Remote Access Policy
Arkansas Tech University
Purpose

The purpose of this policy is to define standards, procedures, and restrictions for connecting to Arkansas Tech University’s internal network(s) from external hosts via remote access technology, and/or for utilizing the Internet for business purposes via third-party wireless Internet service providers (a.k.a. “hotspots”). ATU’s resources (i.e. university data, computer systems, networks, databases, etc.) must be protected from unauthorized use and/or malicious attack that could result in loss of information, damage to critical applications, loss of revenue, and damage to our public image. Therefore, all remote access and mobile privileges for ATU employees to enterprise resources – and for wireless Internet access via hotspots – must employ only university-approved methods.

Scope

This policy applies to all ATU employees, including full-time staff, part-time staff, contractors, freelancers, and other agents who utilize university- or personally-owned computers to remotely access the organization’s data and networks. Any and all work performed for ATU on said computers by any and all employees, through a remote access connection of any kind, is covered by this policy. Work can include (but is not limited to) e-mail correspondence, Web browsing, utilizing intranet resources, and any other university application used over the Internet. Remote access is defined as any connection to ATU’s network and/or other applications from off-site locations, such as the employee’s home, a hotel room, airports, cafés, satellite office, wireless devices, etc..

Supported Technology

All remote access will be centrally managed by ATU’s Office of Information Systems and will utilize encryption and strong authentication measures. Remote access connections covered by this policy include (but are not limited to) DSL, VPN, SSH, cable modems, proprietary remote access/control software, etc..

The following table outlines ATU’s minimum system requirements for a computer, workstation, or related device to comply with ATU’s systems. Those who do not meet these requirements must upgrade their machines, or face being denied remote access privileges. 
 
PC and PC-Compliant Computers
Macintosh Computers
Handhelds, PDAs and Portables

Policy and Appropriate Use

It is the responsibility of any employee of ATU with remote access privileges to ensure that their remote access connection remains as secure as his or her network access within the office. It is imperative that any remote access connection used to conduct ATU business be utilized appropriately, responsibly, and ethically. Therefore, the following rules must be observed:

  1. General access to the Internet by residential remote users through ATU’s network is permitted. However, both the employee and his/her family members using the Internet for recreational purposes through university networks are not to violate any of ATU’s acceptable computer use policies.
  2. Employees will use secure remote access procedures. This will be enforced through public/private key encrypted strong passwords in accordance with ATU’s password policy. Employees agree to never disclose their passwords to anyone, particularly to family members if business work is conducted from home. 
  3. All remote computer equipment and devices used for business interests, whether personal- or university-owned, must display reasonable physical security measures. Computers will have installed whatever antivirus software deemed necessary by the Office of Information Systems. 
  4. Remote users using public hotspots for wireless Internet access must employ for their devices a university-approved personal firewall, VPN, and any other security measure deemed necessary by the Office of Information Systems. VPNs supplied by the wireless service provider should also be used, but only in conjunction with ATU’s additional security measures.
    *Hotspot and remote users must disconnect wireless cards when not in use in order to mitigate attacks by hackers, wardrivers, and eavesdroppers.
    *Users must apply new passwords every business/personal trip where university data is being utilized over a hotspot wireless service, or when a university device is used for personal Web browsing.
  5. Any remote connection (i.e. hotspot, ISDN, frame relay, etc.) that is configured to access ATU resources must adhere to the authentication requirements of the Office of Information Systems. In addition, all hardware security configurations (personal or university owned) must be approved by the Office of Information Systems. 
  6. Employees, contractors, and temporary staff will make no modifications of any kind to the remote access connection without the express approval of the Office of Information Systems. This includes, but is not limited to, split tunneling, dual homing, non-standard hardware or security configurations, etc. 
  7. Employees, contractors, and temporary staff with remote access privileges must ensure that their computers are not connected to any other network while connected to ATU’s network via remote access, with the obvious exception of Internet connectivity.
  8. In order to avoid confusing official university business with personal communications, employees, contractors, and temporary staff with remote access privileges must never use non-university e-mail accounts (e.g. Hotmail, Yahoo, etc.) to conduct university business.
  9. No employee is to use Internet access through university networks via remote connection for the purpose of illegal transactions, harassment, competitor interests, or obscene behavior, in accordance with other existing employee policies.
  10. All remote access connections must include a “time-out” system. In accordance with ATU’s security policies, remote access sessions will time out after 2 hours of inactivity, and will terminate after 16 hours of continuous connection. Both timeouts will require the user to reconnect and re-authenticate in order to re-enter university networks.
  11. If a personally- or university-owned computer or related equipment used for remote access is damaged, lost, or stolen, the authorized user will be responsible for notifying their manager and the Office of Information Systems immediately. The remote access user also agrees to immediately report to their manager and the Office of Information Systems any incident or suspected incidents of unauthorized access and/or disclosure of university resources, databases, networks, etc.
  12. The remote access user also agrees to and accepts that his or her access and/or connection to ATU’s networks may be monitored to record dates, times, duration of access, etc., in order to identify unusual usage patterns or other suspicious activity. As with in-house computers, this is done in order to identify accounts/computers that may have been compromised by external parties. 

Any questions relating to this policy should be directed to Ken Wester, director of the Office of Information Systems, at kwester@atu.edu.

Policy Non-Compliance

Failure to comply with the Remote Access Policy and Agreement may result in the suspension of remote access privileges, disciplinary action, and possibly termination of employment.