Security Standards and Guidelines For Telecommuting or Accessing Restricted Information Resources.
This document provides security standards and guidelines for employees, contractors or other affiliates (collectively, “remote users”) who have been approved to work remotely from non-UT Arlington networks.
As a general rule, the information security standards for accessing, storing, manipulating, transmitting or otherwise handling UT Arlington information remain the same irrespective of the network from which it is being accessed. Similarly, the standards for protecting UT Arlington information resources (e.g. desktop and laptop computers, portable computing and storage devices, servers, UT Arlington network, etc.) are the same, irrespective of the physical location of these devices and how they are being accessed.
Remote users are required to ensure that the computers they use to access the UT Arlington network or any UT Arlington information resources are protected from malware or other vulnerabilities that could affect the security, stability, performance and availability of any University information resource. Similarly, confidential and controlled information that is accessed or generated by remote users should be secured in a manner consistent with University policy and standards.
These security standards and guidelines apply to all UT Arlington employees, contractors or other affiliates accessing UT Arlington information or IT resources that are not accessible from non-UT Arlington networks.
STANDARDS, GUIDELINES AND PROCEDURES
Section I. General
- UT System policy requires all UT Institutions to follow Encryption Practices for Storage of Confidential University Data on Portable and Non-University Owned Computing Devices.
- University confidential data must be stored on an encrypted device. Please see the official UT System memos at Encryption of all Laptop Computers and Encryption of University Desktop Computers.
- Neither UT System nor the University requires staff or faculty to use personal devices to conduct University business. In fact, faculty and staff are strongly encouraged not to do so. In addition to the security concerns, doing so potentially subjects the entire content of the personal computing device to a subpoena, litigation hold or public records request. All faculty and staff who are required to work remotely as part of their duties are encouraged to use a UT Arlington issued device that is configured to meet UT Arlington security standards, including full disk encryption.
- Personal or non-University owned computers containing University information are subject to subpoenas, litigation holds and open records; there is no expectation of privacy where University data on non-University owned computers is concerned.
- All vendors and contractors must use remote methods of accessing University systems and information as described in Section III (A)(2) below. University data must not be copied, transmitted, stored or otherwise handled on vendor or contractor owned computers unless appropriate contractual agreements are in place with the University.
- If faculty or staff choose to use a personal computer to conduct University business, they are responsible for ensuring that the security and integrity of the data are maintained in accordance with System security requirements. This includes the requirement to ensure that the device is encrypted pursuant to the University requirements.
- Remote users are responsible for ensuring that UT Arlington information resources and data are only accessed by authorized individuals. Family members or other unauthorized individuals must not be allowed to access UT Arlington information resources or data. Computers remotely connected to the UT Arlington network or information resources must not be left unattended.
- All remote connections must be terminated as soon as remote work related to UT Arlington business or support is completed.
Section II. Authorization, Centralized Authentication and Network Access Control
- All remote users accessing UT Arlington resources must be authorized to do so.
- All remote users accessing UT Arlington information resources must use a uniquely assigned NetID to access the University network. Sharing NetID passwords is against UT Arlington policy.
- Unless alternative methods are approved by the Information Security Office, all remote users must use UT Arlington Office of Information Technology (OIT) provided Virtual Private Network (VPN) software and VPN servers to access information technology resources that are restricted to the campus network.
Section III. Guidelines for remotely accessing university information
- Where possible, remote users should conduct university business on university owned computers using the following methods:
  - Use a University issued encrypted computer (laptop, desktop, tablet, or other similar device).
  - Remotely connect to University owned computers after establishing an approved VPN connection using approved methods such as Remote Desktop Connection, SSH, Citrix or any other encrypted protocol that allows both processing and storage of data on the University owned computer.
- Where it is not possible to use a University owned computer to conduct university business, the personally owned or non-university owned computer must maintain minimum security standards as outlined below.
Section IV. Minimum Standards for Computing Devices Accessing the UT Arlington Network Remotely.
In order to protect the UT Arlington network and information, all computers remotely accessing UT Arlington information resources must meet the following minimum requirements:
- The operating system must be updated and patched to ensure that the latest security patches have been installed.
- The computer must have anti-malware (antivirus) software installed and must be up-to-date with the latest scan engine and anti-malware definitions. Antivirus software must be set to perform weekly full scans.
- All applications (including, but not limited to, web browsers, productivity software, document readers, etc.) installed on the computer must be patched and up-to-date.
- All computers used to store UT Arlington data must be encrypted with full disk encryption following UT Arlington standards for encryption.
- All computers used to store UT Arlington data must be set up with separate user profiles and permissions in order to properly separate and protect University data. Access to University data should be restricted in a manner that will not permit unauthorized access by non-University employees (including, but not limited to, family members who are not University employees and do not have a business need to access University data). The password that is set for such profiles should conform to the University’s standard for complexity, expiration and reuse.
- All University data must be backed up to encrypted storage or locations that are approved by UT Arlington.