8.2.1.10 Remote Access Policy

Purpose

Remote access to the University of Oklahoma (OU) network is essential to maintain productivity and support University missions. Remote access provides a way for university users and support staff to share screens, access Information Technology (IT) services from home, and vice versa. Remote access is defined as access to “non-public” data and IT from outside of the university’s hard-wired and/or wireless networks. Although remote access tools can save significant time and money by eliminating travel and enabling collaboration, they also provide a back door into the network that can be used for theft of, unauthorized access to, or destruction of assets. The purpose of this policy is to define the usage and restrictions for remote access, support, maintenance, and administration mechanisms.

Policy Statement

Remote access is an extension of the network managed by the Office of Information Technology (OU IT).  All remote access will be centrally managed by the Office of Information Technology and will use appropriate security measures based on access requirements.

Web Address For This Policy

To be determined

Definitions

Information Technology and Security Definitions

Remote Access Usage and Restrictions

It is the responsibility of university staff, faculty, students, and third-parties with remote access privileges to the OU network to ensure that their remote access connection is given the same security consideration as the user’s on-site connection to the university.  All individual remote access users are responsible for protecting remote access connections, devices, and credentials in accordance with the Acceptable Use Policy.

OU Network Zones

OU IT leverages network segmentation to logically separate information technology assets into groups and apply security controls accordingly. 

  1. IT Data Center Zones: network zones created to logically segment IT assets in OU IT Data Centers, such as file servers, data stores, Virtual Labs, or other applications, which require access from off campus.  
  2. Campus Zones: network zones created to logically segment IT assets in OU campus buildings, such as remote desktops, data stores, Virtual Labs, or other applications, which require access from off campus.  
  3. Research Zone: a public-facing network zone created to logically segment IT assets used for research that require external access.
  4. Remediation Zone: a network zone created to logically segment non-compliant IT assets and grant them access to OU IT security tools only for the purpose of remediating compliance issues.  

OU Virtual Private Network (VPN)

A Virtual Private Network (VPN) creates a means for private communication between geographically distributed locations. Staff and Faculty shall use the OU VPN for remote access from university-owned devices to IT Data Center, Campus, or Research Zones.  OU IT must configure the OU VPN in accordance with the Remote Access Standard.

OU Virtual Desktop Infrastructure (VDI)

A virtual desktop delivers a clean desktop with secure, encrypted access to internal IT assets when using a personally-owned device.  Staff, Faculty, Students, and external parties shall use the OU VDI for remote access from personally-owned devices to IT Data Center, Campus, or Research Zones.  OU IT must configure virtual desktops in accordance with the Remote Access Standard.

Secure Shell (SSH) for Research

Secure Shell is a network protocol that provides users with a way to access a remote computer and also refers to the suite of utilities that implement the protocol.  SSH access shall be permitted into the IT Data Center and Campus Zones after authenticating to the OU VPN or OU VDI.  SSH access shall be permitted into the Research Zone if the SSH server is registered and is compliant with the SSH Server Security Guideline.  SSH servers must be registered with OU IT using the SSH Server Asset Owner form and configured in accordance with the Remote Access Standard.

Site-to-Site VPN

A Site-to-Site VPN connection allows for data to be sent between two sites over the public internet in a secure, encrypted format.  Once a VPN “tunnel” has been configured between two sites, data sent between the two sites is sent through the tunnel instead of being sent in clear text over the internet.  All Site-to-Site VPN connections must be registered using the OU VPN Site-to-Site VPN request form.

Remote Support, Maintenance, or Administration

OU Zoom

Remote support using screensharing or Zoom’s Remote Support feature is accessible to OU staff, faculty, or students on any device from anywhere via https://oklahoma.zoom.us and requires a valid OU userid and password.  Zoom may be used to facilitate remote support or maintenance sessions with third-parties. 

OU Bomgar

Remote support for any device from anywhere and unattended remote access for university-owned devices on-campus is available through OU’s Bomgar service to Information Technology staff. Unattended remote access licenses are available for a fee. Access to remotely support or access workstations or devices requires a valid OU userid and password with PingID multi-factor authentication. Users contacting the OU IT Service Desk may be directed to connect for help using the https://remote.ou.edu client.

OU SCCM Remote Control

Remote control may be used by authorized Information Technology staff assigned the Remote Tools Operators role to manage university-owned devices for which they are responsible. Remote control sessions must be configured to prompt the current user to accept or deny the session. Remote control sessions may permit access without a prompt if a user is not logged in. Remote control sessions may only be initiated when the workstation or device is on-campus. Access to Remote Control requires a valid OU userid and password.

OU SCCM Remote Assistant

Remote assistance may be used by authorized Information Technology staff assigned the Remote Tools Operators role to remotely access university-owned devices for which they are responsible. Remote assistance sessions prompt the current user to accept or deny the session.

Remote Access Authorization, Monitoring, and Management

All remote access, support, maintenance, or administration mechanisms must be authorized by the Cybersecurity and Infrastructure Advisory Committee.  Firewalls and other technology shall be used to restrict remote access to only approved mechanisms.  To be approved, mechanisms must include the following technical capabilities:

  1. Have a current OU IT Security Assessment on file with OU IT Governance, Risk, and Compliance (GRC).
  2. Implement the minimum security requirements in accordance with the Remote Access Standard.
  3. Encrypt traffic and administrative web application interfaces in accordance with the Encryption Standard.

Remote Access Device Security

Remote access systems into IT Data Center or Campus Zones, where possible, must scan for and verify compliance with the minimum security requirements defined in the End User Device Security Policy before granting access. Remote access clients must be monitored for updates and releases and updated within thirty (30) days of release, when made available by the vendor.

Third-Party Remote Access

Third-Parties must implement security measures comparable to OU minimum security requirements in accordance with the Remote Access Standard.

  1. Third-Party Remote Access may be granted after the criteria defined in the Identity and Access Management Policy have been met.
  2. Third-Parties granted a Privileged (Administrator) account on OU assets must align with the Privileged Access Management Policy.
  3. Remote Access Asset Administrator must configure access in the following ways:
    1. Computers used to administer OU information or resources must be properly secured with strong passwords, antivirus, security updates and physical security controls.
    2. At no time should any OU third-party provide their username and password to anyone, including coworkers, third-party staff, or OU staff. Passwords used by third-parties to access OU information or information resources must follow the secure practices defined by the Password Policy.
    3. Third party remote access must be restricted to only the information or information resources that they support or maintain.
    4. Third party remote access accounts must be disabled and inactive unless needed for support or maintenance activities.
    5. Accounts used by Third-Parties for remote access must be created as Sponsored Accounts, in accordance with the Identity and Access Management Policy.
  4. Remote Access Asset Administrators will be responsible for enabling/disabling accounts and monitoring third party access to information or resources.
  5. Third parties must notify Third Party Service Asset Administrators when contractors, vendors, or agents change job responsibilities or terminate employment, or when a key is compromised.
  6. Asset Administrators must regularly review third party activity logs and report Security Incidents when they occur.

Remote Access Exceptions

The Chief Information Officer acknowledges that under rare circumstances certain cases will need to employ systems that are not compliant with the Policy.  Such instances must be documented using the IT Security Exception Request Form and will require the approval of the Cybersecurity and Infrastructure Advisory Committee (CIAC).

References

  1. National Institute of Standards and Technology Cybersecurity Framework (CSF), PR.AC-3
  2. National Institute of Standards and Technology Special Publication 800-171, Protecting Controlled Unclassified Information: 3.1.1, 3.1.2, 3.1.15, 3.1.14, 3.1.18, 3.1.20, 3.13.9, 3.13.12
  3. Health Insurance Portability and Accountability Act of 1996 (HIPAA), Security Rule §164.308(a)(4), 164.308(b)(1), 164.312(a)(2), 164.310(b), 164.310(c)
  4. National Institute of Standards and Technology Special Publication 800-53 Revision 5, Security and Privacy Controls for Federal Information Systems, AC-17, AC-19, AC-20
  5. Payment Card Industry (PCI) Data Security Standards 2.3, 8.1.5, 8.3, 8.5.1, 12.3.8, 12.3.9, 12.3.10
  6. Gramm-Leach-Bliley Act (GLBA)
  7. Cybersecurity Policy
  8. End User Device Security Policy
  9. Encryption Standard
  10. Information Classification Standard
  11. Remote Access Standard
  12. Acceptable Use Policy
  13. Identity and Access Management Policy

Revision, Review, and Approval History

  • September 2023: OU IT Governance, Risk, and Compliance revised policy. Opened for comments.
  • November 2023: Comment period closed.
  • January 2024: Faculty and Staff Research Advisory Committee review.  Comments submitted.
  • April 2024: OU IT Governance, Risk, and Compliance revised policy.

Details

Article ID: 3049
Created: Tue 8/29/23 8:55 AM
Modified: Wed 5/1/24 8:55 AM
