Remote Access Policy


Acceptable Use of Information Technology Resources Policy, Electronic Mail Policy, Password Policy, Privacy Policy 


Information Technology Services (ITS) 


President’s Leadership Team 


Vice President, Information Technology Services and Chief Data Officer 


Data and Technology Council 

CONFIDENTIAL LEVEL Public, Internal, Confidential:  Public 








The purpose of this policy is to define the process and requirements for remote, direct, and secure connections to any system on the Bristol Community College (“Bristol” or “college”) network. These requirements are designed to minimize potential damages to the Bristol network, which may result from such remote access and/or unauthorized use of college resources. Damages include, but are not limited to, the breach of confidential, sensitive, or organizational information and intellectual property, damage to public image, damage to critical internal systems, the compromise of system functionality or the corruption of information integrity. This policy must be read in conjunction with the Acceptable Use of Information Technology Resources Policy 

This policy applies to all Bristol Community College employees, students, contractors, and third parties (“users”) who may access Bristol applications, systems or hardware remotely through a direct connection. The following persons (“users”) are authorized to use Bristol information technology resources: (1) current faculty; (2) current staff; (3) current students; (4) authorized contractors or vendors; and (5) authorized visitors. This policy does not apply to external facing systems designed to be used online via the internet. External facing systems are systems provided for employees and students to access email, files, or course materials. The applicable College policy/policies shall apply to external facing systems. 


All remote access to Bristol applications, systems, and hardware shall be authorized and approved in advance, and any access not explicitly authorized and approved is prohibited. Remote direct access to specific applications, systems, components, and technology infrastructure shall only be granted to users with a legitimate business or academic need for such access.  

The level of access granted and privileges assigned shall be limited to the minimum required to perform assigned duties. Employees and third parties authorized to utilize remote connections shall ensure that unauthorized users are not allowed access to the Bristol internal network utilizing these connections. All individuals and machines, while accessing the network, including college-owned and personal equipment, are an extension of Bristol network.  

All devices, including personally owned computers that are directly connected to the network via remote access technologies, must use current anti-virus software and patches. Security patches for installed operating systems, web browsers, and common applications shall be applied. A firewall must be enabled on each applicable device. 

Remote access services may be used only to conduct college-related work. Personal, private, or commercial use of any service available remotely is not permitted. Users agree to protect Bristol information assets from unauthorized access, viewing, disclosure, alteration, loss, damage, or destruction. Remote access to data or services may not be used to copy private or personal information such as that residing on a privately-owned computer, to college file shares or other college-owned information systems. Remote access to data or services may not be used to store college information on a personal system, file share or other non-college owned system without prior approval from Information Technology Services.  


Any employee found to have violated this policy, intentionally or unintentionally, may be subject to disciplinary action, up to and including loss of access rights, or termination of employment.  

 Any student found to have violated this policy, intentionally or unintentionally, may be subject to disciplinary action, up to and including expulsion from the college.  

Any contractor or third party found to have violated this policy, intentionally or unintentionally, may be subject to legal action.  


 This section provides details on the college personnel who will take part in the development, approval, and to whom the policy applies.  



Information Technology Services 

  • Ensure awareness and compliance with this policy; 
  • Review this policy periodically and update as needed in response to environmental and/or operational changes; 
  • Ensure that this policy and all component policies and procedures are maintained and implemented; 
  • Determine which employees need remote access to their resources; 
  • Ensure that individuals assigned to remotely access their applications are authorized and assigned duties require access capabilities;  
  • Ensure that the IT infrastructure is protected against unauthorized remote access.  

All Users 

  • Understand and adhere to this policy;  
  • Safeguard user IDs and passwords; 
  • Immediately report suspected violations of this policy to manager or Information Technology Services. 


This section provides a crosswalk for this policy to the applicable best practice security frameworks, both within Massachusetts and at the national level.  


CIS Critical Security Controls v6.1 

Regulations and Requirements 

PCI DSS - MA 201 


Standards and Procedures 

  • CSC  5 - Controlled Use of Administrative Privileges 
  • CSC 14 - Controlled Access Based on Need to Know 
  • CSC 16 - Account Monitoring and Control 


  • PCI Requirement 2 - Do not use vendor-supplied defaults for system passwords and other security parameters 
  • PCI Requirement 8 - Identify and authenticate access to system components. 
  • PCI Requirement 12 - Maintain a policy that addresses information security for all personnel. 
  • MA 201 CMR 17:00 - Section 17.04 
  • COBIT 5 DSS05 - Manage Security Services 
  • COBIT 4.1 - DS5.3 Identity Management  
  • DS5.4 User Account Management 
  • NIST Core Framework - PR.MA-2, PR.PT-3, PR-AC-3, PR-AC-4, PR.AT-2 


This section contains information on the approval and revision history for this policy. 

Version Number 

Issued Date 


Description of Changes 



Massachusetts CIO Council 

Development and adoption of collaborative and standardized IT policies 



Massachusetts Community College Counsel’s Office 

Recommendation on contents provided by college counsel 



Standardized Control Framework 

Mapping of Controls from COBIT to CIS Critical Security Controls v6.1 



President’s Leadership Team 

Policy adoption 


Name:Jo-Ann Pelletier 

Title:Vice President, Information Technology Services and Chief Data Officer