Remote Access Information Security Standard
Remote Access refers to the ability to access TU's resources using the Internet. Students, faculty and staff connecting remotely are responsible for using approved and secure methods to help safeguard university data.
In addition to the following remote access information security safeguards, any data covered by federal laws, state laws, regulations or contractual agreements must meet the security requirements defined by those laws, regulations, or contracts.
Definitions
- Data Classification – how TU categorizes data and guidance on the proper handling of that data.
- Remote Access – accessing TU's information systems using an internet connection (e.g., home network), or TU’s Wi-Fi network.
- Remote Access Solutions – methods used to access TU's resources: Remote Access Gateway-also referred to as Remote Desktop Protocol or Remote Desktop (RDG or RDP), Virtual Private Network (VPN) and Virtual Workspace (VW).
- University Devices (UD) - devices owned and managed by Towson University. Also referred to as TU device.
- Personal Devices (PD) – devices owned and managed by employees. Also referred to as Bring Your Own Device (BYOD).
- TU Internet-Facing Applications - the university's information systems, including Software as a Service (SaaS) applications, available over the internet via a web browser (e.g., PeopleSoft, Blackboard, Office365, etc.).
Safeguards
General Use
- Approved forms of remote access are Remote Access Gateway, Virtual Private Network and Virtual Workspace. Use Remote Access Gateway and Virtual Workspace whenever possible.
- Use secure Wi-Fi. Don’t access TU resources on free Wi-Fi.
- Faculty and staff should connect to the Virtual Private Network (VPN) with a university device only (i.e., TU issued laptop).
- Ensure the remote network (non-TU network) is secure.
- Authenticate with Duo Multi-Factor Authentication when using RDG, VPN, VW and accessing information systems with confidential data.
REmote access by device type
| Access Method | Data Classification: Public-Level 1 | Data Classification: Protected-Level 2 | Data Classification: Confidential-Level 3 |
|---|---|---|---|
| Remote Desktop Gateway |
TU device: yes, personal device: yes |
TU device: yes, personal device: yes |
TU device: yes, personal device: yes |
| Virtual Private Network |
TU device: yes, personal device: no |
TU device: yes, personal device: no |
TU device: yes, personal device: no |
| Virtual Workspace | TU device: yes, personal device: yes | TU device: yes, personal device: yes | TU device: yes, personal device: yes |
| Internet-facing Application (PeopleSoft, Stratus, etc.) | TU device: yes, personal device: yes | TU device: yes, personal device: yes | TU device: yes, personal device: no |
Handling Data
- Read and follow TU’s Data Use Standard (PDF).
- Do not access confidential data on public networks (e.g., coffee shop Wi-Fi).
- Do not save confidential data to local hard drives under any circumstance.
- If accessing information systems such as PeopleSoft from a personal device, do not save or export any confidential data.
- Accessing confidential data is not permitted from personal devices unless using Remote Access Gateway or Virtual Workspace.
- Do not store any protected or confidential TU data on personal devices.
Securing Devices
UNIVERSITY DEVICES
- University devices (such as laptops) are actively managed by the university to ensure a current operating system and proper protections such as antivirus, local firewall and up-to-date security patches are in place.
- University-owned desktops are not to be taken off campus.
- Only use a NetID to login to the UD (local user and/or administrator accounts are not permitted without an approved exception).
Personal Devices
- Use Microsoft 365 (web version) to access applications like Outlook, OneNote, etc.
- Make sure personal devices have a current operating system with up-to-date security patches (installed within 30 days of release).
- Have functioning antivirus software installed on the device.
Support
Questions, comments or requests for exceptions to this standard should be directed to the Office of Technology Services (OTS) by submitting a TechHelp service request.