Syracuse University's Secure Access Standard defines required tools and practices to ensure that faculty and staff can access University data from remote locations in a secure manner. University Data, which is fully defined in the Information Security Standard, can generally be grouped into three, broad categories:
Different security requirements apply to each of the categories of data. The objective of the University's secure data access standards is to keep University data on internal, secure systems whenever possible and apply high levels of security in the rare cases when sensitive data must be moved to or viewed on unmanaged systems.
Level 1 - Basic Minimum Computer Security Requirements:
The requirements below apply to all computers that are used to access University data.
At a minimum, all devices used to access University data must:
Desktops and Laptops:
Mobile Devices (smartphones/tablets):
ITS also highly recommends that all employees, who use their own computers to access University data, adhere to the safe computing practices.
Level 2 - Elevated Access with managed device - Computer Security Requirements:
Faculty and staff members who need access to university resources while using their university managed devices fall into this category. For this type of acecss:
IMPORTANT NOTE: Level 2 Computer Security Requirements presume that only university managed laptops are used to access campus and all of the enterprise and confidential data which the employee can access remains within campus boundaries (on campus servers/machines). If that is not the case, then the employee is required to adhere to Level 3 Computer Security Requirements.
Level 3 Elevated Access with an unmanaged endpoint (Maximum Requirements):
These requirements apply to faculty and staff who directly access enterprise and/or confidential data and/or transport such information off campus, either by using a remote computer or device, an unmanaged laptop computer, or any type of removable media.
Requirements for those who need direct, remote access to file shares containing enterprise data or other access that may bring the data onto the remote computer:
IMPORTANT NOTE: Level 3 security access should only apply to a small number of SU faculty and staff members.
Technical Note: When high-level security access involves Windows file shares, IT staff will need to customize the computer's VPN/SURA configuration. By default, staff members do not have access to AD file shares that hold home directories or other departmental shares. Faculty members currently do have such access.
For complete information on handling removable media, please review the following University standards:
Last Updated: 03/28/16