Anglia Ruskin University Information Security Policy 104 Staff Remote Access

Nov 3, 2013 (3 years and 8 months ago)

ARU - Version 0.3 - March 2009

Anglia Ruskin University Information Security Policy 104: Staff Remote Access


A member of staff seeking access from a remote workstation or laptop via a virtual private network (VPN) connection to University applications on which corporate data is stored must be subject to all security checks applied to other internal users.

This policy is not intended to cover the use of web-based connections (such as Outlook Web Access (OWA) and the like).


Only remote access methods provided by ISMS should be used to access University facilities.

It is acceptable to connect a University-issued laptop to a third-party network (such as a home broadband, hotel, airport, or hotspot network) in order to access the University network remotely.


Where staff members are supplied with a workstation or laptop computer for off-site use by the University, it is their personal responsibility to take due care and consideration to ensure that it is kept secure.

Users of wireless mobile e-mail devices such as PDAs must only use University-provided equipment and services if they wish to have support or any level of service agreement, and must comply with all University requirements in their use. Otherwise, such services are the owner’s personal responsibility.

If a wireless e-mail device is lost or stolen, the user must immediately notify ISMS so the device can be deactivated and the user’s mail file protected. Additionally, users should not attempt to change the security settings that are in place on the device. PDAs that will be used to store, transmit, process, or access University systems, files, data, and/or e-mail systems should have security controls in place designed to prevent compromise of the information. These controls must include a power-on password and virus protection software.

Security mechanisms designed to protect remote work stations and laptops, as well as the data contained on them, should be used where possible. These security mechanisms may include (but are not limited to):

- disk and/or file encryption
- personal firewall software (such as Windows or Apple Mac)
- virus protection software (such as AVG; McAfee; Sophos; Norton)
- operating system passwords
- password protected screen savers
- physical security controls
- locking cables (which can be obtained as part of the initial purchase)

It is permissible for personnel (contractors, employees or vendors) to connect their own work stations, laptops, or other computer equipment to the University network, and a visitor access mechanism has been implemented to facilitate this. However, as use of the University network and services should only be for work purposes, the appropriate approach for University employees should be the supply of a University-purchased work station for the purpose. This practice applies both to in-office connections and to remote connections.


In the event that connection of a non-University device to the private network is unavoidable, the following restrictions apply:

- Appropriate investigation and testing should be undertaken prior to connection to ensure that the machine’s hardware and software will not be detrimental to the performance of the University’s network. This can be facilitated by ISMS.
- Anti-virus software, configured appropriately and regularly updated, should be installed on the machine (such as AVG; McAfee; Sophos; Norton).
- The machine must be running a supported operating system and be confirmed to be patched (with relevant security and functionality patches) to the current level of University workstations (i.e. Windows XP to SP3; Mac OS10).
- For contract staff, contract terms must include a provision for cessation of use and de-installation of any University software - whether in-house or purchased - when the contract is terminated.
- Arrangements should be made to ensure that the University’s software - whether in-house or purchased - is de-installed when the requirement for the connection ceases, or beforehand, if employment or contract term ceases. (Responsibility for this action rests with the person who, or business unit which, made the arrangements.)
- A software based personal firewall such as Windows or Mac Firewall must be installed and active on the system to be connected to the University network.

Users are discouraged from using their own personally owned work stations to undertake University-related work as those systems are not generally configured with the same degree of protection mechanisms as a University system. When doing this, the data, and in some cases applications, are transferred to the non-University work stations via a variety of routes such as:

- diskettes
- CD, DVDs
- tapes and cartridges
- via e-mail attachments
- via USB memory devices

Appropriate steps must be taken, in advance (including encryption where appropriate), to ensure that any potential risks to the University’s information and interests are identified and effectively addressed.