Responsible Office: Office of Cybersecurity |
Last Review: 03/01/2025 Next Review: 03/01/2027 |
Contact: Chris Madeksho |
Phone: 901.448.1579 Email: mmadeksh@uthsc.edu |
Purpose
To provide access to the University of Tennessee Health Science Center (UTHSC) network from remote hosts, untrusted hosts, and remote networks via Virtual Private Network (VPN) connections, while minimizing the potential exposure from unauthorized access to UTHSC resources.
Scope
This practice applies to all remote access via VPN connections to the UTHSC network from remote and/or untrusted devices and networks.
Definitions
UTHSC ITS – Information Technology Services of UTHSC
VPN – Virtual Private Network, a tool used to connect securely to the UTHSC network from off campus to access internal resources.
Responsibilities
UTHSC Information Technology Services (ITS) is responsible for managing and maintaining the VPN applications.
UTHSC Community members given access to UTHSC resources are responsible for abiding by this Practice when using the UTHSC VPN.
The Office of Cybersecurity is responsible for granting exceptions to VPN access and maintaining a list of users authorized to access UTHSC via the VPN.
Practice
- Only approved UTHSC faculty/staff and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs.
- VPN is a “user-managed” service, meaning that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees.
- VPN Access is granted on an “as needed” basis. Access may be granted to groups of users when a need is well-documented. All other persons must apply for VPN access using the VPN Access Request Form found in TechConnect. Instructions on requesting access are found on the VPN website (https://uthsc.edu/vpn/).
- Users with VPN privileges must ensure that unauthorized users are not allowed access to UTHSC internal networks via the user’s VPN.
- Dual tunneling (also called split tunneling) is NOT permitted; only one network connection is allowed. All traffic during the VPN connection will go through the UTHSC network and will be subject to the same controls as Intranet traffic.
- VPN Concentrators/Gateways are installed and managed by the UTHSC Information Technology Services (ITS).
- For workstations (desktops and laptops), only the ITS-approved VPN client may be used.
- Any device and/or network connected via VPN to the UTHSC network is subject to the policies, standards, and practices that apply to UTHSC-owned equipment, i.e., devices must be configured to comply with all UTHSC Security Standards and must accept any Network Access Control agents required for enforcement of these policies and standards.
- All computers connected to UTHSC internal networks via VPN, or any other technology, must use up-to-date anti-virus software.
- All computers connected to UTHSC internal networks via VPN must have the latest operating system security patches applied.
- At a minimum, VPN use is controlled using password management and two-factor authentication.
- Failure to comply with this policy will be reported as an information security violation and may result in loss of network and system privileges for the computer and/or disciplinary action per IT0003-HSC-A.03-Information Security Violations for the individual violating the policy.
- Exceptions to this Practice should be requested using the process outlined in IT0003-HSC-A.02-Security Exceptions and Exemptions to ITS Standards and Practices.
Version # | Effective Date |
1 | 09/30/2017 |
2 | 03/23/2020 |
3 | 08/18/2022 |
4 | 08/18/2022 |
5 | 03/01/2025 – new naming convention |
References
- IT0311-Information Technology Data Access, Management, and Recovery
- IT0003-HSC-A.02-Security Exceptions and Exemptions to ITS Standards and Practices
- IT0003-HSC-A.03-Information Security Violations
- IT0311-HSC-A-Access Controls
- IT0506-HAC-A-Authentication
- IT0506-HSC-A.01-Password Management and Complexity