Remote Access User Standard
Download the PDF version of the Remote Access User Standard.
Standard Information
Responsible Offices
IT Security Office (ITSO)
Additional Information
- Data Stewardship (University Policy Number 1114)
- Responsible Use of Computing (University Policy Number 1301)
- Information Technology Security Program (University Policy Number 1311)
- Information Technology Security Standard (ITS.ITS-STD003)
Document Control Number
ITS.ITSO-STD006
Last Reviewed Date
3/14/2024
Applies To
This standard applies to all remote access users.
Purpose
The purpose of this standard is to define the user’s requirements for connecting to George Mason University’s network from any host. These standards are designed to minimize the potential exposure to George Mason University from damages which may result from unauthorized use of George Mason University resources. Damages include the loss of highly sensitive or University confidential data, intellectual property, damage to public image, and damage to critical George Mason University internal systems.
Definitions
Highly Sensitive Data: Data that (1) could lead to identity theft or exposure of personal health information if exposed, or (2) has been identified by a researcher, funding agency, or research partner as requiring a high level of security protection.
Two-Factor Authentication (2FA): 2FA service is a higher-security login process, which provides a second layer of protection to a user’s identity, as well adding protection to data, systems, and services.
Standards
Level One (Applies to students)
- Remote access by students is limited to the BYOD (Bring Your Own Device) network established by Information Technology Services (ITS).
Level Two (Applies to all Mason employees and contractors requiring remote access to George Mason internal networks):
- It is the responsibility of all users with remote access privileges to ensure that unauthorized users are not allowed access to George Mason internal networks.
- All University owned computers, which connect to George Mason internal networks via remote access technologies, must use the most current version of the centrally supported anti-malware endpoint protection software. All personally owned computers must use a current industry standard anti-malware endpoint protection software that is configured to automatically update.
- All hosts that connect to George Mason internal networks via remote access technologies must have current security patches applied to their operating systems and software applications.
- All hosts, including personal computers, which connect to George Mason internal networks via remote access technologies must use a host firewall.
- Two-Factor Authentication (2FA) is required to authenticate all remote access VPN sessions connection to George Mason internal networks.
Level Three (Applies only to users accessing highly sensitive data):
In addition to Level Two requirements, the following applies to all users who require access to highly sensitive data and/or systems. For more information on what is considered highly sensitive data see the following website: https://its.gmu.edu/service/highly-sensitive-data/
- All computers accessing data and/or systems classified as restricted-highly sensitive must be University owned and managed by ITS supported enterprise endpoint management systems.
- All hosts that store highly sensitive data must utilize enterprise-managed full disk encryption. Where required based upon legitimate business need the user must request and be approved to store highly sensitive data. To request the right to store highly sensitive data see: https://its.gmu.edu/service/highly-sensitive-data/.
Exceptions
See exceptions and exemptions section in the University IT Security Standards: IT Security Standards – Information Technology Services (gmu.edu)
Timetable for Review
This standard will be reviewed every 2 years at a minimum.
Revision History
Version | Date | Organization/Author | Description of Changes |
---|---|---|---|
2.0 | 6/26/2018 | IT Security Office | Updates |
2.1 | 12/11/2019 | IT Security Office | Annual Review; Minor Revisions (reformatting, updated hyperlinks, corrected software tool name) |
2.2 | 2/16/2021 | IT Security Office | Annual Review; Minor Revisions (reformatting, revised specifics with broad terminology) |
2.3 | 3/16/2023 | IT Security Office | Annual Review; Minor Revisions (reformatting and updated URLs) |
2.4 | 3/14/2024 | IT Security Office | Annual Review: Minor updates to clarify Level 2 and Level 3 Standards and DCN to reflect ownership. |