceptions to the authorization process or access model must be reviewed by the Director of Systems, Networks, and Telecom and the Information Security and Privacy Administrator.

3.3 Technology Configuration and Management

  • All university remote access technologies will be configured and managed by the university Information Technology groups.
  • All university remote access technologies must be configured to automatically disconnect after a preset amount of inactivity and/or after a predetermined length of time.
  • All university remote access technologies must employ a secure authentication mechanism.
  • Remote access client installation and configuration is currently only supported for university owned and managed notebooks with a standard configuration.
  • Devices that are used to remotely connect to university administrative applications containing level 1 and level 2 data must be owned and managed by university Information Technology. (Refer to the university Data Classification Policy for full details on data types and appropriate usage.)
  • The following configuration requirements must be enabled on all devices that support them:
    • Antivirus software must be installed and configured to scan on a recurring schedule.
    • The latest antivirus definitions must be updated and installed on a recurring schedule.
    • The latest available patches for the remote access device’s operating system and applications must be configured to automatically download and install on a recurring schedule.
  • The deployment of new remote access technologies must be approved by the Director of Systems, Networks, and Telecom and the Information Security and Data Privacy Administrator.

4.0 Exceptions

Any exceptions to this policy are to be reviewed and approved by the Director of Systems, Networks, and Telecom and the Information Security and Privacy Administrator in consultation with the Information Privacy Committee.

5.0 Enforcement

As described in the university’s Acceptable Usage Policy, anyone found to have violated this policy may be subject to disciplinary action, up to and including immediate termination.

6.0 Policy Support Contact

7.0 Approval and Revisions

This policy is approved by the Information Privacy Committee. The policy is reviewed on an annual basis and updated as needed.

Revision v1: Approved by the Information Privacy Committee on 9/30/2013

8.0 Supporting Documentation

This policy is supported by the following policies, procedures, and/or guidelines:


[1] Non-exempt employees requiring remote access as part of their job function must receive approval from both their management and human resources before being granted an authorized remote access account.

 

[2] Non-exempt employees requiring remote access as part of their job function must receive approval from both their management and human resources before being granted an authorized remote access account.