ITS Remote Access Control Policy
Policy Statement
To protect all University owned and/or operated information resources and all University information, all access will be strictly controlled to ensure that access is only granted for valid University purposes in a manner that adequately protects such resources according to industry best practices.
Reason for Policy
Controlling access to information resources is crucial in order to allow the University to properly protect all information resources and University information from unauthorized access, modification and dissemination. To help the owners of University information resources and University information establish adequate protections, this policy sets forth the minimum required standards for granting access to such resources and information through remote access
Entities Affected By This Policy
Any individual, group or department that owns, operates or maintains an information resource on the University network, or an information resources containing any University information.
Contacts
Questions regarding this policy in general should be directed to:
EIU Information Security 217-581-1939
Mobile Devices
This policy applies to employees, faculty, student workers, and any other user who utilizes the network or computing resources provided by EIU for business-related usage via a personally or state-owned device owned device such as Laptops, mobile smartphones, tablet computers.
Access Enforcement
- Any information resource containing non-public and/or protected information must be configured in a way that ensures that non-authorized individuals (as defined by the owner), including the general public, do not have access to such information
- All authentication mechanisms employed by University information resources must occur over encrypted communications channels (eg SSL/TLS)
Information Flow Management
- Information resources containing non-public and/or protected information are prohibited from communicating over non-University controlled networks (eg Internet) except where such communication is done over an encrypted medium (eg VPN, SSL/TLS)
Remote Access
- Remote access of any non-public and/or protected information resource over non-University networks will be strictly controlled
- Any access granted to users for internal information resources via remote access will be based upon the needs of the individual
- All faculty and staff at Eastern Illinois University are granted permission to utilize Eastern’s remote access capabilities. All other users must request access through the documented process to properly assess their needs.
- All remote access over non-University controlled networks (eg Internet) must use encrypted communications (eg VPN, SSL/TLS) from a computer that meets the minimum security requirements of a University-owned computer
- All remote access will be monitored and recorded with the records kept for a period of at least 30 days
Disk Encryption
- Eastern Illinois University owned and issued laptops are required to be encrypted when the department job assignment is mandated to meet compliance with the Gramm-Leach-Bliley Act (GLBA). The mobility of laptops inherently exposes more risk, and an increased need for confidentiality of the potential data stored on them. Faculty, Staff, and Student Workers assigned EIU owned laptops, are obligated to work with EIU ITS to confirm they are meeting this compliance requirement. Existing legacy systems and applications containing protected information which cannot use modern encryption because of technology limitations, must have compensating controls established and approved by EIU Information Security. All departments are subject to annual risk assessments to ensure any noted risk(s) are addressed via compensating controls to protect the data in lieu of encryption. Any exceptions will be reviewed periodically and removed when a suitable solution is available.
Virtual Private Network (VPN) Account Process
For All Non-EIU Faculty and Staff
- Users will request a VPN account by contacting Networking Systems or User Services Help Desk.
- Network Systems or The Help Desk will contact the Information Security Office for approval.
- Information Security Office will request user’s supervisors’ approval and review the user’s request
- If approved, Networking Systems will work with the user to setup the VPN account
Last Date Reviewed: 06/13/2024