Remote Access Standard

Standard Number: 1.11.2.3.2
Category: Information Security
Owner: Information Technology Services
Effective: February 3, 2022
Revision History: Originally effective October 1, 2020
Review Date: February 2, 2025

1. Purpose, Scope, and Responsibilities
   

   1. The Information Security Policy indicates that one of the ways the University will protect the Confidentiality and Integrity of University Data is by providing secure access to University Technology Resources contained within the Campus Network when connecting through an External Network (“Remote Access”).
   2. The purpose of this Standard is to minimize the potential exposure and damages resulting from unauthorized access to University Technology Resources by establishing the requirements for Remote Access. This Standard is based on requirements within NIST Special Publication 800-171 and NIST 800-46 Guide to Enterprise Telework, Remote Access, and Bring Your Own Device Security.
   3. This Standard applies to any Authorized User accessing University Technology Resources from an External Network using Remote Access solutions.
   4. The Chief Information Officer, supported by the Chief Information Security Officer and the Executive Director of Enterprise Infrastructure, is responsible for the implementation of this Standard. Information Technology Services (“ITS”) Network Operations and Health Sciences Center Information Technology Services (“HSCITS”) will serve as the responsible units to ensure proper and appropriate access is granted to those seeking Remote Access to University Technology Resources.
   5. Information Security Services (“ISS”) will serve as an advisor to ensure this Standard establishes and maintains best security practices for Remote Access.
   6. All Authorized Users using Remote Access solutions are responsible for:
      1. Reading and adhering to all University technology policies and standards (“Technology Governance”);
      2. Adhering to the applicable requirements outlined in this Standard;
      3. Reporting all known abuse or violations of this Standard to the Chief Information Security Officer by email at defendyourdata@mail.wvu.edu or phone at 304-293-4457/304-293-4444;
      4. Ensuring that their Remote Access connection is given the same security consideration as their on-site connection to the Campus Network such as using an off-site network that is encrypted and limits access to only known people; Questions about securing your home office space should be directed to Academic and Administrative IT support unit; and,
      5. Never permitting an unauthorized user to utilize their credentials to facilitate Remote Access to University Technology Resources.
   7. University employees with a Remote or Hybrid work designation must have appropriate Internet connectivity speed to permit them to carry out University business via Remote Access. See Federal Communications Commission Broadband Speed Guide for more information.
   8. Failure to follow the requirements within this Standard may result in loss or denial of Remote Access privileges.

2. Remote Access Standards

   1. Remote Access to the Campus Network must be used by Authorized Users to connect to non-public facing University Technology Resources when working from a non-University location.
   2. Authorized Users must Authenticate to University Technology Resources using WVU Login credentials only for all Remote Access solutions. Authorized Users must never share their credentials to facilitate Remote Access Authentication for unauthorized individuals.
   3. Two-Factor Authentication (2FA) is required for all Remote Access solutions.
   4. All University Devices must meet the University-Owned Device Standard to be used as an entry point for Remote Access.
   5. All personally owned devices must meet the Bring Your Own Device (BYOD) Standard to be used as an entry point for Remote Access. Pursuant to the Acceptable Use of Data and Technology Resources Policy, use of a personal device by a University employee to conduct University business is permitted for de minimus use only.
   6. Pursuant to the Sensitive Data Policy, data classified as Sensitive must not be downloaded and/or stored on any device being used for Remote Access.
   7. Remote Access may NOT be permitted from some locations, such as embargoed countries. For more information about traveling to embargoed and sanctioned countries, contact the WVU Office of Export Control at exportcontrol@mail.wvu.edu.
   8. Remote activation of collaborative computing devices (e.g., networked white boards, cameras, microphones) located within High-Risk Security areas of the University is prohibited. See Access Control Standard and Protocols for more information.
   9. Pursuant to the Computer Security Incident Response Policy, Authorized Users must report any suspected, known, or imminent threat of a Security Incident while remotely accessing University Technology Resources to ITS immediately at defendyourdata@mail.wvu.edu or 304-293-4457.
   10. The University may block Remote Access in the following instances:
       1. University Technology Governance violation;
       2. Failure to adequately protect University data; or,
       3. Evidence of security compromise in WVU Login credentials and/or hardware or software used for access.
   11. Blocked access may be reinstated only after ITS/HSCITS has verified that the problem(s) that resulted in access being block have been adequately addressed and resolved.
   12. Authorized Users must never permit University Devices being used for Remote Access to be controlled or viewed remotely unless the user is required to accept the remote connection upon request using the device’s input method.

3. Virtual Private Network Access

   1. The University provides Virtual Private Networks (“VPNs”) (e.g., Global Protect) to permit access to University Information Systems and network folders on file servers (e.g., J: drive, N: drive) from off-campus locations.
   2. University VPNs will employ at minimum AES-128 CBC Advanced Encryption Standard to ensure confidentiality over remote connections.
   3. Remote Access to University resources via public networks is only permitted using the following approved VPN resources: Global Protect IPSEC VPN and Global Protect SSL VPN.
   4. All VPN solutions must be configured to prevent simultaneous non-remote connections (“Split Tunneling”).
   5. VPN access control points may only be established by ITS (“General VPN”) or HSCITS (“HSC VPN”). No other department or individual may implement VPN gateways to University Technology Resources.
   6. General VPN access is:
      1. Provided to all University employees;
      2. Provided to all University Devices;
      3. Provided to personally owned devices; and,
      4. Limited to users within the United States.
   7. General VPN must be utilized to access resources that are only available on campus (e.g., Applaud, network drives) and to access Sensitive Data.
   8. Privileged Access to University Information Systems requires use of more restrictive VPN which may be accessed only by specific Authorized Users using University Devices.
   9. HSC VPN access:
      1. Is only provided to HSC employees using approved HSC-managed University Devices; and
      2. May be provided to HSC employees when traveling abroad except for travel within embargoed countries.
   10. Authorized Users must always disconnect from a VPN solution when not utilizing it.
   11. The General VPN or HSC VPN must be used if connecting to University Information Systems using public Wi-Fi.
   12. After 180 minutes without traffic, an Authorized User will automatically be signed out of all VPN solutions and must reauthenticate.

4. Remote Desktop Access

   1. The University provides programs or operating system features that allow Authorized Users to connect remotely to a physical or virtual computer located on the Campus Network on which a remote computer resides (“Remote Desktop”).
   2. Remote Desktop access is subject to permissions granted by University Information System owners.
   3. Remote Desktop access solutions (e.g., Remote Desktop Protocol) are provided to permit Authorized Users access to computers located on-campus from an off-campus location.
   4. Remote Desktop access must be used by Authorized Users to access University Information Systems storing Sensitive Data and/or desktop applications on another University Device but not installed on the device being used for Remote Access.
   5. Use of third-party Remote Desktop services (e.g., gotomypc.com, logmein.com) is strictly prohibited unless the service utilizes Enterprise Directory Services and 2FA for Authentication. Authorized Users must never install or configure unapproved Remote Desktop solutions on their University Device that permits connections from other devices.
   6. Remote Desktop access is provided for both personal devices and University Devices.
   7. Remote Desktop access, or similar secure, approved solution, must be utilized when a personal device is the only option available to conduct Privileged Access to a University Information System.
   8. Remote Desktop access screen must be configured to lock and require user to re-authenticate if left unattended for more than 15 minutes.
   9. After no more than 180 minutes of inactivity, Authorized Users must automatically be signed out of Remote Desktop access and must reauthenticate.

5. SSH Gateway Access

   1. The University offers a Secure Shell (SSH) Gateway that provides targeted remote connections to specific shared Unix/Linux and Mac resources located on campus.
   2. All SSH connections must be made through the SSH Gateway. Any other use of the SSH Gateway or use of SSH connections outside of the SSH Gateway is strictly prohibited.
   3. Access to the SSH Gateway is available to University employees and individuals with Sponsored Accounts and must be approved by a supervisor or sponsor.
   4. Access to the SSH Gateway is provided to University Devices and personal devices.
   5. A University Device must be running a SSH server to successfully connect to it using the SSH Gateway.
   6. All files created within the SSH Gateway will be purged after 10 days of creation date/time. File limits will not be extended for any reason.
   7. SSH Gateway sessions that have no activity for eight (8) hours will be discontinued.
   8. Outbound connections from the SSH Gateway to an off-campus information system are prohibited.
   9. Graphical Applications Forwarding (X11 forwarding) within the SSH Gateway is permitted.
   10. Access to the SSH Gateway will be removed after one year of inactivity.

6. Third-Party Remote Access

   1. Vendors and contractors must have a University sponsor to utilize University Remote Access solutions.
   2. All third-parties granted Remote Access to University Technology Resources are responsible for ensuring the external networks used to access the WVU Campus Network are secure.
   3. The University does not guarantee a Remote Access connection to the Campus Network to any third-party.
   4. Connections provided to third-parties will be based on Least Privilege to conduct business relative to the contractual relationship established.
   5. Network to network connectivity is not permitted.

7. Remote Access Security and Monitoring

   1. Remote Access to University Information Systems must only be permitted through the approved access control points identified within this Standard. Establishment of any other Remote Access control point is prohibited.
   2. The University will retain a central Remote Access log that contains both successful and failed login attempts for a minimum period of ninety (90) days. Logs will include, at minimum, the following information:
      1. Event type (e.g., authentication, connection, disconnection);
      2. Date/time;
      3. Associated user;
      4. Remote and local IP address; and,
      5. Event success or failure.

8. Definitions

   1. “Authentication” means verifying the identity of a user, process, or device to allow access to a University Information System. ITS utilizes both Single Sign-On and Federated Identity authentication. Single Sign-On is when an individual uses the same WVU Login credentials to access University Information Systems.
   2. “Authorized User” means individuals authorized to access the Campus Network remotely, including, but not limited to vendors and University employees who have the employee work status of Remote Work Schedule or Hybrid Work Schedule who are working from anywhere other than their primary office location on the University campus.
   3. “External Network” means a network not controlled by Information Technology Services or Health Sciences Center Information Technology Services.
   4. “Privileged Access” means accounts that have administrative rights to perform functions that make changes to an overall system, network, database, or server. Privileged functions include, but are not limited to, installing updates, editing registry, managing default access accounts, changing file-level permissions, and modifying operating system, configuration, or application settings. Non-privileged access means access granted to users permitting them to conduct normal daily functions.
   5. “Split Tunneling” means the process of allowing a remote user or device to establish a non-remote connection with a system and simultaneously communicate via some other connection to a resource in an external network.
   6. “Two-Factor Authentication (2FA)” means a second form of authentication, such as mobile device, phone, or hardware token, is required when authenticating using WVU Login credentials. More information can be found at https://twofactor.wvu.edu.
   7. “University Technology Resources” means the Campus Network, University-owned hardware, software, and communications equipment, technology facilities, and other relevant hardware and software items, as well as personnel tasked with the planning, implementation, and support of technology. University Technology Resources can be broken into the following categories:
      1. Campus Network means the wired and wireless components and University Technology Resources connected to the network managed by the University. Excludes residence halls, University public/private partnerships, and other relationships the University may establish with institutions, including the City of Morgantown and WVU Medicine, through which the University provides IP addresses but does not manage the network.
      2. University Device means a server, computer, laptop, tablet, or mobile device used to enter or access University Data from a University Information System.
      3. University Information System means an application or software that is used to support the academic, administrative, research, and outreach activities of the University, whether operated and managed by the University or a third-party vendor.
   8. “Virtual Private Network (VPN)” means a protected information system link utilizing tunneling, security controls, and endpoint address translation giving the impression of a dedicated line.

9. Related Documents

   1. Information Security Policy
   2. Acceptable Use of Data and Technology Resources Policy
   3. Computer Security Incident Response Policy
   4. International Travel Security Standard
   5. Password Standard
   6. University Owned Devices Standard
   7. WVU Login Responsibility Statement
   8. Bring Your Own Device Standard
   9. NIST 800-46: Guide to Enterprise Telework, Remote Access, and Bring Your Own Devices (BYOD) Security
   10. WVU Remote Work Information
   11. Access Control Standards and Protocols