Remote Access User Standard

Standard Information

Responsible Offices

IT Security Office (ITSO)

Additional Information
Document Control Number

ITS.ITS-STD006

Last Reviewed Date

3/14/2024

Applies To

This standard applies to all remote access users.

Purpose

The purpose of this standard is to define the user’s requirements for connecting to George Mason University’s network from any host. These standards are designed to minimize the potential exposure to George Mason University from damages which may result from unauthorized use of George Mason University resources. Damages include the loss of highly sensitive or University confidential data, intellectual property, damage to public image, and damage to critical George Mason University internal systems.

Definitions

Highly Sensitive Data: Data that (1) could lead to identity theft or exposure of personal health information if exposed, or (2) has been identified by a researcher, funding agency, or research partner as requiring a high level of security protection.

Two-Factor Authentication (2FA): 2FA service is a higher-security login process, which provides a second layer of protection to a user’s identity, as well as adding protection to data, systems, and services.

Standards

Level One (Applies to students)
  1. Remote access by students is limited to the BYOD (Bring Your Own Device) network established by Information Technology Services (ITS).
Level Two (Applies to all Mason employees and contractors requiring remote access to George Mason internal networks):
  1. It is the responsibility of all users with remote access privileges to ensure that unauthorized users are not allowed access to George Mason internal networks.
  2. All University owned computers, which connect to George Mason internal networks via remote access technologies, must use the most current version of the centrally supported anti-malware endpoint protection software. All personally owned computers must use a current industry standard anti-malware endpoint protection software that is configured to automatically update.
  3. All hosts that connect to George Mason internal networks via remote access technologies must have current security patches applied to their operating systems and software applications.
  4. All hosts, including personal computers, which connect to George Mason internal networks via remote access technologies must use a host firewall.
  5. Two-Factor Authentication (2FA) is required to authenticate all remote access VPN sessions connecting to George Mason internal networks.
Level Three (Applies only to users accessing highly sensitive data):

In addition to Level Two requirements, the following applies to all users who require access to highly sensitive data and/or systems. For more information on what is considered highly sensitive data see the following website: https://its.gmu.edu/service/highly-sensitive-data/

  1. All computers accessing data and/or systems classified as restricted-highly sensitive must be University owned and managed by ITS supported enterprise endpoint management systems.
  2. All hosts that store highly sensitive data must utilize enterprise-managed full disk encryption. Where required based upon legitimate business need the user must request and be approved to store highly sensitive data. To request the right to store highly sensitive data see: https://its.gmu.edu/service/highly-sensitive-data/.

Exceptions

See exceptions and exemptions section in the University IT Security Standards: IT Security Standards – Information Technology Services (gmu.edu)

Timetable for Review

This standard will be reviewed every 2 years at a minimum.

Revision History

Version | Date | Organization/Author | Description of Changes
2.0 | 6/26/2018 | IT Security Office | Updates
2.1 | 12/11/2019 | IT Security Office | Annual Review; Minor Revisions (reformatting, updated hyperlinks, corrected software tool name)
2.2 | 2/16/2021 | IT Security Office | Annual Review; Minor Revisions (reformatting, revised specifics with broad terminology)
2.3 | 3/16/2023 | IT Security Office | Annual Review; Minor Revisions (reformatting and updated URLs)
2.4 | 3/14/2024 | IT Security Office | Annual Review: Minor updates to clarify Level 2 and Level 3 Standards and DCN to reflect ownership.