Table of Contents
Reason for This Policy
Statement of Policy
Compliance
Who Should Know This Policy
Related Documents
Contacts
Definitions
Reason for this Policy
This policy defines standards for connecting to the Purdue
University network from any remote host. These standards
are designed to minimize the potential exposure to the University
from damages which may result from unauthorized use of University
resources. Damages include the loss of Sensitive or Restricted
Data, including Protected Healthcare Information (PHI); loss
of intellectual property; damage to public image; or damage
to critical internal systems.
Statement of Policy
Scope:
This policy applies to all Remote Users of Purdue University
IT Resources including faculty, staff, students, outside
contractors, vendors, and other agents with a University-owned
or personally-owned computer used to connect to the Purdue
University network. This policy applies to remote access
connections used to do work on behalf of Purdue University,
including but not limited to, reading or sending e-mail and
viewing intranet Web resources.
All remote access implementations at Purdue are covered
by this policy including dial-in modems, frame relay, ISDN,
DSL, VPN, SSH, cable modems, and hardware or services provided
by third parties.
Nothing in this policy supersedes the Secure Computing Best
Practices Document for Electronically Stored Information.
General
- It is the responsibility of Remote Users to ensure that
all possible measures have been taken to secure the
remote machine. When available, this includes hardware
and software firewalls and anti-virus software. A Remote
User's computer system must be at least as secure as its
on-site counterpart.
- Remote Users must comply with federal, state, and local
law and all Purdue policies.
Requirements
- Secure remote access must be strictly controlled. Access
to Purdue IT Resources will be controlled via career
account ID and password.
- All Remote Users working with Sensitive or Restricted
Data must use Purdue VPN services.
- At no time will a Remote User provide their password
to anyone, including family members. ITaP employees
will never ask for a Remote User's password.
- Remote Users must ensure that their University-owned
or personal computer or workstation, which is remotely
connected to the University network, is not connected
to any other network at the same time, other than a Private
Network under the user's control.
- All hosts that are connected to the University network
must use up-to-date anti-virus software, keep virus
definitions up to date, and run regular scans.
- Remote Users must ensure that systems used to connect
to the University network have the most recent operating
system and application patches applied.
Compliance
Anyone found to have violated this policy is subject to
disciplinary action, up to and including termination and/or
expulsion.
Who Should Know This Policy
- President
- Provost
- Executive Vice President and Treasurer
- Chancellors
- Vice Presidents
- Deans
- Directors/Department Heads
- Principal Investigators
- Faculty
- Business Office Staff
- Administrative and Professional Staff
- Clerical and Service Staff
- All Employees
- Undergraduate Students
- Graduate Students
Related Documents
IT Resource Acceptable Use Policy
http://www.purdue.edu/policies/pages/information_technology/v_4_1.html
Secure Computing Best Practices Document for Electronically
Stored Information
http://www.itap.purdue.edu/security/procedures/dataHandling/electrStored.cfm
VPN Instructions
http://www.itap.purdue.edu/connections/vpn/
Contacts
Definitions
| Word | Definition |
| IT Resource | A computing asset provided by the University to further its mission of discovery, learning, and engagement. Examples of such assets include, but are not limited to, network bandwidth, computers, mobile devices, printers, and paper. |
| Protected Healthcare Information | Health information in any form that can be connected to a patient. Health information includes the individual's past, present, or future physical or mental health or condition, the provision of healthcare to the individual, or the past, present, or future payment for the provision of healthcare to the individual. |
| Private Network | Any class A, B, or C IP-based network that employs non-routable addresses as specified in IETF RFC 1918. |
| Remote User | Any user of IT Resources from an off-campus location. |
| Restricted Data | Information protected because of protective statutes, policies, or regulations. This level also represents information that isn't by default protected by legal statute, but for which the information owner has exercised their right to restrict access. |
| Sensitive Data | Information whose access must be guarded due to proprietary, ethical, or privacy considerations. This classification applies even though there may not be a civil or legal statute requiring this protection. |
| VPN | Virtual Private Networking. A mechanism that encrypts the traffic between the VPN Server and the remote computer and allows the remote computer to obtain an onsite IP address. |