Remote Access User Standard


Standard Information

Responsible Offices

IT Security Office (ITSO)

Additional Information
Document Control Number

ITS.ITS-STD006

Last Reviewed Date

3/16/2023

Applies To

This standard applies to all remote access users.

Note to All Users

Helper text in white table cells bounded by “< >” is designed to help the user with content. Once the user starts typing, the helper text will automatically be overwritten and removed. Text in table cells shaded gray is fixed and shouldn’t be edited.

Purpose

The purpose of this standard is to define the user’s requirements for connecting to George Mason University’s network from any host. These standards are designed to minimize the potential exposure to George Mason University from damages which may result from unauthorized use of George Mason University resources. Damages include the loss of highly sensitive or university confidential data, intellectual property, damage to public image, and damage to critical George Mason University internal systems.

Definitions

Highly Sensitive Data: Data that (1) could lead to identity theft or exposure of personal health information if exposed, or (2) has been identified by a researcher, funding agency, or research partner as requiring a high level of security protection.

Two-Factor Authentication (2FA): 2FA service is a higher-security login process, which provides a second layer of protection to a user’s identity, as well as adding protection to data, systems, and services.

Standards

Level One (Applies to students):
  1. Remote access by students is limited to the BYOD (Bring Your Own Device) network established by Information Technology Services (ITS).

Level Two (Applies to all Mason employees and contractors requiring remote access to George Mason internal networks):
  1. It is the responsibility of all users with remote access privileges to ensure that unauthorized users are not allowed access to George Mason internal networks.
  2. All hosts, including personal computers, which connect to George Mason internal networks via remote access technologies, must use the most current version of the centrally supported anti-virus program for specific operating systems.
  3. All hosts that connect to George Mason internal networks via remote access technologies must have current security patches applied to their operating systems and software applications.
  4. All hosts, including personal computers, which connect to George Mason internal networks via remote access technologies must use a host firewall.
  5. Two-factor authentication (2FA) is required to authenticate all remote access VPN sessions connecting to George Mason’s internal networks.

Level Three (Applies only to users accessing highly sensitive data):

In addition to Level Two requirements, the following applies to all users who require access to highly sensitive data and/or systems. For more information on what is considered highly sensitive data see the following website: https://its.gmu.edu/working-with-its/it-security-office/highly-sensitive-data/

  1. All hosts must be University-owned and managed systems; all Windows and Mac hosts must be centrally managed by ITS-supported enterprise endpoint management systems.
  2. All hosts that store highly sensitive data must utilize enterprise-managed full disk encryption where available. Where required based upon legitimate business need, the user must request explicit permission to store the data. Contact the ITS Support Center to request permission to store highly sensitive data: https://its.gmu.edu/knowledge-base/how-does-someone-begin-the-process-of-obtaining-authorization-to-store-highly-sensitive-data-hsd/.

Exceptions

None

Timetable for Review

This standard will be reviewed each year.

Revision History

Version | Date | Organization/Author | Description of Changes
2.0 | 6/26/2018 | IT Security Office | Updates
2.1 | 12/11/2019 | IT Security Office | Annual Review; Minor Revisions (reformatting, updated hyperlinks, corrected software tool name)
2.2 | 2/16/2021 | IT Security Office | Annual Review; Minor Revisions (reformatting, revised specifics with broad terminology)
2.3 | 3/16/2023 | IT Security Office | Annual Review; Minor Revisions (reformatting and updated URLs)