Remote Access Policy
Remote access to technical resources via VPN (Virtual Private Network) has been commonplace for several years now. Typically, a remote user connecting from home or anywhere outside the campus network uses a broadband provider such as Comcast or Verizon and is on the provider’s network. By invoking the VPN software, which requires user authentication with College credentials, the remote computer is made to appear as though it is on the Wellesley College network. As a result, the computer from home will have very similar access to the technical services that a computer on the College network has.
This policy is necessary because we have an obligation to protect College resources and we have very little knowledge of the remote computer and how secure it is.
The purpose of this policy is to define standards for connecting to the Wellesley College network from any host. These standards are designed to minimize the potential threat to Wellesley College information technology resources and thereby protect secure college data.
This policy applies to all Wellesley College employees, contractors and agents (hereafter referred to as “user”) with a Wellesley College-owned or personally-owned computer or workstation used to connect to the Wellesley College network. This policy applies to remote access connections used to do work on behalf of Wellesley College including reading or sending email and viewing intranet web resources.
It is the responsibility of Wellesley College users with remote access privileges to Wellesley College’s network to ensure that their remote access connection is given the same consideration as the user's on-site connection. It also their responsibility to protect their user credentials to prevent unauthorized users from accessing the Wellesley College network. Any user authorized with remote access bears responsibility for the consequences should the access be misused.
Secure remote access must be strictly controlled. Control will be enforced via domain password authentication. For information on creating a strong domain password see Wellesley College’s Password Guidelines.
The login page for the VPN will explicitly state the responsibilities of the user, specifically the need to keep the operating systems and virus protection and malware protection software updated on the remote computer. For minimum configuration requirements, see the “Computing Resources for Remote Access”. The login page will also provide a link to the Wellesley College Acceptable Use Policy, which outlines general responsibilities a user must follow when accessing the network, whether remotely or on campus.
At no time should any Wellesley College user provide their login or email password to anyone, including family members. Wellesley College users with remote access privileges must ensure that their Wellesley College-owned or personal computer or workstation, which is remotely connected to the Wellesley College network, is not connected to any other network at the same time, with the exception of personal networks that are under the complete control of the user.
4.3 Additional Requirements for Accessing Secure Data Remotely
There is a group of users who have access to sensitive data such as personally identifiable information about others. In order to access such data remotely, they will be required to complete a mandatory online security awareness training and sign a statement agreeing to safeguard the data as required in the Written Information Security Program (WISP).
4.4 Additional Requirement for Contract Workers
Any contract worker requesting remote access privileges to the Wellesley College network, systems and data contained therein must submit a signed copy of the System Access Agreement for Contract Workers before he or she will be granted access. In signing the agreement, the contract worker acknowledges that he or she has read and agrees to abide by this Remote Access Policy and the Wellesley College Acceptable Use Policy. If the contract worker will have access to secure data, he or she will be required to complete the online security awareness training as outlined in section 4.3 above.
Failure to abide by the responsibilities outlined in this policy will result in the user’s remote access capability being revoked until he or she produces proof that the problems have been remedied. Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. Any contractor that violates this policy will have access privileges revoked immediately and will be subject to fines that are at a minimum equivalent to any and all damages incurred by the College. He or she may additionally be subject to legal action.
6.0 Policies Cross-Referenced
7.0 Effective Date
This policy was implemented 5/11/11 and revised 10/8/13.