University of South Alabama VPN Policy

I.  Purpose

The purpose of this policy is to provide guidelines for remote access via Virtual Private Network (VPN) connections to the USA network.

II.  Scope

This policy applies to all USA Faculty and Staff utilizing a VPN to access the USA network.

III.  Policy

USA Virtual Private Network (VPN) service enables remote systems to connect to specified internal network resources directly.  Approved VPN users must abide by all guidelines described in this policy.

  • User access to VPN is subject to an approval process, and may only be granted with the combined authorization of the requestor’s dean or department head, the administrator(s) of the resources to be accessed, and the USA Director of Information Security.
  • The data owner (or designee) will review the request to determine if VPN access is appropriate for fulfillment of the employee’s job responsibilities and consistent with University data security policies.
  • It is the responsibility of the employee with VPN privilege to ensure that unauthorized persons are not allowed access to their VPN session or credentials.
  • Remote user-owned computers connected to the VPN service are subject to the same policies that apply to on-campus access, and should employ similar data security practices.
    • VPN User computers should have Anti-Virus software installed, an active firewall, and the operating system and all applications should have all updates applied. To run a health check on your system, please visit the “Tools” section at http://www.southalabama.edu/infosec .
    • Public wireless systems should only be used when absolutely necessary.
    • Public, shared use computers should NOT be used for VPN.
    • Computers accessing the VPN service should be dedicated to the VPN user and any personal computer used for VPN should require a logon.
    • VPN access to Banner or other systems which contain confidential data may be subject to additional approvals and restrictions.
    • RDP (Remote Desktop Protocol) access via VPN to employee workstations is not allowed.
  • Only VPN client applications authorized by the Computer Services Center (CSC) shall be used to connect to the VPN service.
  • All VPN connections are logged and associated with the user.
  • Use of VPN connections for collecting, downloading, or transferring confidential data, or to access resources for which the VPN user is not authorized, is prohibited. Per the USA Information Security Policy, it is a violation to store confidential data on portable storage devices, including USB keys and portable disks, unless such data is encrypted.
  • To request VPN access please contact the CSC Helpdesk .

 IV. Enforcement

This policy regulates the use of all VPN services to the USA network and users must comply with the Computer Use and Information Systems Security Policies .  VPN services will be terminated immediately if any suspicious activity is observed.  Service will remain disabled until the issue has been identified and resolved. Any USA employee found to have intentionally violated the VPN Acceptable Use Policy will be subject to loss of VPN privileges. By choosing to use the USA VPN service, you hereby agree to all terms and conditions listed above. Further information is contained in the University’s Information Security Policy, which may be accessed on the Information Technology Computer Policies section located at http://www.southalabama.edu/csc or in the main A-Z index at www.southalabama.edu/a-z.

 

Policy Creation Date: 11/16/2016

Revisions:      12/8/16 – In Policy (III) replaced Dean or Department head with data owner (bullet 2).                                                             7/17/17 – In Policy (III) added Remote Desktop Protocol restriction (bullet 4, sub-bullet 6).