University Policies

Page tree

Versions Compared

Old Version 2

changes.mady.by.user Raghu, Rachana

Saved on

compared with

New Version Current

changes.mady.by.user O'Neill, Erin E.

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

ROWAN UNIVERSITY POLICY

 


Title: Remote Access Policy
Subject: Information

...

Security                                                     

...


Policy No: ISO:2013:

...

15                                                             

...

  
Applies: University-Wide
Issuing Authority:

...

Senior Vice President for Information Resources and Technology and Chief Information

...

Officer
Responsible Officer:

...

Information Security Officer
Adopted: 07/01/2013

...

Last Revision:

...

12/

...

12/

...

2025
Last

...

Review:

...

12/

...

12/

...

2025

I. PURPOSE

...

Rowan University provides secure remote access technologies that enable authorized users to remotely access the university network and its internal resources.

...

The purpose of this policy is to define standards for connecting to the Rowan University network from any remote host. These standards are designed to minimize the potential exposure to the University from damages which may result from unauthorized use of university resources. Damages include the loss of sensitive or confidential data, intellectual property, damage to public image, damage to critical internal systems, etc.

II. ACCOUNTABILITY

Under the direction of the President, the Chief Information Officer and the

...

Director of Information Security

...

shall implement and ensure compliance with this policy.

III. APPLICABILITY

...

This policy applies to all University employees, students, and affiliates including vendors and agents with a university owned or personally-owned computer or workstation used to connect to

...

B. Remote access implementations that are covered by this policy include, but are not limited to, dial-up modems, DSL, FIOS, VPN, SSH, WiFi and cable modems, etc. 

IV. DEFINITIONS

A. Cable Modem - Cable companies such as Comcast provide Internet access over Cable TV coaxial cable. A cable modem accepts this coaxial cable and can receive data from the Internet at over 1.5 Mbps.

B. Dial-up Modem - A peripheral device that connects computers to each other for sending communications via the telephone lines.

C. Digital Subscriber Line (DSL) - Is a form of high-speed Internet access used over standard phone lines.

...

the Rowan Network.

E. Remote Access - Connection to a data-processing system from a remote location, for example through a virtual private network.

...

G. Virtual Private Network (VPN) - Extends a private network across a public network, such as the Internet using secure communication.

H. Wi-Fi - Wireless networking technology that uses radio waves to provide wireless high-speed Internet and network connections. A Wi-Fi enabled device such as a PC, mobile phone, or PDA can connect to the Internet when within range of a wireless network.

V. REFERENCES

A. Information Security Policy

VI. POLICY

...

Remote access is provided for university related activity only. All devices that are used to connect to the

...

Rowan Network through an approved remote access technology are considered to be extensions of the

...

Rowan Network and are subject to all applicable university policies, standards and rules.

Students will not be granted remote access privileges.

Affiliates (personnel that are not faculty or staff at the University) who require remote access privileges will be granted access on a case by case basis. Affiliations may be requested by faculty and staff and are subject to an annual approval process.

The purpose of this policy is to define standards for connecting to the Rowan University network from any remote host. These standards are designed to minimize the potential exposure to the University from damages which may result from unauthorized use of university resources. Damages include the loss of sensitive or confidential data, intellectual property, damage to public image, damage to critical internal systems, etc.

B. Technology Configuration and Management

IV. DEFINITIONS

Refer to the Rowan University Technology Terms and Definitions for terms and definitions that are used in this policy.

V. POLICY

All University systems must comply with the following requirements:

  1. All university remote access technologies will be configured and managed by the
    2. university
  2. Division of  Information Resources & Technology (IRT)
    3. team.
  3. .
  4. All remote access must use university-approved, end-to-end encrypted protocols such as TLS x.x, IPsec, SSH, etc. 
  5. All university remote access technologies must be configured to automatically disconnect after a preset amount of inactivity and/or after a predetermined length of time.
  6. Remote access sessions will be logged and monitored in accordance with IRT standards and practices.
  7. All university remote access technologies must employ a secure multi-factor authentication mechanism in accordance with IRT standards and practices.
  8. Devices that are used to remotely connect to university administrative applications must also be managed by IRT.
  9. The following configuration requirements must be enabled on all devices that support them:
    1. Antivirus software must be installed and configured to scan on a recurring schedule.
    2. The latest antivirus definitions must be updated and installed on a recurring schedule.
    3. The latest available patches for the remote access device’s operating system and applications must be configured to automatically download and install on a recurring schedule.
  10. The deployment of new remote access technologies must be approved by the Information Security Office (ISO) and IRT management
    11. .

C. Authorization

    All new or current employees, faculty and staff that require remote access as a function of their job must have their supervising manager or director send an email to the university Helpdesk (support@rowan
  1. .
    2. edu) requesting access.
  3. All contractors and vendors that require remote access as part of their job requirements with the university must complete security awareness training and fill out and sign the university remote access request form and Non-Disclosure Agreement (NDR). Each request will be reviewed and approved by the ISO and IRT management.
  4. Any exceptions to the authorization process or access model must be reviewed and approved by the Chief Information Security Officer and Director of Networks & System Services.

D. Requirements:

    Non-University owned devices
  1. Non-Rowan-managed devices used for remote access cannot be used to store
    2. (
  2. or save
    3. ) data on any devices used for remote access. (Refer to university Data Governance Policy
  3. confidential data. (Review our data classification article for full details on data types and appropriate usage.)
  4. Remote access
    5. to internal university applications and networks is currently limited to Citrix technologies, authorized VPN technologies and Internet Web Access technologies. Remote access
  5. users must not share their login credentials and should take all reasonable efforts to avert accidental disclosure.
  6. In order to connect to remote access technologies from off campus a high-speed internet connection is recommended (i.e. cable modem, DSL, FIOS).
    7. Faculty, Staff and affiliates with remote access privileges
  7. Remote access users must ensure that their
    8. University owned or personal computer or workstation, which is
  8. remotely connected
    9. to the university network,
  9. workstation is not connected to any other external network at the same time.
  10. Students will be granted remote access privileges only from Rowan-managed systems.
  11. Affiliates that require a permanent remote access connection must be approved by the
    12. Chief
  12. Information Security
    13. Officer and Director of Networks & System Services, and must be configured to use VPN tunneling
  13. Office.

VII. NON-COMPLIANCE AND SANCTIONS

...

Violation of this policy may result in disciplinary action up to and including termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; dismissal for interns and volunteers.

...

 Any exceptions to this policy must be approved by the Information Security Office.


 

By Direction of the CIO:   Image Removed                                                                        

__________________________________

Mira Lalovic-Hand,
VP SVP and Chief Information Officer