MENU
L3Harris Commons

VPN Access Policy

Applies to:Original Policy Date:Date of Last Review:Approved by:
Students, faculty, staff, consultants, contractors, agents, and authorized users August 2024 August 2024 Dr. John Nicklow, President

Policy Owner: Information Technology Department

Policy Purpose

This policy establishes the requirements and procedures for granting Virtual Private Network (VPN) access to university resources. It aims to enhance operational efficiency, ensure security, and comply with relevant regulations and standards by formalizing the process of requesting and approving VPN access. This policy supports the protection of university resources by encrypting data transmitted over the network, ensuring that only authorized users can access university systems and preventing unauthorized access or data breaches.

Policy Scope

This policy applies to all university faculty, staff, contractors, and students who require VPN access to university resources. Exceptions to this policy may only be granted by the CIO.

Policy Statement

All requests for VPN access must be submitted through the Identity Access Management tool. Requests must include a clear justification for the need for VPN access, the specific services or servers that need to be accessed, and the duration of access (temporary or permanent). For all students and contractors, we will also require the contact information of their sponsor. VPN access helps in protecting university data and compliance with relevant data protection laws.

Procedures/Guidelines

  1. Request Submission:
    • All VPN access requests must be submitted via the Identity Access Management tool.
    • The request must include:
      • Detailed justification for VPN access.
      • List of services/servers that need to be accessed.
      • Duration of access (specific period or permanent).
      • Contact information of sponsor.
      • Any additional information that supports the request.
  2. Review and Approval:
    • The Information Security Officer (ISO) and IT.
    • Requests will be evaluated based on necessity, security implications, and adherence to the university’s Information Security Program.
    • The requester will be notified of the approval or denial of the request.
  3. Access Provisioning:
    • Upon approval, VPN access will be provisioned by the IT department.
    • Access will be granted only to the specified services/servers and for the approved duration.
  4. Access Monitoring and Renewal:
    • VPN access will be monitored for compliance and security by the Security Operations Centre.
    • Temporary access will be reviewed upon expiration, and users must reapply if continued access is required.
    • Permanent access will be reviewed annually to ensure ongoing necessity.
  5. Revocation of Access:
    • The IT department reserves the right to revoke VPN access at any time if security concerns arise or if access is no longer justified.

Definitions

  • VPN (Virtual Private Network): A secure connection method used to protect data while it travels over the internet by encrypting it.
  • Security Operations Center (SOC): A centralized unit that deals with security issues on an organizational and technical level. It is responsible for monitoring, detecting, analyzing, and responding to cybersecurity incidents and threats in real-time.

Compliance Reference

  • Family Educational Rights and Privacy Act (FERPA): Ensures the privacy of student education records. VPN access must comply with FERPA to protect sensitive student data during remote access.
  • Gramm-Leach-Bliley Act (GLBA): Requires institutions to protect customer financial information. VPN access must comply with GLBA to safeguard financial and personal information.
  • Health Insurance Portability and Accountability Act (HIPAA): Ensures the privacy and security of health information. VPN access must comply with HIPAA to protect health data.

Responsibilities

  • IT Department:
    • Review and approve VPN access requests.
    • Monitor VPN access for compliance and security.
    • Provision VPN access.
    • Revoke VPN access if necessary.
    • Maintain records of VPN access.
  • End Users:
    • Submit detailed and accurate VPN access requests.
    • Comply with university policies and guidelines.

Enforcement

Violations of this policy, including unauthorized access or misuse of VPN privileges, will result in disciplinary action in accordance with university policies. This may include revocation of access.

Edit Page