UMGC Policy X-1.11 Remote Access

Purpose

UMGC (the "University") understands the need of its Users to access University Information Resources from remote environments. The purpose of this policy is to protect University Information and Information Resources by providing the standards for remote access to computing resources as well as protect the University from inappropriate use and unauthorized disclosure.

Scope

This policy applies to all Users who remotely connect with or to University Information Technology Resources to access University Information and Information Resources.

Definitions

Defined terms are capitalized throughout this Policy and can be found in the Information Governance Glossary.

1. When remotely accessing University Information or Information Resources, Users must follow University security policies at all times including the UMGC X-1.12 Acceptable Use Policy.
2. Users must only connect remotely to University Information Resources for approved business use.
3. Users must follow the password and authentication requirements per the UMGC X-1.10 Identity and Access Management Policy.
4. All remote Information Technology Resources regardless of ownership must have the following appropriate security protections: 1. Up-to-date anti-virus software 2. Up-to-date operating system and relevant security patches 3. Firewall software, if technically feasible.
5. Only University authorized software shall be used. The University may remove any unauthorized software installed on the University's Information Technology Resources.
6. Remote access through VPN must be activated only when needed and must be deactivated immediately after it is no longer required.
7. Any User who suspects or becomes aware of a device used for remote access is lost, stolen, or otherwise removed from the Users' control must contact the UMGC technical support service desk as soon as possible by calling 1-888-360-8682, or emailing servicedesk@umgc.edu, or contacting the Sr. Director, Information Security at infosec@umgc.edu.
8. Any method of re-routing University traffic beyond the intended endpoint is prohibited unless authorized.
9. Users are not permitted to download or store Information considered confidential or containing PII on their personal remote Information Technology Resources. This includes the transfer of such data to a personal (i.e., non-UMGC managed) cloud storage or any mobile storage device.
10. All remote access is subject to monitoring and audit.

Exceptions

Exceptions to this policy should be submitted to the Sr. Director, Information Security at infosec@umgc.edu for review and approval. If an exception is requested a compensating control should be documented and approved.

1. Suspected violations will be investigated and may result in disciplinary action in accordance with University codes of conduct, policies, or applicable laws. Sanctions may include one or more of the following:
   1. Suspension or termination of access
   2. Removal of devices determined to be using the University's networking resources inappropriately or in violation of the Acceptable Use Policy.
   3. Termination of employment
   4. Student discipline in accordance with applicable University policies
   5. Civil or criminal penalties
2. Report suspected violations of this policy to infosec@umgc.edu, or to the appropriate Data Steward. Reports of violations are considered Confidential Data until otherwise classified.
3. The University reserves the right to disconnect any resource from University networks until suspected Security Incidents are resolved.

1. USM IT Security Standards, v.5, dated July 2022
2. NIST SP 800-171r2 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”, dated February 2020
3. Cybersecurity Maturity Model Certification (CMMC), v.2.0, dated December 2021

1. UMGC Policy X-1.02 Data Classification
2. UMGC Policy X-1.04 Information Security
3. UMGC Policy X-1.05 Information Security Awareness and Training 
4. UMGC Policy X-1.06 Information Security Incident Response 
5. UMGC Policy X-1.12 Acceptable Use
6. UMGC Policy X-1.19A Account Management (UMGC Learner Community)
7. UMGC Policy X-1.19B Account Management (UMGC Workforce)