Policy No: 2039
Responsible Office: Information Security
Last Review Date: 11/15/2022
Next Required Review: 11/15/2027
VPN (Virtual Private Network)
1. Purpose
Provide guidelines for remote access via Virtual Private Network (VPN) connections to the USA network.
2. Applicability
This policy applies to all USA faculty, staff and non-employees (contractors, vendors, visitors, etc.) in the University General Division who utilize the campus VPN solution to access the USA network. It also applies to student workers who are allowed VPN access if approved by the Division Vice President.
3. Definitions
Virtual Private Network: A virtual private network extends a private network across a public network, and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. VPN services establish secure and encrypted connections to provide greater privacy.
Two-factor Authentication (2FA): A second layer of security to protect an account or system. Users must go through two layers of security before being granted access to an account or system. 2FA increases the safety of accounts by requiring two types of information from the user, such as a password, a hard token, a mobile device by use of an application, or fingerprint, before the user can log in. The first factor is the password; the second factor is the additional item.
4. Policy Guidelines
User access to VPN is subject to an approval process and may only be granted with the combined authorization of the requestor’s dean or department head, the administrator(s) of the resources to be accessed, and the USA Helpdesk, Networking and Information Security groups.
The data owner (or designee) will review the request to determine if VPN access is appropriate for fulfillment of the employee’s job responsibilities and consistent with University data security policies.
It is the responsibility of the user with VPN privilege to ensure that unauthorized persons are not allowed access to their VPN session or credentials.
Remote user-owned computers connected to the VPN service are subject to the same policies that apply to on-campus access, and should employ similar data security practices.
- VPN user computers should have Anti-Virus software installed, an active firewall, and the operating system and all applications should have all updates applied. For more information, please visit the Best Practices section on the Information Security website;
- All VPN connections require the user to use the USA-approved two-factor authentication (2FA) solution;
- Public wireless systems should only be used when absolutely necessary. Public, shared use computers should NOT be used for VPN;
- Computers accessing the VPN service should be dedicated to the VPN user and any personal computer used for VPN should require a logon;
- VPN access to Banner or other systems which contain confidential data may be subject to additional approvals and restrictions;
- Only VPN client applications authorized by the Computer Services Center (CSC) shall be used to connect to the VPN service;
- All VPN connections are logged and associated with the user;
- Use of VPN connections for collecting, downloading, or transferring confidential data, or to access resources for which the VPN user is not authorized, is prohibited. Per the USA Information Security Policy, it is a violation to store confidential data on portable storage devices, including USB keys and portable disks, unless such data is encrypted.
- VPN users must access the VPN service within 180 days of being granted VPN access. Users who do not access the VPN service within this time period will have their access revoked and must re-apply.
5. Procedures
To request VPN, access the USA home page and search the A-Z index for "Document Routing". Log on to the resource and choose Computer Center, then VPN Request (dropdown choice).
6. Enforcement
This policy regulates the use of all VPN services to the USA network and users must also comply with the USA Computer Use and Information Systems Security Policies. VPN services will be terminated immediately if any suspicious activity is observed. Service will remain disabled until the issue has been identified and resolved. Any user found to have intentionally violated this policy will be subject to loss of VPN privileges. By choosing to use the USA VPN service, users hereby agree to all terms and conditions listed above.
7. Related Documents
7.1 Computer Use (policy)
7.2 Information System Security (policy)