Remote Access and VPN Standard
Posted by Joann Guilmett, Last modified by Joann Guilmett on 17 March 2020 05:33 PM
This Standard outlines requirements for safeguarding University System of New Hampshire (USNH) institutional information and information technology resources from unauthorized access, misuse, and/or compromise when that information and those resources are accessed from remote locations. Use of non-USNH networks to access these mission critical resources increases the risk that institutional information or the resources used to capture, store, process, transmit, or otherwise manage, it will be inadvertently exposed to unauthorized parties and/or compromised by malicious actors. The requirements defined here seek to mitigate those risks by informing USNH community members who need to access information and resources remotely of their responsibilities.
This Standard applies to any and all remote connections to USNH or component institution networks or information technology resources (e.g., O365, Banner HR, institutional Learning Management Systems (LMS)), regardless of who owns the endpoint device used to establish that connection or where the resource being accessed is hosted.
USNH community members, including employees, sponsored users, and students should be familiar with this Standard and understand how the requirements it defines apply to them.
In order to safeguard USNH information and information technology resources, USNH employees working remotely shall follow all USNH and component institution policies and standards, including the appropriate institutional Acceptable Use Policy.
Per USNH Policy, USNH employees shall be responsible for proper use and handling of any USNH or institutional information they have access to, regardless of where that access is initiated or what endpoint device is used for access.
Wherever possible, institutionally owned endpoint devices shall be used to conduct USNH and component institution business from remote locations. USNH employees working remotely shall NOT use a public device at a local library or other public place to conduct USNH business; Only USNH or USNH Employee owned devices may be used..
Institutionally owned endpoint devices shall not be used by non-USNH employees. It is not permissible, under any circumstance to allow a friend or family member to make use of a USNH owned device.
Endpoint devices used to access USNH or component institution resources from remote work locations shall have appropriate security controls enabled, regardless of whether those devices are institutionally owned or personally owned. These controls include but are not limited to:
USNH or component institution endpoint devices used at remote work locations shall be protected from theft, loss, damage, and misuse. Any compromise, loss, misuse, theft, or damage to a USNH endpoint device shall be reported to the PSU Helpdesk immediately.
Any institutionally owned endpoint device that is used to access institutional information classified as RESTRICTED or the information technology resources used to capture, process, store, transmit, or otherwise manage information with that classification shall be encrypted prior to being used for remote work. Faculty who are only interacting with RESTRICTED information that is considered student educational records protected by FERPA are exempt from this requirement.
Remote Connections to USNH Information Technology Resources
Connecting to a PSU or USNH network from a remote location increases the risk of information exposure or loss and account or device compromise, as it requires the use of networks that are not controlled by USNH or any of its institutions. To minimize these risks, USNH community members should use their institution’s Virtual Private Network (VPN) when connecting to a PSU or USNH network. Use of a VPN ensures that information transmitted across non-USNH networks is encrypted.
Remote access to certain USNH information technology resources requires use of a VPN. Employees who need access to these resources shall use the VPN provided by their institution for this purpose. (AC-17(3))
USNH employees shall not remain connected to any USNH network for longer than 12 hours. (AC-12)
Any device connecting to a USNH network shall be subject to monitoring, which may include but is not limited to, capturing and recording the following information:
Access to, Use of, and Storage of Institutional Information
USNH employees accessing USNH or component institution information technology resources from remote locations using a personally owned endpoint shall not download or otherwise store institutional information classified as SENSITIVE or RESTRICTED onto that endpoint device. (USNH Data Classification Policy: https://www.usnh.edu/policy/usy/vi-property-policies/f-operation-and-maintenance-property#6)
Additionally, USNH employees shall not transfer or store any institutional information with these classifications to or on any personal cloud storage service (e.g., Dropbox, Google Drive).
Institutional information classified as RESTRICTED shall not be stored, shared, or transferred via any removable storage media (e.g., external hard drives, USB drives) without media encryption.
USNH employees shall not transmit any USNH or component institution information via email using a personal email account and all restrictions on transmitting certain types of institutional information via email, even institutionally provided email, remain in effect during remote work. See PSU Email Use Policy / FIN-ITS-004.
Any misuse of, or unauthorized access to, institutional information, regardless of the format of that information, shall be immediately reported to the PSU ITS Helpdesk via the appropriate institutional reporting process.
5. Maintenance of Processes and Procedures Supporting This Standard
As part of the mandatory annual review of this Standard, the processes and procedures that support the requirements defined in this Standard shall be reviewed, and where needed, updated to ensure currency and continuous improvement.
Failure to comply with this Standard places the University System, its component institutions, USNH information, and information technology resources at risk which may result in disciplinary action. Disciplinary procedures shall be appropriate for the individual responsible for non-compliance (e.g., students, faculty, staff, vendors) as outlined in the relevant institutional regulations for that individual (e.g., Student Rights, Rules, and Responsibilities).
Employees who are members of institutionally recognized bargaining units are covered by the disciplinary provisions set forth in the agreement for their bargaining units.
7. Exceptions and Waivers
Requests for exceptions or waivers to this Standard shall be submitted to Information Security Services for review and approval by appropriate USNH and institutional leadership.
8. Roles and Responsibilities
USNH Community Members:
Access: The ability to make use of any information technology resource or to gain entry to a physical area or location.
Anti-malware Software: A program or tool that detects many forms of malicious software called malware (e.g., viruses and spyware) and prevents them from infecting computers. It may also cleanse already-infected computers.
Compromise: Unauthorized access to, disclosure, modification, substitution, destruction, or use of information or information technology resources.
Encryption: The transformation of data (called plaintext) into a form (called cipher text) that conceals the data’s original meaning to prevent it from being known or used.
Endpoint/Endpoint Device: An electronic computing device that connects to a network and communicates back and forth with that network. Endpoints include desktop computers, laptop computers, tablets, mobile devices, or any similar network enabled device.
Exception: A temporary exemption from being required to comply with a USNH or institutional Policy or Standard.
FERPA: FERPA, which stands for Family Educational Rights and Privacy Act, is a federal law that protects the privacy of student educational records.
Host-based Firewall: A firewall that runs on and protects an individual server or endpoint device instead of an entire network.
Information: Facts, data, or instructions in any medium or form.
Information Technology Resource: Any hardware, software, firmware, equipment, internet of things (IoT) devices, applications, information systems, etc. used to access, capture, store, process, utilize, integrate, interface with, transmit, or otherwise manage information.
Institutional Information: Information, in any format, created, collected, recorded, captured, stored, processed, transmitted, or otherwise managed by or for the University System and its component institutions, to conduct USNH business.
Institutionally Owned Endpoint: A computer or computing device intended for end-user use purchased by the University System or one of its component institutions.
Password: A trusted secret compromised of a string of characters (letters, numbers and other symbols) that are used as part of confirming the identity of a person, device, or information technology resource.
Patch: An update to an operating system, application, or other software issued specifically to correct particular problems with the software.
Personally Owned Endpoint: A computer or computing device purchased by a USNH community member using money that was not provided by or associated with USNH or one of its component institutions.
Remote Access: The ability for community members to access USNH information and information technology resources from external locations.
Removable Media: Any device whose primary purpose is to electronically store information that can be easily transported. Examples of removable media include USB flash drives, CD-ROM, DVD-ROM, external or portable hard drives, or any other portable computing device with storage capabilities.
RESTRICTED Information: per the USNH Information Classification Framework, includes information requiring specific security controls. It includes personally identifiable information like SSN and passport number, credit card information, and research information and information protected by regulations including FERPA, HIPAA, and GLBA.
Security Control: A safeguard or countermeasure prescribed for an information technology resource designed to protect the confidentiality, integrity, and availability of its information and to meet a set of defined security requirements.
SENSITIVE Information: Per the USNH Information Classification Framework, includes information that can be shared when there are valid administrative, academic, or business purposes to do so, but that cannot be shared publicly.
USNH Community Member: Any individual who has a relationship with the University System of New Hampshire or one of its component institutions including employees, students, applicants, prior students/alumni, donors, and sponsored users.
Virtual Private Network (VPN): A data network that enables two or more parties to communicate securely across a public network by creating a private connection, or “tunnel,” between them.
Waiver: A permanent (longer than one year) exemption from the requirement to comply with a Policy and/or Standard.
10. Related Policies and Standards
For USNH community members: Questions about this Standard, requests for additional information or training, or reports of violations can be directed to Information Security Services via the ISS Support Form.
All other requests can be submitted to the PSU, ITS Helpdesk.