Remote Access Policy
RELATED COLLEGE POLICIES
Acceptable Use of Information Technology Resources Policy, Electronic Mail Policy, Password Policy, Privacy Policy
POLICY CATEGORY: Information Technology Services (ITS)
APPROVAL AUTHORITY: President’s Leadership Team
POLICY OWNER: Vice President, Information Technology Services and Chief Data Officer
POLICY STAKEHOLDER: Data and Technology Council
CONFIDENTIAL LEVEL (Public, Internal, Confidential): Public
APPROVAL DATE: 9/2019
EFFECTIVE DATE: 9/2019
REVIEW FREQUENCY: Annual
PURPOSE/SCOPE
The purpose of this policy is to define the process and requirements for remote, direct, and secure connections to any system on the Bristol Community College (“Bristol” or “college”) network. These requirements are designed to minimize potential damages to the Bristol network, which may result from such remote access and/or unauthorized use of college resources. Damages include, but are not limited to, the breach of confidential, sensitive, or organizational information and intellectual property, damage to public image, damage to critical internal systems, the compromise of system functionality or the corruption of information integrity. This policy must be read in conjunction with the Acceptable Use of Information Technology Resources Policy.
This policy applies to all Bristol Community College employees, students, contractors, and third parties (“users”) who may access Bristol applications, systems or hardware remotely through a direct connection. The following persons (“users”) are authorized to use Bristol information technology resources: (1) current faculty; (2) current staff; (3) current students; (4) authorized contractors or vendors; and (5) authorized visitors. This policy does not apply to external facing systems designed to be used online via the internet. External facing systems are systems provided for employees and students to access email, files, or course materials. The applicable College policy/policies shall apply to external facing systems.
POLICY STATEMENT
All remote access to Bristol applications, systems, and hardware shall be authorized and approved in advance, and any access not explicitly authorized and approved is prohibited. Remote direct access to specific applications, systems, components, and technology infrastructure shall only be granted to users with a legitimate business or academic need for such access.
The level of access granted and privileges assigned shall be limited to the minimum required to perform assigned duties. Employees and third parties authorized to utilize remote connections shall ensure that unauthorized users are not allowed access to the Bristol internal network utilizing these connections. All individuals and machines, while accessing the network, including college-owned and personal equipment, are an extension of the Bristol network.
All devices, including personally owned computers that are directly connected to the network via remote access technologies, must use current anti-virus software and patches. Security patches for installed operating systems, web browsers, and common applications shall be applied. A firewall must be enabled on each applicable device.
Remote access services may be used only to conduct college-related work. Personal, private, or commercial use of any service available remotely is not permitted. Users agree to protect Bristol information assets from unauthorized access, viewing, disclosure, alteration, loss, damage, or destruction. Remote access to data or services may not be used to copy private or personal information, such as that residing on a privately owned computer, to college file shares or other college-owned information systems. Remote access to data or services may not be used to store college information on a personal system, file share, or other non-college-owned system without prior approval from Information Technology Services.
ENFORCEMENT
Any employee found to have violated this policy, intentionally or unintentionally, may be subject to disciplinary action, up to and including loss of access rights, or termination of employment.
Any student found to have violated this policy, intentionally or unintentionally, may be subject to disciplinary action, up to and including expulsion from the college.
Any contractor or third party found to have violated this policy, intentionally or unintentionally, may be subject to legal action.
ROLES AND RESPONSIBILITIES
ROLE | RESPONSIBILITY
Information Technology Services |
All Users |
RELEVANT REGULATIONS
Framework: CIS Critical Security Controls v6.1
Regulations and Requirements: PCI DSS - MA 201
Supporting Standards and Procedures:
REVISION HISTORY
This section contains information on the approval and revision history for this policy.
Version Number | Issued Date | Approval | Description of Changes
1.0 | 3/2016 | Massachusetts CIO Council | Development and adoption of collaborative and standardized IT policies
1.0 | 7/2016 | Massachusetts Community College Counsel’s Office | Recommendation on contents provided by college counsel
1.0 | 12/2016 | Standardized Control Framework | Mapping of Controls from COBIT to CIS Critical Security Controls v6.1
1.0 | 9/2019 | President’s Leadership Team | Policy adoption
Name: Jo-Ann Pelletier
Title: Vice President, Information Technology Services and Chief Data Officer
Phone: 774.357.2412