Syracuse University's Remote Access Security Standard defines required tools and practices to ensure that faculty and staff can access University data from remote locations in a secure manner. University Data, which is fully defined in the Information Security Standard, can generally be grouped into three, broad categories:
- Confidential Data: This category includes the most sensitive data (example: Social Security numbers) and requires special protection.
- Enterprise Data: This category also includes sensitive information (example: business records) that must be protected.
- Public Data: This information is generally widely disseminated and can be accessed without higher levels of security protection.
Different security requirements apply to each of the categories of data. The objective of the University's security standards is to keep University data on internal, secure systems whenever possible and apply high levels of security in the rare cases when sensitive data must be moved out of internal systems.
Level 1 or Minimum Computer Security Requirements:
The requirements below apply to all computers that are used to access University data from remote locations. Faculty and staff who only need to meet these minimum requirements include those who only need SU "public" services. Such services include www.syr.edu and other public web sites, Myslice "self service" functions, Outlook/Exchange e-mail, and departmental Terminal Servers, among others.
Terminal server is easy to use and enables all University data to remain on internal, secure systems.
At a minimum, all remote computers must:
- Be built and maintained by the employee or by University IT staff. University employees should not access University data from public workstations, Web cafes, kiosks, etc. Such public machines are not secure and may result in employees' login credentials (NetID and password) being compromised.
- Computers must be running antivirus software that is automatically updated on a daily basis.
- Computers must be updated with the latest operating system security patches and be set to automatically update the operating system on a regular basis.
ITS also highly recommends that all employees, who use their own computers to access University data, adhere to the following safe computing practices:
- Use a personal firewall.
- Use spyware removal software.
- Download and apply security updates for common applications, such as Adobe Acrobat, Quick Time, Firefox, Microsoft Office, and AIM. These applications are often used as a gateway for attacks from the Internet against personal computers and for obtaining private information stored on the computer.
- Be extremely careful about downloading software from "freeware/shareware" Web sites. Software that is not provided by a reputable vendor often contains spyware and other malicious code.
Level 2 Computer Security Requirements:
Faculty and staff members who need remote access to their desktop computers, to MySlice administrative functions, or to other protected services are required to use the University's VPN service. Details about connecting to University resources with the VPN can be found on the ITS Secure Connections to Campus Resources web page. VPN builds an encrypted, virtual tunnel from a client's computing device to the University's network, and, by doing so, protects the privacy of the data that is exchanged over the Internet between the device and the SU network. It also provides access to services not directly available from the Internet.
IMPORTANT NOTE: Level 2 Computer Security Requirements presume that all of the enterprise and confidential data which the employee can access remains within campus boundaries (on campus servers). If that is not the case, then the employee is required to adhere to Level 3 Computer Security Requirements.
Level 3 Computer Security Requirements (Maximum Requirements):
These requirements apply to faculty and staff who directly access enterprise and/or confidential data and/or transport such information off campus, either by using a remote computer or device, a laptop computer, or any type of removable media.
Requirements for those who need direct, remote access to file shares containing enterprise data or other access that may bring the data onto the remote computer:
- The user of the remote computer must normally work with "user rights." Full "administrator" or "root" privileges can only be used when needed to install software or to make system changes. This will greatly reduce the chances of malicious software taking control of the machine.
- The computer must be managed by University IT staff.
- Whole disk encryption must be applied to the system and must be installed by University IT staff. In some limited cases, this requirement can be waived. Exceptions to this requirement are outlined in the University's Information Security Standard (hotlink to http://its.syr.edu/security/standards/ITSecurity-standard.pdf.
Requirements for access to confidential data:
- Whole disk encryption may not be waived.
- Approval for such access/transport must be granted by the data custodian or delegate.
IMPORTANT NOTE: Level 3 security access should only apply to a small number of SU staff and even fewer faculty members. Level 3 security requirements currently apply to all staff members who need access to confidential data. The requirements are currently being waived for faculty members until a new process is implemented for determining when a faculty member is handling highly sensitive information that requires the highest levels of security protections.
Technical Note: When high-level security access involves Windows file shares, IT staff will need to customize the computer's VPN/SURA configuration. By default, staff members do not have access to AD file shares that hold home directories or other departmental shares. Faculty members currently do have such access.
For complete information on handling removable media, please review the following University standards: