Remote Access for IT Personnel- Standard

 


Purpose

This Standard supports and supplements the University of Central Oklahoma’s (“University” or “UCO”) Information Security Policy. The standard is mandatory and enforced in the same manner as policy. It will be periodically reviewed and updated as necessary to meet changes in legal and regulatory requirements.

The University recognizes that units and individuals at UCO operate in diverse and complex environments. In the event direct or in-person logon or interaction with a system is not feasible, UCO is committed to assisting individuals and units in the completion of their objectives while providing for appropriate protection of institutional information assets.

Scope

This Standard applies to:

  1. All divisions, colleges and units established by the University that exercise any information technology (IT) function relating to the mission of the University except for those specifically exempted in writing by the senior leadership (as defined in the information security policy) of the University.

  2. Faculty, staff, and students; academic and administrative units; affiliated entities, agents, contractors, and volunteers of the University, members of the community who use and/or administer University computer and telecommunications systems, or any information system (IS) or system asset (as defined in the information security policy) that connects directly or indirectly to any University owned, leased, contracted, or operated computer or telecommunication system.

Standard Details

REMOTE LOGON AND INTERACTION DEFINED:

Remote logon and interaction is defined as any activity such as logon or user interaction with a University Information System (“IS”) (as defined by the information security policy) through the use of, but not limited to, SSH, SSL/TLS, RDP, VM (either persistent or non-persistent), or any other means used to gain access to an IS in order to conduct tasks as a system administrator (SA), service owner, or person(s) responsible for the operation, maintenance, and upkeep of an IS.

REMOTE ACCESS AND INTERACTION:

Individuals who are authorized to remotely access or interact with University IS shall adhere to the following requirements for their access and interaction to be considered authorized and acceptable:

  1. Authorized users must initiate, maintain, and terminate all remote access and interaction activity from within their individually assigned administrative workstation (“ADMIN VM”).

  2. Authorized users will not share access to their ADMIN VM with anyone else nor use the credentials of anyone else at any time. Screen sharing for the purposes of performing authorized activity is permitted.

ADMINISTRATIVE VIRTUAL MACHINE:

Individuals who are authorized, as a part of their scope of work, to perform administrative functions or other actions requiring elevated or privileged level access to any IS, are authorized to have up to two (2) ADMIN VMs to support their job duties. This administrative workstation is to be used for interacting with systems or applications to which they are assigned. MFA is required as an additional logon requirement.

It is the responsibility of the individual to request an ADMIN VM and supply all necessary information required for the build in the service request.

Standard Violations

  1. Failure to comply with this standard or other University policies will result in disciplinary action, up to and including termination of employment and/or enrollment. All persons to whom these guidelines are applicable, as stated above, are responsible for adhering to these rules.

  2. All supervisory personnel are responsible for ensuring that these guidelines are adhered to within their respective areas of responsibility. Any user may report University policy or law violations to their immediate supervisor, to representative faculty or school personnel, or by using UCOMMENT.

Change Log

Version | Date | New | Original

Approvals

Approved By: Jeff Miller

Date: February 9, 2023

Description: Initial Policy Release