Remote Access Policy

Policy number 12-10
Responsible office Information Technology
Enforcement official
Campus Information Security Committee
Classification Board of Trustees-delegated Policy
Category Information Technology and Data Security

Statement of policy

Security requirements for accessing WMU data remotely.

Summary of contents/major changes

Purpose

The purpose of this policy is to state the requirements for remote access to computing resources and data hosted at Western Michigan University using Virtual Private Network (VPN) technology.

Definition

For the purpose of this document, remote access is defined as any faculty, staff, student, consultant, vendor, or any third party affiliate connecting to a Western Michigan University network using a non-University controlled network, device, or service.

A VPN is a secured private network connection built on top of a public network. It provides a secure encrypted connection, or tunnel, over the Internet between an individual computer/device and a private network such as WMUnet. Use of a VPN allows members of the WMU community to securely access WMU network resources from off campus as if they were on campus.

Summary and scope

This policy provides the security requirements for all Western Michigan University employees who are manipulating/accessing University data classified as confidential/restricted from remote locations. 

This policy does not apply to authorized and authenticated access to email, GoWMU, E-learning, and/or any University publicly accessible websites.

Requirements and Practices for all Remote Users

  • WMU employees and authorized third parties using the VPN must ensure that unauthorized users are not allowed access to internal University networks and associated information/data.
  • All individuals and machines connecting remotely are subject to the University's acceptable use policy.
  • All individuals connecting remotely shall only connect to or have access to machines and resources they have permission and rights to use.
  • All devices connecting remotely shall have current anti-virus software and all operating system and application updates and patches. Firewalls should be enabled if possible.

Additional requirements exist for remote work:

  • The machine/device can be trusted. This means that the machine/device must be built and maintained in a manner that creates confidence in the security of the machine. Caution should be exercised when home machines used for remote work are also used with applications prone to malware infections, such as peer-to-peer, gaming, and free (untrusted) software downloads. The use of Web kiosks and other untrusted machines for accessing any form of University confidential/restricted data or for entering a BroncoNetID and password, or other University related credentials, is an extremely dangerous practice and is a violation of this standard. Mobile devices used to access email and other campus resources remotely should also be used with caution. Many of the same risks found with PCs apply to these devices.
  • The user is approved by the unit/department to work remotely.
  • All reasonable efforts are made to protect University data, keeping it in-house, on secured servers and devices wherever possible.
  • Users who connect remotely to University systems that contain confidential/restricted data are required by University policy to use the campus VPN to maintain security of University data.
  • Users needing access to their work desktop machines, or who need wider access to campus resources, must use the VPN in conjunction with an approved remote access technology such as VNC or other products that have gone through the OIT Product Review Process.

References

History
Effective date of current version March 1, 2015
Revision history
Sunday, March 1, 2015 - 5:26pm Reviewed and approved: Campus Information Security Committee.
Proposed date of next review April 1, 2020