Remote Access Policy
- Related Documentation
- Revision History
With the introduction of various remote access applications, services and products, accessing the Keene State College Local Area Network from outside the campus security perimeter has become an area of concern with regard to Information Technology security. This policy addresses these issues.
The intent of the policy is to identify remote access methods and procedures to ensure an acceptable level of security to protect the KSC Information Technology resources. The resources include network infrastructure, KSC servers, KSC user workstations, financial data, student information, academic research data and other information necessary to support the academic mission and business functions.
The policy's guiding philosophy is to keep the protected KSC information within the KSC LAN. As such, it is designed to give users full access to the authorized resources necessary to perform their jobs while minimizing the exposure of KSC IT resources to external threats. For example, copying or moving files containing protected KSC information from a system within the KSC LAN to a remote workstation is prohibited. All policy decisions not explicitly outlined in the policy will be based on this philosophy.
The purpose of the KSC Remote Access Policy is to define standard approved remote access methods for connecting to KSC network resources by any/all authorized users. It establishes a guideline for managing and protecting the information resources and services on the KSC LAN enabling the use of hardware, software and procedures for implementing the policy.
This policy does not identify approved users or their authorization. It only identifies the method of access and authentication and defines the process for requesting access. Access privileges are granted by the Data Steward, Principal Administrator, or manager of the Business unit or application owner responsible for the information being accessed.
This policy applies to all KSC employees, faculty, staff, contractors, vendors and agents granted remote access privileges to the KSC network, the KSC network resources and KSC computers. It applies whether access is from a KSC-owned or non-KSC-owned computer or workstation.
Approved Access Types
Unauthenticated access to non sensitive resources
Examples of this include web access to home pages, web access to faculty/staff personal web sites, web cameras, and streaming media. Servers offering these services must be in a closely monitored network location and in a separate firewalled network, e.g. the DMZ, with access limited to only the service offered.
Authenticated secure employee access to resources
Examples of this include secure web access to Exchange via Outlook Web Access.
Authenticated secure non-employee access to resources with proper approval
Authenticated employee access to resources protected by centrally managed encryption device
Examples of this include but are not limited to, access to faculty/staff network storage via the VPN/Terminal server solution, access to servers/workstations running specific user defined services such as campus safety and physical plant.
Authenticated non-employee access to resources protected by centrally managed encryption device
Examples of this include but are not limited to, contractor access to energy/power management resources.
Authenticated USNH employee access to resources protected by centrally managed encryption device
Unapproved Access Types
External services which proxy or tunnel over ports to obscure intent
Examples of this include but are not limited to, GoToMyPC.com
Client/Server implementations bypassing the established KSC remote access solution(s)
Examples of this include but are not limited to, PCAnyWhere.
- The Information Technology Group will provide a campus-wide remote access solution enabling access for authorized users.
- The KSC Computer and Network User Policy applies to remote users.
- Remote access is provided for KSC related activity only.
- There is no dialup capability for accessing the KSC LAN.
- Home users with dial up connections to their ISP may experience slow performance. Broadband connections, e.g. cable modem, DSL, etc. offer the best performance.
- Remote workstation/computer users are prohibited from reconfiguring any Keene State supplied client software.
- Remote workstations/computers are required to maintain up to date antivirus definitions which may be verified by the network at time of authentication.
- Remote workstations/computers are required to install the latest Operating System security patches which may be verified by the network at time of authentication.
- Users are authorized to access KSC secured resources remotely by their supervisor, Department Chair or other supervisory personnel, by filling out the Keene State College Remote Access Request Form.
- Multi-user systems, e.g. home computers where many family members have access, require special care. KSC Remote Users on such systems are required to log completely out of the remote access session when they have finished. For example, when connected to a VPN or other secure device via a software client, the user must disconnect the client session; when remotely accessing via SSL, the user must completely close the browser.
- Secure remote access will be controlled by password authentication and all sessions require encryption, e.g. public/private keys for secure HTTP (SSL) access or IPSEC for client-based access.
- Split tunneling is strictly managed and will be enabled for remote users to map drives and/or access printers on their local subnets. The remote user must not enable split tunneling to any other networks.
- Remote access users must not remotely access the KSC LAN from a system with a dual home configuration.
- Non standard configurations must be approved by the KSC IT Group.
Any exceptions to this policy are reviewed and approved by the Security Manager in KSC IT Group.
For example, current systems are grandfathered. Systems out of compliance with this policy will not be affected until a major upgrade to the system or application is implemented. At that time, compliance will be required.
Violations of this policy may result in, but are not limited to, loss of remote access privileges. Other disciplinary actions may be taken by the appropriate governing department or individual, e.g. Human Resources, PA, Director.
|authentication||The process by which a user identifies themselves. Generally, username/password. However, other authentication methods exist, e.g. smart card, public/private key, biometrics, etc.|
|authorization||The process by which a user is granted access to resources. Some authorization mechanisms include Access Control Lists (ACL), permissions, digital credentials.|
|Data Steward||The individual responsible for the integrity of data/information managed and maintained by a business unit, regardless of the storage mechanism or method.|
|Keene State College IP Address||Keene State College owns the class B network 22.214.171.124, IP address range from 126.96.36.199-188.8.131.52|
|Keene State College Service||Any approved application running on a KSC college network device, generally a server, offering network access to resources or information.|
|Protected KSC information||Electronic information/data and files, printed materials, images, etc. necessary to the academic mission and business functions. This includes any of the above, protected by federal, state and local statutes or identified as such by KSC.|
|network resources||Networked devices, e.g. computers, printers, etc., networked application services, general LAN access.|
|remote access||The process employed by users or systems trying to access a Keene State College (KSC) computer, KSC service running on a KSC computer or general access to the KSC Local Area Network (LAN) initiated from a computer with a non KSC IP address.|
- Keene State College Computer Network Use Policy
- Keene State College Data Policy
- Remote access request Form
1.0 10/19/2006 Original document