
Virtual Private Network (VPN) Policy

Version 2

02/24/2020

University of Dallas 2020 – All Rights Reserved Page 1


Disclaimer

This policy will apply in all locations where University of Dallas operates, including where local regulations do not exist, to all forms of information – both electronic and physical – and to all systems used to collect, store, process or transfer information.

1. Purpose

1.1. The Virtual Private Network policy intends to provide guidance for remote network access to University of Dallas students, staff, and third-party affiliates. It is the aim of the university to provide secure access to credentialed persons under proper governance and/or security architecture.

2. Scope

2.1. This policy applies to all University of Dallas employees, professors, instructors, contractors, consultants, temporary, and other workers including all personnel affiliated with third parties utilizing VPNs to access the University of Dallas network.

3. Policy

3.1. Approved University of Dallas staff members and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs, which are a "user managed" service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees.

3.2. It is the responsibility of staff members with VPN privileges to ensure that unauthorized users are not allowed access to University of Dallas internal networks.

3.3. VPN use is to be controlled by the user’s credentials, as managed by the user on university workstations or UD information technology.

3.4. When actively connected to the university network (hard-wired), VPN connections will be dropped.

3.5. VPN connectivity will be set up and managed by the University of Dallas network and information technology teams.


3.6. All computers connected to the University of Dallas internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is in alignment with the University of Dallas technical specifications, or usage will not be permitted.

3.7. Only VPN clients pre-approved by the university’s information technology team may be used.

4. Policy Compliance

4.1. Compliance Measurement

4.1.1. The information technology team will verify compliance with this policy through various methods, including but not limited to periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and feedback to the VPN policy committee.

4.2. Exceptions

4.2.1. Any exception to the policy must be approved by the University of Dallas IT governance counsel.

4.3. Non-Compliance

4.3.1. A staff member found to have violated this policy may be subject to disciplinary action, up to and including termination of employment and/or academic discipline.

5. Related Standards, Policies and Processes

5.1. NIST 800-77

5.2. University of Dallas General Acceptable Use Policy

5.3. University of Dallas Cloud Storage and Distribution of Sensitive Information Policy

5.4. University of Dallas Single Sign On Policy

6. Definitions and Terms

Definitions of terms used in this policy can be found in the SANS Glossary located at: www.sans.org/security-resources/glossary-of-terms/

6.1. Virtual Private Network (VPN): an access point into an entity where an individual can access a specific network for work or academic related functions only.

6.2. IPsec: a standard used to authenticate access into a virtual private network; it also provides for data at rest and data in motion.


7. Revision History

Date of Revision    Responsible       Summary of Change
2/2/2020            UD Policy Team    Updated and converted to new format.
2/24/2020           Blake Palmer      Updated phrasing and policy guidelines
