This policy defines standards for remotely connecting to the Western Michigan University network from any device, regardless of whether the device is University owned or personally owned. These standards are designed to prevent unauthorized access to and/or damage to University resources. The harm at stake can include access to sensitive or confidential data and intellectual property, damage to public image and damage to critical internal systems.
For the purpose of this document, remote access is defined as any faculty, staff, student, consultant, vendor, or any third-party affiliate connecting to the Western Michigan University network using a non-University controlled network, device, or service.
Examples of remote access would include:
- Connecting to the University network using your home Internet service provider.
- Using a mobile device to connect to the University network from either on or off campus.
Summary and scope
This policy provides the security requirements for all Western Michigan University employees who are manipulating/accessing University data classified as confidential/restricted from remote locations. It also covers the transport of such data via mobile devices and other removable media.
This policy does not apply to authorized and authenticated access to email, GoWMU, E-learning, and/or any University publicly accessible websites.
Requirements and Practices for all Remote Users
Remote access (applies to all devices that are Internet-aware). The desktop/laptop security standard defines the following as required on any computer or mobile device used for working remotely:
- Antivirus software that has daily updates enabled.
- Security patches for installed operating systems (ideally with auto-update enabled), Web browsers, and common applications are applied in a timely manner.
Additional requirements exist for remote work:
- The machine/device can be trusted. This means that the machine/device must be built and maintained in a manner that creates confidence in the security of the machine. Users of home machines used for remote work should exercise caution with applications prone to malware infections, such as peer-to-peer, gaming, and free (untrusted) software downloads. The use of Web kiosks and other untrusted machines for accessing any form of University confidential/restricted data or for entering a BroncoNetID and password, or other University-related credentials, is an extremely dangerous practice and is a violation of this standard. Mobile devices used to access email and other campus resources remotely should also be used with caution. Many of the same risks found with PCs apply to these devices.
- The user is approved by the unit/department to work remotely.
- All reasonable efforts are made to protect University data, keeping it in-house, on secured servers and devices wherever possible.
- Remote access technologies such as the University provided VPN may be required for access to University systems containing confidential/restricted data.
The final requirement can be achieved in various ways, and each user must employ the appropriate methods for accessing University data. Such remote access from mobile devices or home PCs can generally be performed through one of two common approaches, listed here by increasing access rights and/or increasing security requirements:
- If the user really only needs to access email or other public Web services, then no additional requirements exist. Direct access from the remote PC is acceptable. The email system provides an encrypted network path and secure storage of messages.
- Users needing access to their work desktop machines, or who need wider access to campus resources, must use the campus VPN service. In most cases they will remote desktop into their office machine and proceed to run applications from that machine. Other acceptable remote access technologies include SSH, pcAnywhere, VNC, and Timbuktu (password protected and/or encrypted version). Externally hosted remote access tools such as GoToMyPC are not acceptable.
- Data classification policy
- Data encryption policy
- Data security responsibilities
- Mobile device policy
Revised: March 2010