Remote Access and Virtual Private Network (VPN) Security Policy

Policy Name:  Remote Access and Virtual Private Network (VPN) Security
Policy Number: IT- 6003
Effective:  2021/05
Revised: Not applicable

Policy Statement

Policy

Approved Holy Family University employees and authorized third parties (contractors, vendors, etc.) may utilize the benefits of VPNs for remote access to the services on the internal Holy Family network.

Procedure:

  1. Remote access must be requested by opening a Help Desk request. Required approvals include the requestor’s vice president and the VP of Information Technology. Remote access consideration is intended for job functions that require remote access to the internal network.
  2. Remote access to the Holy Family Network is for the sole use of the individual only. The individual bears responsibility for the consequences should the access be misused.
  3. VPN Access will be set up and managed by Holy Family University network operational groups.
  4. Remote access is implemented and controlled through an IPSec Concentrator.  Only one VPN network connection is allowed at a time. Remote connections and VPN users will be automatically disconnected from Holy Family University's network after 30 minutes of inactivity (idle timeout) and a maximum connection time of 10 hours. The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to circumvent these limits to keep the connection open.
  5. Please review the following policies for details of protecting information when accessing the university network via remote access methods, and acceptable use of Holy Family University's network: 
    1. Information Security Policy

    2. Electronic Communications Acceptable Use Policy

Requirements:

  1. Holy Family Employees must use a Holy Family-owned and managed laptop or desktop to access the network by VPN. Employee personal devices are not allowed.
  2. Only IT-approved VPN client software may be used.
  3. Secure remote access and VPN use must be strictly controlled. Control will be enforced via password authentication, token device, or public/private keys with strong passphrases.
  4. The user is responsible for selecting their personal Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees.
  5. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to Holy Family University internal networks. At no time should any Holy Family University employee, contractor, vendor, or agent provide their login or email password to anyone, not even family members.
  6. It is the responsibility of Holy Family University employees, contractors, vendors, and agents with remote access privileges to Holy Family University's network to ensure that their remote access connection is given the same security consideration as the user's on-site connection to Holy Family University and uphold the same security and privacy requirements for FERPA and HIPAA when working remotely. 
  7. Holy Family University employees and contractors with remote access privileges must ensure that their computer or workstation, which is remotely connected to Holy Family University's network, is not connected to any other network at the same time, with the exception of a personal/private network that is under the complete control of the user. For example, the user does not control the Starbucks wireless network.
  8. All computers connected to Holy Family University internal networks via VPN must include security software to detect and protect against viruses.
  9. Reconfiguration of a remote user's equipment for the purpose of split-tunneling or dual-homing is not permitted at any time
  10. Vendors using VPN connectivity with vendor-owned equipment must understand that their machines are a de facto extension of Holy Family University's network, and as such are subject to the same rules and regulations that apply to Holy Family University-owned equipment, i.e., their machines must be configured to comply with HFU IT’s Security Policies.
  11. Contractor or vendors performing work on Holy Family’s behalf must certify that their equipment meets the security and network requirements of Holy Family University, and must be approved by the Vice President of IT.
  12. Organizations or individuals who wish to implement non-standard hardware and security configurations for Remote Access to the Holy Family University production network must obtain prior approval from the Vice President of IT.

 

Definitions

VPN – Virtual Private Network