Remote Access Policy

RELATED COLLEGE POLICIES

Acceptable Use of Information Technology Resources Policy, Electronic Mail Policy, Password Policy, Privacy Policy

POLICY CATEGORY Information Technology Services (ITS)		APPROVAL AUTHORITY President’s Leadership Team
POLICY OWNER Vice President, Information Technology Services and Chief Data Officer		POLICY STAKEHOLDER Data and Technology Council
CONFIDENTIAL LEVEL Public, Internal, Confidential: Public
APPROVAL DATE 9/2019	EFFECTIVE DATE 9/2019		REVIEW FREQUENCY Annual

PURPOSE/SCOPE

The purpose of this policy is to define the process and requirements for remote, direct, and secure connections to any system on the Bristol Community College (“Bristol” or “college”) network. These requirements are designed to minimize potential damages to the Bristol network, which may result from such remote access and/or unauthorized use of college resources. Damages include, but are not limited to, the breach of confidential, sensitive, or organizational information and intellectual property, damage to public image, damage to critical internal systems, the compromise of system functionality or the corruption of information integrity. This policy must be read in conjunction with the Acceptable Use of Information Technology Resources Policy.

This policy applies to all Bristol Community College employees, students, contractors, and third parties (“users”) who may access Bristol applications, systems or hardware remotely through a direct connection. The following persons (“users”) are authorized to use Bristol information technology resources: (1) current faculty; (2) current staff; (3) current students; (4) authorized contractors or vendors; and (5) authorized visitors. This policy does not apply to external facing systems designed to be used online via the internet. External facing systems are systems provided for employees and students to access email, files, or course materials. The applicable College policy/policies shall apply to external facing systems.

POLICY STATEMENT

All remote access to Bristol applications, systems, and hardware shall be authorized and approved in advance, and any access not explicitly authorized and approved is prohibited. Remote direct access to specific applications, systems, components, and technology infrastructure shall only be granted to users with a legitimate business or academic need for such access.

The level of access granted and privileges assigned shall be limited to the minimum required to perform assigned duties. Employees and third parties authorized to utilize remote connections shall ensure that unauthorized users are not allowed access to the Bristol internal network utilizing these connections. All individuals and machines, while accessing the network, including college-owned and personal equipment, are an extension of Bristol network.

All devices, including personally owned computers that are directly connected to the network via remote access technologies, must use current anti-virus software and patches. Security patches for installed operating systems, web browsers, and common applications shall be applied. A firewall must be enabled on each applicable device.

Remote access services may be used only to conduct college-related work. Personal, private, or commercial use of any service available remotely is not permitted. Users agree to protect Bristol information assets from unauthorized access, viewing, disclosure, alteration, loss, damage, or destruction. Remote access to data or services may not be used to copy private or personal information such as that residing on a privately-owned computer, to college file shares or other college-owned information systems. Remote access to data or services may not be used to store college information on a personal system, file share or other non-college owned system without prior approval from Information Technology Services.

ENFORCEMENT

Any employee found to have violated this policy, intentionally or unintentionally, may be subject to disciplinary action, up to and including loss of access rights, or termination of employment.

Any student found to have violated this policy, intentionally or unintentionally, may be subject to disciplinary action, up to and including expulsion from the college.

Any contractor or third party found to have violated this policy, intentionally or unintentionally, may be subject to legal action.

ROLES AND RESPONSIBILITIES

This section provides details on the college personnel who will take part in the development, approval, and to whom the policy applies.

ROLE	RESPONSIBILITY
Information Technology Services	Ensure awareness and compliance with this policy; Review this policy periodically and update as needed in response to environmental and/or operational changes; Ensure that this policy and all component policies and procedures are maintained and implemented; Determine which employees need remote access to their resources; Ensure that individuals assigned to remotely access their applications are authorized and assigned duties require access capabilities; Ensure that the IT infrastructure is protected against unauthorized remote access.
All Users	Understand and adhere to this policy; Safeguard user IDs and passwords; Immediately report suspected violations of this policy to manager or Information Technology Services.

RELEVANT REGULATIONS

This section provides a crosswalk for this policy to the applicable best practice security frameworks, both within Massachusetts and at the national level.

Framework CIS Critical Security Controls v6.1	Regulations and Requirements PCI DSS - MA 201	Supporting Standards and Procedures
CSC 5 - Controlled Use of Administrative Privileges CSC 14 - Controlled Access Based on Need to Know CSC 16 - Account Monitoring and Control	PCI Requirement 2 - Do not use vendor-supplied defaults for system passwords and other security parameters PCI Requirement 8 - Identify and authenticate access to system components. PCI Requirement 12 - Maintain a policy that addresses information security for all personnel. MA 201 CMR 17:00 - Section 17.04	COBIT 5 DSS05 - Manage Security Services COBIT 4.1 - DS5.3 Identity Management DS5.4 User Account Management NIST Core Framework - PR.MA-2, PR.PT-3, PR-AC-3, PR-AC-4, PR.AT-2

REVISION HISTORY

This section contains information on the approval and revision history for this policy.

Version Number	Issued Date	Approval	Description of Changes
1.0	3/2016	Massachusetts CIO Council	Development and adoption of collaborative and standardized IT policies
1.0	7/2016	Massachusetts Community College Counsel’s Office	Recommendation on contents provided by college counsel
1.0	12/2016	Standardized Control Framework	Mapping of Controls from COBIT to CIS Critical Security Controls v6.1
1.0	9/2019	President’s Leadership Team	Policy adoption

POLICY CONTACT

Name:Jo-Ann Pelletier

Title:Vice President, Information Technology Services and Chief Data Officer

Email:jo-ann.pelletier@bristolcc.edu

Phone:774.357.2412

Contact Details

Information Technology Services

777 Elsbree Street
Fall River, MA 02720

Phone: 774.357.3333

Email: its@bristolcc.edu

Location: A209

Find a Course

Select your desired term, location and subject to begin your search.

UPCOMING EVENTS

Non-Discrimination Policy
Bristol Community College is committed to a policy of affirmative action and non-discrimination. Contact diversitytitleix@bristolcc.edu.

Title IX Coordinator
Gia Sanchez
777 Elsbree Street, D206
Fall River, MA 02720
phone: 774-357-2264 email: diversitytitleix@bristolcc.edu

Find us on:

Call us on: 774.357.2811774.357.2811