Remote Access Policy

RELATED COLLEGE POLICIES 

Acceptable Use of Information Technology Resources Policy, Electronic Mail Policy, Password Policy, Privacy Policy 

POLICY CATEGORY 

Information Technology Services (ITS) 

APPROVAL AUTHORITY 

President’s Leadership Team 

POLICY OWNER 

Vice President, Information Technology Services and Chief Data Officer 

POLICY STAKEHOLDER 

Data and Technology Council 

CONFIDENTIAL LEVEL (Public, Internal, Confidential)

Public

APPROVAL DATE 

9/2019 

EFFECTIVE DATE 

9/2019 

REVIEW FREQUENCY 

Annual 

PURPOSE/SCOPE  

The purpose of this policy is to define the process and requirements for remote, direct, and secure connections to any system on the Bristol Community College (“Bristol” or “college”) network. These requirements are designed to minimize potential damages to the Bristol network that may result from such remote access and/or unauthorized use of college resources. Damages include, but are not limited to, the breach of confidential, sensitive, or organizational information and intellectual property, damage to public image, damage to critical internal systems, the compromise of system functionality, or the corruption of information integrity. This policy must be read in conjunction with the Acceptable Use of Information Technology Resources Policy.

This policy applies to all Bristol Community College employees, students, contractors, and third parties (“users”) who may access Bristol applications, systems, or hardware remotely through a direct connection. The following persons are authorized to use Bristol information technology resources: (1) current faculty; (2) current staff; (3) current students; (4) authorized contractors or vendors; and (5) authorized visitors. This policy does not apply to external-facing systems designed to be used online via the internet. External-facing systems are systems provided for employees and students to access email, files, or course materials. The applicable college policy or policies shall apply to external-facing systems.

POLICY STATEMENT 

All remote access to Bristol applications, systems, and hardware shall be authorized and approved in advance, and any access not explicitly authorized and approved is prohibited. Remote direct access to specific applications, systems, components, and technology infrastructure shall only be granted to users with a legitimate business or academic need for such access.  

The level of access granted and privileges assigned shall be limited to the minimum required to perform assigned duties. Employees and third parties authorized to utilize remote connections shall ensure that unauthorized users are not allowed access to the Bristol internal network through these connections. All individuals and machines, while accessing the network, including college-owned and personal equipment, are an extension of the Bristol network.

All devices, including personally owned computers, that are directly connected to the network via remote access technologies must run current anti-virus software and be fully patched. Security patches for installed operating systems, web browsers, and common applications shall be applied. A firewall must be enabled on each applicable device.

Remote access services may be used only to conduct college-related work. Personal, private, or commercial use of any service available remotely is not permitted. Users agree to protect Bristol information assets from unauthorized access, viewing, disclosure, alteration, loss, damage, or destruction. Remote access to data or services may not be used to copy private or personal information, such as that residing on a privately owned computer, to college file shares or other college-owned information systems. Remote access to data or services may not be used to store college information on a personal system, file share, or other non-college-owned system without prior approval from Information Technology Services.

ENFORCEMENT

Any employee found to have violated this policy, intentionally or unintentionally, may be subject to disciplinary action, up to and including loss of access rights, or termination of employment.  

Any student found to have violated this policy, intentionally or unintentionally, may be subject to disciplinary action, up to and including expulsion from the college.

Any contractor or third party found to have violated this policy, intentionally or unintentionally, may be subject to legal action.  

ROLES AND RESPONSIBILITIES 

This section identifies the college personnel who take part in the development and approval of this policy and those to whom the policy applies.

ROLE: Information Technology Services

RESPONSIBILITIES:

  • Ensure awareness of and compliance with this policy;
  • Review this policy periodically and update it as needed in response to environmental and/or operational changes;
  • Ensure that this policy and all component policies and procedures are maintained and implemented;
  • Determine which employees need remote access to ITS resources;
  • Ensure that individuals assigned to remotely access ITS applications are authorized and that their assigned duties require such access;
  • Ensure that the IT infrastructure is protected against unauthorized remote access.

ROLE: All Users

RESPONSIBILITIES:

  • Understand and adhere to this policy;
  • Safeguard user IDs and passwords;
  • Immediately report suspected violations of this policy to their manager or to Information Technology Services.

RELEVANT REGULATIONS 

This section provides a crosswalk for this policy to the applicable best practice security frameworks, both within Massachusetts and at the national level.  

Framework: CIS Critical Security Controls v6.1

  • CSC 5 - Controlled Use of Administrative Privileges
  • CSC 14 - Controlled Access Based on Need to Know
  • CSC 16 - Account Monitoring and Control

Regulations and Requirements: PCI DSS - MA 201

  • PCI Requirement 2 - Do not use vendor-supplied defaults for system passwords and other security parameters
  • PCI Requirement 8 - Identify and authenticate access to system components
  • PCI Requirement 12 - Maintain a policy that addresses information security for all personnel
  • MA 201 CMR 17.00 - Section 17.04

Supporting Standards and Procedures

  • COBIT 5 DSS05 - Manage Security Services
  • COBIT 4.1 - DS5.3 Identity Management
  • COBIT 4.1 - DS5.4 User Account Management
  • NIST Cybersecurity Framework Core - PR.MA-2, PR.PT-3, PR.AC-3, PR.AC-4, PR.AT-2

REVISION HISTORY 

This section contains information on the approval and revision history for this policy. 

Version Number   Issued Date   Approval                                          Description of Changes
1.0              3/2016        Massachusetts CIO Council                         Development and adoption of collaborative and standardized IT policies
1.0              7/2016        Massachusetts Community College Counsel’s Office  Recommendation on contents provided by college counsel
1.0              12/2016       Standardized Control Framework                    Mapping of controls from COBIT to CIS Critical Security Controls v6.1
1.0              9/2019        President’s Leadership Team                       Policy adoption

POLICY CONTACT 

Name: Jo-Ann Pelletier

Title: Vice President, Information Technology Services and Chief Data Officer

Phone: 774.357.2412