Remote Access to IT Resources (VII.B.4)
Volume VII: Information Technology
Chapter B: Security
Responsible Executive: Vice President for Information Technology
Responsible Office: Office of the Vice President for Information Technology
Date Issued: May 24, 2005
Date Last Revised: November 18, 2011
TABLE OF CONTENTS
Statement of Policy
Reason for This Policy
Individuals and Entities Affected by This Policy
Who Should Know This Policy
Web Site Address for This Policy
Related Documents, Forms, and Tools
History and Updates
Remote access to Purdue University IT Resources must be accomplished in a manner that enables business, academic, and research activity, while preventing unauthorized access and protecting University IT Resources.
Remote access to IT Resources, unless otherwise specifically denied, is permitted under this policy. Nothing in this policy prevents university IT Resource owners, central and departmental IT units, or other designated individuals from implementing policies, standards, or guidelines related to Remote Access to university IT Resources or computing device use within their areas of responsibility.
Controlled access to IT Resources is essential for Purdue University to continue its mission of learning, discovery, and engagement. This policy describes the appropriate measures necessary for accessing Purdue University IT Resources from Remote Hosts.
This policy is guided by the following objectives:
- Preserve Purdue University’s ability to operate and maintain its IT Resources;
- Protect the security and functionality of university IT Resources and the data stored on those resources;
- Safeguard the privacy, property, rights, and data of users of university IT Resources;
- Preserve the integrity and reputation of the University;
- Comply with applicable federal, state, and local laws; and
- Comply with applicable university policies, standards, guidelines, and procedures.
This policy covers students, faculty, staff, and all individuals or entities using any university IT Resource and all uses of such IT Resources.
Department Heads and Chairs
Faculty and Staff
Non-employee users of Remote Access to university IT Resources
Purdue University information security policies institute controls that are used to protect Purdue University data and IT Resources. While every exception to a policy or standard weakens protection for IT Resources and underlying data, occasionally exceptions will exist. The Security Policy Exception Procedure must be used when requesting an exception to Purdue University information security policies. The Chief Information Security Officer, or his or her designee, will approve or deny any request for an exception.
|Policy Clarification||ITaP Networks and Securityemail@example.com|
All tangible and intangible computing and network assets provided by or for the University to further its mission of discovery, learning, and engagement. Examples of such assets include, but are not limited to, hardware, software, wireless access, network bandwidth, mobile devices, electronic information resources, printers, and paper.
Protected Health Information
Health information in any form that can be connected to a patient, including the individual's past, present, or future physical or mental health or condition, the provision of healthcare to the individual, or the past, present, or future payment for the provision of healthcare to the individual.
Access to Purdue University IT Resources from an electronic or other device not directly connected to the Purdue University wired or wireless networks, but not including accesses to such IT Resources where Remote Access is considered a primary function and normative use. For example, use of a Web browser to remotely access a Purdue University Web page is not covered by this policy.
An electronic or other device used for Remote Access.
Any user of IT Resources from a Remote Host.
Ensure that reasonable measures have been taken to secure the Remote Host used to access Purdue University IT Resources.
Prior to accessing IT Resources, follow this policy and any related standards and security requirements for any Remote Host. Remote Users must also follow any guidelines, procedures, or other requirements for Remote Access issued by their departmental IT units and/or owners of the IT Resource(s) to be remotely accessed.
Follow applicable university policies pertaining to data security and use, including but not limited to, the University’s Data Handling Requirements and any guidelines issued by the HIPAA Privacy Compliance Office for Remote Access to Protected Health Information.
Centralized and Departmental IT Units and IT Resource Owners (and designees)
Ensure that reasonable measures have been taken to secure university IT Resources within their areas of responsibility that are to be remotely accessed.
Implement and monitor compliance with this policy and related standards on university IT Resources within their areas of responsibility.
ITaP Networks and Security will facilitate the establishment and maintenance of standards and technical reference materials to support this policy and post such information online.
Departmental IT units must follow standards issued by ITaP Networks and Security in support of this policy. Departmental IT units may also issue additional guidelines, procedures, or other requirements as necessary to secure departmental IT Resources which are to be remotely accessed. Specific reference materials for implementing security measures may vary from campus to campus or department to department.
In the event that an IT unit does not believe it can fulfill the requirements of this policy or its related standards and guidelines, the unit must request a policy exception using the Security Policy Exception Procedure.
Violations of this policy may result in disciplinary action or sanctions in accordance with university policy and procedures and applicable state and federal laws.
University IT policies:
Standards supporting the implementation of this and other university IT policies:
Security Policy Exception Procedure:
HIPAA Privacy Compliance Office:
November 18, 2011: Policy number changed to VII.B.4 (formerly V.1.6) and website address updated.
March 1, 2010: Significant revisions have been made to update this policy from its original interim version (issued May 24, 2005). It also has been formatted in the current policy template.
There are no appendices to this policy.