UMGC Policy X-1.11

Remote Access

Policy Category Policy No. & Title Policy Owner Effective Date Revision Number Revision Eff. Date Review Cycle

X
Information Governance, Security & Technology

X-1.11
Remote Access

VP of Information Security

July 1, 2021

N/A

N/A

Annual

  1. Purpose

    UMGC (the "University") understands the need of its Users to access University Information Resources from remote environments. The purpose of this policy is to protect University Information and Information Resources by providing the standards for remote access to computing resources as well as protect the University from inappropriate use and unauthorized disclosure.

  2. Scope

    This policy applies to all Users who remotely connect with or to University Information Technology Resources to access University Information and Information Resources.

  3. Definitions

    Capitalized terms shall have the meaning ascribed to them herein and shall have the same meaning when used in the singular or plural form or any appropriate tense.

    1. Availability: The principle of ensuring timely and reliable access to and use of Information based upon the concept of Least Privilege.

    2. Confidentiality: The principle of preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

    3. Confidential Data: Data that requires restrictions on access and disclosure, including the protection of personal privacy and proprietary information.

    4. Data: Elements of Information in the form of facts, such as numbers, words, names, or descriptions of things from which "understandable information" can be derived.

    5. Data Steward: The UMGC employees, or designees, who are responsible for determining User access and assigning Data Classifications to data originating from or residing in their respective business units.

    6. Incident: An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.

    7. Information: Any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual.

    8. Information Resources: Anything that is intended to generate, store, or transmit Information.

    9. Information Security Program: Provides a formal structure for (1) developing and maintaining University-wide security policies, (2) defines security principles that safeguard University computing resources, and (3) ensures compliance with internal and external regulations.

    10. Information Systems: Inter-related components of Information Resources working together for the collection, processing, maintenance, use, sharing, dissemination, or disposition of Information.

    11. Information Technology Resource: Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by UMGC directly or by a third party under a contract with UMGC which requires the use of such equipment. The term includes computers, mobile devices, software, firmware, services (including support services), and UMGC's network via a physical or wireless connection, regardless of the ownership of the computer or device connected to the network.

    12. Integrity: Ensuring Records and the Information contained therein are accurate and authentic by guarding against improper modification or destruction.

    13. Remote Access (telework): The ability for a User to perform work from locations other than the University facilities.

    14. Personally Identifiable Information (PII): An individual's first name and last name, personal mark, or unique biometric or genetic print or image, in combination with one or more of the following data elements:

      1. A social security number.

      2. A driver's license number, state identification card number, or other individual identification number issued by a state government unit.

      3. A passport number or other identification number issued by the United States government.

      4. An Individual Taxpayer Identification Number; or

      5. A financial or other account number, a credit card number, or a debit card number that, in combination with any required security code, access code, or password, would permit access to an individual's account.

    15. University: University of Maryland Global Campus (UMGC)

    16. User: A member of the UMGC community, including but not limited to staff, faculty, students, alumni, and individuals performing services on behalf of the University, including third party vendors, Contractors, consultants, volunteers and other individuals who may have a need to access, use or control UMGC Data.

  4. Remote Access

    1. When remotely accessing University Information or Information Resources, Users must follow University security policies at all times including the Acceptable Use Policy.

    2. Users must only connect remotely to University Information Resources for approved business use.

    3. Users must follow the password and authentication requirements per the Identity and Access Management Policy.

    4. All remote Information Technology Resources regardless of ownership must have the following appropriate security protections: 1. Up-to-date anti-virus software 2. Up-to-date operating system and relevant security patches 3. Firewall software, if technically feasible

    5. Only University authorized software shall be used. The University may remove any unauthorized software installed on the University's Information Technology Resources.

    6. Remote access through VPN must be activated only when needed and must be deactivated immediately after it is no longer required.

    7. Any User who suspects or becomes aware of a device used for remote access is lost, stolen, or otherwise removed from the Users' control must contact the UMGC technical support service desk as soon as possible by calling 1-888-360-8682, or emailing servicedesk@umgc.edu, or contacting the VP of Information Security at infosec@umgc.edu.

    8. Any method of re-routing University traffic beyond the intended endpoint is prohibited unless authorized.

    9. Users are not permitted to download, or store Information considered confidential or containing PII on their personal remote Information Technology Resources. This includes the transfer of such data to a personal (i.e., non-UMGC managed) cloud storage or any mobile storage device.

    10. All remote access is subject to monitoring and audit.

  5. Exceptions

    Exceptions to this policy should be submitted to the VP of Information Security for review and approval. If an exception is requested a compensating control should be documented and approved.

  6. Enforcement

    1. Suspected violations will be investigated and may result in disciplinary action in accordance with University codes of conduct, policies, or applicable laws. Sanctions may include one or more of the following:

      1. Suspension or termination of access

      2. Removal of devices determined to be using the University's networking resources inappropriately or in violation of the Acceptable Use Policy.

      3. Termination of employment

      4. Student discipline in accordance with applicable University policies

      5. Civil or criminal penalties

    2. Report suspected violations of this policy to infosec@umgc.edu, or to the appropriate Data Steward. Reports of violations are considered Confidential Data until otherwise classified

    3. The University reserves the right to disconnect any resource from University networks until suspected Security Incidents are resolved.

  7. Related Policies/Standards

    1. Acceptable Use

    2. Account Management

    3. Data Classification

    4. Information Security

    5. Information Security Awareness and Training

    6. Information Security Incident Management

  8. Effective Date: This policy is effective as of the Effective Date set forth above.