University Policy Number 1313
Related Law & Policy:
- Policy 1114: Data Stewardship
- Policy 1301: Responsible Use of Computing
- Policy 1305: Requirements for Reporting Electronic Security Incidents
- Policy 1306: Banner and Related Administrative Systems Security
This policy applies to all academic and operational departments and offices at all university locations owned and leased. The policies and procedures provided herein apply to all university faculty, staff, students, visitors and contractors.
II. POLICY STATEMENT
Accessing from a remote location and logging into university information technology resources, such as servers, printers, routers, or computers, is only permitted through secure, authenticated and centrally managed access methods. Also, accessing university information that may be highly sensitive or restricted is only permitted through secure, authenticated and centrally managed access methods. Authorized users of the university’s computer systems, networks or databases are only permitted to remotely access these systems, networks or databases for conducting university-related business.
The purpose of this policy is to establish security controls over remote access to the university’s systems and data. This policy is intended to minimize the potential exposure to George Mason University from damages that may result from unauthorized use of university resources. Damages include the loss of university highly sensitive or restricted data, intellectual property, damage to public image, and damage to critical George Mason University internal systems. By complying with this policy, users will mitigate the risk of unauthorized individuals gaining access to the university’s networks and compromising the confidentiality, integrity and availability of sensitive systems and information resources.
An exception to this policy is the access of any university service that was set up by a responsible administrative unit to be accessed via the commodity Internet, rather than through a special centrally managed remote access service. Examples of exempt services include Patriot Web, the library’s electronic resources, most of the university’s web sites, e-mail, etc.
Remote Access to Highly Sensitive Data: Remote Access to systems that contain highly sensitive data as defined by the Data Stewardship Policy will conform to the additional requirements detailed in the Remote Access User Standard. Any suspected compromise or disclosure of highly sensitive data must be immediately reported to the IT Security Office, following procedures in University Policy Number 1305: Requirements for Reporting Electronic Security Incidents and for Data Breach Notification. Questions about possession or use of highly sensitive data outside the George Mason University environment should be referred to the IT Security Office.
Permitted Uses: Authorized users are only permitted to use George Mason’s Remote Access resources to conduct university-related business. The use of George Mason’s Remote Access resources for private business or commercial activities not specifically allowed by University policy is prohibited. ITS-supported Remote Access System must comply with the Remote Access Device Standard.
Host: A device connected to the Internet or another Internet Protocol (IP)-based network. The device is usually a computer, but could also be a printer or other shared resource, personal digital assistant (PDA), cell phone, or other network appliance.
Remote Access: Any access to George Mason University’s network through a device, medium or network that is not controlled by George Mason University.
Users: All university faculty, staff, students, visitors and contractors who are authorized to remotely access university resources must conform to George Mason University policies, procedures and standards when connecting to George Mason University’s network.
Information Technology Services: Information Technology Services is responsible for implementing, maintaining and developing standards for all remote access technologies.
Information Technology Security Office (ITSO): ITSO will maintain and update security requirements for remote access standards.
Access may be revoked at any time for reasons including non-compliance with security policies, request by the user’s supervisor or negative impact on overall network performance attributable to remote connections.
All requests for any exception to this policy must be formally assessed, approved and documented by the IT Security Office. Approved exceptions must be periodically reviewed by the ITSO. The exception will be granted for a period of no more than 1 year from the time the exception is granted. At the end of the year, the exception will be reviewed and either terminated or renewed for another period. Requests for exception may be revoked in the event of a security incident or policy violation using established incident response procedures.
Failure to honor the requirements set forth in this policy may result in disciplinary or administrative action.
VI. EFFECTIVE DATE AND APPROVAL
The policies herein are effective October 1, 2011. This Administrative Policy shall be reviewed and revised, if necessary, annually to become effective at the beginning of the University’s fiscal year, unless otherwise noted.
Maurice W. Scherrens
Senior Vice President
Peter N. Stearns
Date approved: September 26, 2011
Revised: January 29, 2013
Revised: February 17, 2017
Revised: July 6, 2018