IT Resources Remote Access Policy

Version 1.2

For Students, Faculty, Staff, Guests, Alumni

Purpose

The purpose of this policy is to define standards for minimizing security risks that may result from unauthorized remote access to the University’s IT Resources.

Scope

This IT policy, and all policies referenced herein, shall apply to all members of the University community, including faculty, students, administrative officials, staff, alumni, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.

Policy Statement

  • Users must only use remote access for approved business or academic support.  
  • Users who need remote desktop access to their University desktop (e.g., to work from home, access from a conference) must use University-approved software, LogMeIn, provided by IT Service Desk. 
    • The use of remote access software cannot be self-approved.  
    • You must make a request through IT Service Desk.
  • Other than remote desktop access or VPN, users requesting remote access need approval from Information Security and Assurance.
  • Only authorized users can enable the Windows™ Remote Desktop (RDP) and must access the IT Resource assigned to them utilizing the University’s centralized authentication system.
  • Unless Fordham's Office of Information Technology provides the software, installing remote access software is prohibited.  
  • Information Security and Assurance may remove any unauthorized remote software installed on the University’s IT Resources. Any exceptions must be requested from Information Security and Assurance.
  • All remote access is subject to audit per the Logging Standards Policy.
  • Users must follow the password and authentication policies per the Password Management Policy and the Acceptable Uses of IT Infrastructure and Resources Policy.
  • IT Resources must not have multiple interfaces concurrently active per the Dual-Homed Network Policy.
  • Authorized remote User access provisioning and deprovisioning must follow the Provisioning and Deprovisioning Policy.  
  • Remote access should be granted only when needed and should be revoked immediately once it is no longer required.
  • Users must follow the Clean Desk and Clear Screen Guidelines when using remote desktop access.

Definitions

Desktop, for this policy, includes but is not limited to laptops, notebooks, or any “personal computer” that can be accessed remotely.

IT Resources include computing, networking, communications, application, telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and any related materials and services.

Related Policies and Procedures

Implementation Information

Review Frequency: Triennial
Responsible Person: Senior Director of IT Security and Assurance
Approved By: CISO
Approval Date: November 13, 2019

Revision History

Version Date Description
1.0 11/13/2019 Initial document
1.1 11/20/2020 Annual review edits added related documents
1.2 05/31/2023 Updated policy statement

Policy Disclaimer Statement

Deviations from policies, procedures, or guidelines published and approved by Information Security and Assurance (ISA) may only be done cooperatively between ISA and the requesting entity with sufficient time to allow for appropriate risk analysis, documentation, and possible presentation to authorized University representatives. Failure to adhere to ISA written policies may be met with University sanctions.
