Responsible Office: Office of Cybersecurity |
Last Review: 08/18/2022 Next Review: 08/18/2024 |
Contact: Chris Madeksho |
Phone: 901.448.1579 Email: mmadeksh@uthsc.edu |
Purpose
The purpose of this Practice is to provide access via Virtual Private Network (VPN) connections to the UTHSC network from remote hosts, untrusted hosts, and remote networks via VPN to minimize the potential exposure from unauthorized access to UTHSC resources. This standard is also designed to meet compliance requirements for data regulated by federal or state law. This includes, but is not limited to, security requirements and safeguards for the Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act (HIPAA), or Gramm- Leach-Bliley Act (GLBA).
Scope
This practice applies to all remote access via VPN connections to the UTHSC network from remote and/or untrusted devices and networks.
Definitions
UTHSC ITS – Information Technology Services of UTHSC
VPN – “Virtual Private Network”, is a tool used to connect securely to the UTHSC network from off-campus in order to access internal resources.
Responsibilities
UTHSC Information Technology Services (ITS) is responsible for managing and maintaining the VPN applications.
UTHSC Community members given access to UTHSC resources are responsible for abiding by this Practice when using the UTHSC VPN.
The Office of Cybersecurity is responsible for granting exceptions to VPN access and maintaining a list of users authorized to access UTHSC via the VPN.
Practice
- Only approved UTHSC faculty/staff and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs.
- VPN is a “user managed” service, meaning that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees.
- VPN Access is granted on an “as needed” basis. Access may be granted to groups of users when a need is well documented. All other persons must to apply for VPN access using the VPN Access Request Form found in TechConnect. Instructions on requesting access is found on the VPN website (https://uthsc.edu/vpn/).
- Users with VPN privileges must ensure that unauthorized users are not allowed access to UTHSC internal networks via the user’s VPN.
- Dual tunneling (also called split tunneling) is NOT permitted; only one network connection is allowed. All traffic during the VPN connection will go through the UTHSC network and will be subject to the same controls as Intranet traffic.
- VPN Concentrators/Gateways are installed and managed by the UTHSC Information Technology Services (ITS).
- For workstations (desktops and laptops), only the ITS approved VPN client may be used.
- Any device and/or network connected via VPN to the UTHSC network is subject to the policies, standards, and practices that apply to UTHSC-owned equipment, i.e., devices must be configured to comply with all UTHSC Security Policies and must accept any Network Access Control agents required for enforcement of these policies and standards.
- All computers connected to UTHSC internal networks via VPN, or any other technology must use up-to-date anti-virus software.
- All computers connected to UTHSC internal networks via VPN must have the latest operating system security patches applied.
- VPN use is controlled minimally using password management and two- factor authentication.
- Failure to comply with this policy will be reported as an information security violation and may result in loss of network and system privileges for the computer and/or disciplinary action per Practice-InfoSec-GP-001.04- Information Security Violations for the individual violating the policy.
- Exceptions to this Practice should be requested using the process outlined in GP-001.02 Security Exceptions and Exemptions to ITS Standards and Practices.
References
- AC-001-Access Control
- AC-002-Authentication
- AC-002.02-Password Management and Complexity
- GP-001.02 Security Exceptions and Exemptions to ITS Standards and Practices
- Practice-InfoSec-GP-001.04-Information Security Violations