3.2.13 Remote Work
Purpose
This procedure outlines the requirements for secure access to Piedmont University information, networks, and computing resources by authorized remote workers. This arrangement is known as “teleworking” or “remote working.”
Procedure
All University employees, contractors, or vendors (“users”) approved to work from remote locations must have been approved VPN Access via a helpdesk ticket if the worker requires access to data classified as Restricted/Sensitive or needs access to the University’s network resources.
Compliance Requirements
- Users must maintain the same system security policies and procedures required when working on-site, including, but not limited to:
- Compliance with software license agreements.
- Hard disk encryption.
- Updated anti-virus software.
- Fully patched operating system software.
- Recommended timeouts for idle remote connections and pc logins.
Adherence to Piedmont University’s Acceptable and Appropriate Use Policy.
Physical documents containing data defined in the Data Classification and Data Handling Policy as Restricted or Sensitive should not be brought to or stored at remote work locations or printed at remote working locations.
Alternative Work Sites
At remote work locations, users working on university business should use an approved computer and network equipment. Personally owned remote work devices should require the remote worker to log in to the device under a profile specific to them and not used by any other person who may have access to the personal device.
If a user intends to travel internationally, they must contact OIT to get pre-approval if remote access from international countries is expected.
The approval will be made on a case-by-case basis.
Access Control
Logging-Out - After a remote worker has completed a remote session with Piedmont systems, the worker must log off an established VPN connection and log out of the device.
Encryption and Data Protection - All computers used for remote working (including laptops, notebooks, and other transportable computers) which contain data defined as Restricted according to the Data Classification Policy must consistently employ hard disk encryption for all data files. This essential control must be provided through software or hardware systems approved by the Office of Information Technology. Personal, handheld computers, tablets, laptops, smartphones, etc., must not be used to handle Restricted organizational information unless the device has been configured with the necessary controls (including encryption) approved by the Office of Information Technology.
Sharing Access Devices and Systems - Remote workers must not share assigned access tokens, credentials, or passwords with anyone by the university’s Acceptable and Appropriate Use Policy. This means that a remote computer used for university business should be used exclusively by the user. Family members, friends, and others should not be permitted to use the device. Remote workers should never lend to others any handheld computer, laptop, tablet, smartphone, or another computer that stores information about Piedmont University business activities.
Remote Access And Systems Management
As part of connecting remotely to the organization’s network, it is required that any device used for that connection install and maintain software to ensure that the security controls are applied, and the management of the controls is maintained. Software that is covered by this policy includes, but is not limited to:
OIT-provided VPN software,
Malware and Threat Detection,
Vulnerability and Software compliance scanning.
This procedure regulates all VPN services to the Piedmont network and must comply with the Acceptable Use Policy to use this service. To maintain security, VPN services will be terminated immediately if any suspicious activity is found. Services may also be disabled until the issue has been identified and resolved.
Violations
Any violation of this policy may result in disciplinary action. Piedmont University reserves the right to notify the appropriate law enforcement authorities of any unlawful activity and to cooperate in any investigation of such activity.
Definitions
Restricted Information – Any PIEDMONT-related data defined in the Data Classification and Handling Policy as Restricted.
Mobile Computing Devices - Mobile computing assets include but are not limited to, laptops, notebooks, tablets, desktop computers, all personal wireless-enabled devices, including pagers, cellular phones, mobile email devices, PDAs, and other hybrid devices, and all portable storage media, including flash drives, smart cards, tokens, etc.
Password – An arbitrary string of characters chosen by a user to authenticate the user when he attempts to log on to prevent unauthorized access to his account.
Third-Party – Any non-employee of Piedmont contractually bound to provide services to Piedmont University.
User - Any Piedmont University employee or Third-Party authorized to access any Piedmont University electronic information resource.
Reference
Acceptable and Appropriate Use
Data Classification and Handling