8.2.1.10 Remote Access Policy

Policy Statement

Remote access is an extension of the network managed by the Office of Information Technology (OU IT).  All remote access will be centrally managed by the Office of Information Technology and will use appropriate security measures based on access requirements.

Web Address For This Policy

To be determined

Definitions

Information Technology and Security Definitions

Remote Access Usage and Restrictions

  1. It is the responsibility of university staff, faculty, students, and third-parties with remote access privileges to the OU network to ensure that their remote access connection is given the same security consideration as the user’s on-site connection to the university.
  2. All individual remote access users are responsible for protecting remote access connections, devices, and credentials in accordance with the Acceptable Use Policy.
  3. Remote access via OU Virtual Private Network (OU VPN) must be used to connect to Protected On-Campus Resources and to access workstations or devices using Secure Shell (SSH) and Remote Desktop (RDP) from centrally-managed university-owned devices.  See Remote Access Standard for solutions.
  4. Remote access via OU Virtual Desktop (OU VDI) must be used to connect to Protected On-Campus Resources and to access workstations or devices using SSH and RDP from personally-owned devices.  See Remote Access Standard for solutions.
  5. Only approved tools shall be used for the purpose of providing remote support, maintenance, or administration of assets.  See Remote Access Standard for solutions.
  6. SSH is considered a protected on-campus resource and is a network protocol that provides users with a way to access a remote computer.  SSH also refers to the suite of utilities that implement the protocol.  SSH remote access shall be accessible from the OU VPN or OU VDI services only.  SSH sessions must be configured in accordance with the Remote Access Standard and Encryption Standard.
  7. RDP is considered a protected on-campus resource and allows users to connect to a computer located on the OU network.  RDP shall be accessible from the OU VPN or OU VDI services only.  RDP sessions must be configured in accordance with the Remote Access Standard.
  8. A Site-to-Site VPN connection allows for data to be sent between two sites over the public internet in a secure, encrypted format.  Once a VPN “tunnel” has been configured between two sites, data sent between the two sites is sent through the tunnel instead of being sent in clear text over the internet.  All Site-to-Site VPN connections must be registered using the OU VPN Site-to-Site VPN request form.

Remote Access Authorization, Monitoring, and Management

  1. All remote access, support, maintenance, or administration mechanisms must be authorized, monitored, and managed by OU IT.  Firewalls and other technology shall be used to restrict remote access to only approved mechanisms.  Remote access mechanisms must be reviewed and approved by the Cybersecurity and Infrastructure Advisory Committee (CIAC).  To be approved, mechanisms must include the following technical capabilities:
    1. Have a current OU IT Security Assessment on file with OU IT Governance, Risk, and Compliance (GRC).
    2. Require authentication through OU Authentication services (e.g., Single-Sign-On, Lightweight Directory Access Protocol [LDAP], or Federated Authentication).
    3. Utilize OU multi-factor authentication.
    4. Encrypt traffic and administrative web application interfaces in accordance with the Encryption Standard.
    5. Terminate remote sessions after sixty (60) minutes of inactivity.
    6. All remote access firewalls must be configured in accordance with the Firewall Management Standard.
    7. All remote access mechanisms must collect logs in accordance with System Logging Policy.
    8. All remote access firewalls must send logs, including authentication logs, to the OU IT central log repository for monitoring.

Remote Access Devices

Remote access systems, where possible, must scan for and verify compliance with minimum-security requirements defined in the End User Device Security Policy before granting access. Remote access clients must be monitored for updates and releases and updated within thirty (30) days of release, when made available by the vendor.  

Approved Remote Access Methods

Installing unapproved remote access software is prohibited. OU IT reserves the right to block systems operating unapproved remote access software.  Approved remote access methods are defined in the Remote Access Standard.

Third-Party Remote Access

Third-Parties must implement security measures comparable to OU minimum security requirements in accordance with the Remote Access Standard.

  1. Third-Party Remote Access may be granted after the criteria defined in the Identity and Access Management Policy have been met.
  2. Third-Parties granted a Privileged (Administrator) account on OU assets must align with the Privileged Access Management Policy.
  3. The Third-Party Remote Access Asset Administrator must configure access in the following ways:
  4. Computers used to administer OU information or resources must be properly secured with strong passwords, antivirus, security updates and physical security controls.
  5. At no time should any OU third-party provide their username and password to anyone, including coworkers, third party staff, or OU staff.  Passwords used by third-parties to access OU information or information resources must follow the secure practices defined by the Password Policy.
  6. Any third-party that requires remote access to Category A, B, C, D1, or E information or information resources must designate a person to be the Point of Contact (POC) for their organization.  In the event the POC changes, the third party must designate a new POC.  The POC must be documented in the OU IT Vendor Register maintained by the OU IT Governance, Risk, and Compliance (GRC) team.
  7. Third party remote access must be restricted to only the information or information resources that they support or maintain.
  8. Third party remote access accounts must be disabled and inactive unless needed for support or maintenance activities.
  9. Accounts used by Third-Parties for remote access must be created as Sponsored Accounts, in accordance with the Identity and Access Management Policy.
  10. Third Party Service Asset Administrators will be responsible for enabling/disabling accounts and monitoring third party access to information or resources.
  11. Third parties must notify Third Party Service Asset Administrators when contractors, vendors, or agents change job responsibilities or terminate employment, or when the key is compromised.
  12. Third Party Service Asset Administrators must regularly review third party service logs and report Security Incidents when they occur.

Remote Access Exceptions

The Chief Information Officer acknowledges that under rare circumstances certain cases will need to employ systems that are not compliant with the Policy.  Such instances must be documented using the IT Security Exception Request Form and will require the approval of the Cybersecurity and Infrastructure Advisory Committee (CIAC).

References

  1. National Institute of Standards and Technology Cybersecurity Framework (CSF), PR.AC-3
  2. National Institute of Standards and Technology Special Publication 800-171, Protecting Controlled Unclassified Information: 3.1.1, 3.1.2, 3.1.15, 3.1.14, 3.1.18, 3.1.20, 3.13.9, 3.13.12
  3. Health Insurance Portability and Accountability Act of 1996 (HIPAA), Security Rule §164.308(a)(4), 164.308(b)(1), 164.312(a)(2), 164.310(b), 164.310(c)
  4. National Institute of Standards and Technology Special Publication 800-53 Revision 5, Security and Privacy Controls for Federal Information Systems, AC-17, AC-19, AC-20
  5. Payment Card Industry (PCI) Data Security Standards 2.3, 8.1.5, 8.3, 8.5.1, 12.3.8, 12.3.9, 12.3.10
  6. Gramm-Leach-Bliley Act (GLBA)
  7. Cybersecurity Policy
  8. End User Device Security Policy
  9. Encryption Standard
  10. Information Classification Standard
  11. Remote Access Standard
  12. Acceptable Use Policy
  13. Identity and Access Management Policy


Details

Article ID: 3049
Created
Tue 8/29/23 8:55 AM
Modified
Thu 4/18/24 2:00 PM
