Remote Access to IT Resources (V.1.6) Interim

POLICY V.1.6 (Interim)
Volume V, Information Technology
Chapter 1, Data Security
Issuing Office: OVPIT
Responsible Officer: VPIT
Responsible Office: OVPIT
Originally Issued: May 25, 2005
Revised: September 25, 2007

Table of Contents

Reason for Policy

This policy defines standards for connecting to the Purdue University network from any remote host. These standards are designed to minimize the potential exposure to the University from damages which may result from unauthorized use of University resources. Damages include the loss of Sensitive or Restricted Data, including Protected Healthcare Information (PHI); loss of intellectual property; damage to public image; or damage to critical internal systems.

Statement of Policy

Scope:

This policy applies to all Remote Users of Purdue University IT Resources including faculty, staff, students, outside contractors, vendors, and other agents with a University-owned or personally-owned computer used to connect to the Purdue University network. This policy applies to remote access connections used to do work on behalf of Purdue University, including but not limited to, reading or sending e-mail and viewing intranet Web resources.

All remote access implementations at Purdue are covered by this policy including dial-in modems, frame relay, ISDN, DSL, VPN, SSH, cable modems, and hardware or services provided by third parties.

Nothing in this policy supersedes the Secure Computing Best Practices Document for Electronically Stored Information.

General

  1. It is the responsibility of Remote Users to ensure that all possible measures have been taken to secure the remote machine. When available, this includes hardware and software firewalls and anti-virus software. A Remote User's computer system must be at least as secure as its on-site counterpart.
  2. Remote Users must comply with federal, state, and local law and all Purdue policies.

Requirements

  1. Secure remote access must be strictly controlled. Access to Purdue IT Resources will be controlled via career account ID and password.
  2. All Remote Users working with Sensitive or Restricted Data must use Purdue VPN services.
  3. At no time will a Remote User provide their password to anyone, including family members. ITaP employees will never ask for a Remote User's password.
  4. Remote Users must ensure that their University-owned or personal computer or workstation, which is remotely connected to the University network, is not connected to any other network at the same time, other than a Private Network under the user's control.
  5. All hosts that are connected to the University network must use up-to-date anti-virus software, keep virus definitions up to date, and run regular scans.
  6. Remote Users must ensure that systems used to connect to the University network have the most recent operating system and application patches applied.

Compliance

Anyone found to have violated this policy is subject to disciplinary action, up to and including termination and/or expulsion.

Who Should Know This Policy

  • President
  • Provost
  • Executive Vice President and Treasurer
  • Chancellors
  • Vice Presidents
  • Deans
  • Directors/Department Heads
  • Principal Investigators
  • Faculty
  • Business Office Staff
  • Administrative and Professional Staff
  • Clerical and Service Staff
  • All Employees
  • Undergraduate Students
  • Graduate Students

Related Documents

IT Resource Acceptable Use Policy
http://www.purdue.edu/policies/pages/information_technology/v_4_1.html

Secure Computing Best Practices Document for Electronically Stored Information
http://www.itap.purdue.edu/security/procedures/dataHandling/electrStored.cfm

VPN Instructions
http://www.itap.purdue.edu/connections/vpn/

Contacts

Subject

Questions about this policy

E-mail

itap-securityhelp@purdue.edu


Definitions

Word Definition
IT Resource A computing asset provided by the University to further its mission of discovery, learning, and engagement. Examples of such assets include, but are not limited to, network bandwidth, computers, mobile devices, printers, and paper.
Protected Healthcare Information Health information in any form that can be connected to a patient. Health information includes the individual's past, present, or future physical or mental health or condition, the provision of healthcare to the individual, or the past, present, or future payment for the provision of healthcare to the individual.
Private Network Any class A, B, or C IP-based network that employs non-routable addresses as specified in IETF RFC 1918.
Remote User Any user of IT Resources from an off-campus location.
Restricted Data Information protected because of protective statutes,policies, or regulations. This level also represents information that isn't by default protected by legalstatute, but for which the information owner has exercised their right to restrict access.
Sensitive Data Information whose access must be guarded due to proprietary, ethical, or privacy considerations. This classification applies even though there may not be a civil or legal statute requiring this protection.
VPN Virtual Private Networking. A mechanism that encrypts the traffic between the VPN Server and the remote computer and allows the remote computer to obtain an onsite IP address.