South Plains College

Information Services (SPC-IS)


Remote Access Standard: I-D(e)

Purpose and Benefits

This standard aims to establish authorized and secure methods for remotely accessing SPC resources and services.

Major security concerns with remote access include the lack of physical security controls, the use of unsecured networks, the connection of infected devices to internal networks, the availability of internal resources to external hosts, potential damage to resources, and unauthorized access to information. 

Scope

This standard covers remote access to all systems developed by or on behalf of SPC. This includes all development, testing, quality assurance, production, and other ad hoc systems.

Information Statement

Remote access is allowed when there is a clear, documented business need. Access may be permitted from SPC-issued or personally owned devices at the discretion of the SPC ISO and in accordance with the standards below. Such access must be limited only to the necessary systems.

Approved Methods of Remote Access

Approved methods of remote access to systems are listed in order of preference.

  1. Virtual Desktop - a server that offers access through a single centralized non-persistent desktop. The user must authenticate using SPC-assigned credentials.
  2. Direct Application Access - accessing an application directly, with the application providing its own security (HTTPS).
  3. Virtual Private Network (VPN) - a secure communication tunnel through which information can be transmitted between networks.

Required Controls

  1. All methods of remote access must use SPC-assigned and managed credentials for administration and user access.
  2. Devices and software used for remote access must be approved after review by the Information Security Officer or designated security representative. Blanket approvals may be provided based on this review. VPN or VDI access software can be installed by contacting the SPC Help Desk.
  3. The authentication credentials used for remote access are assigned by SPC and are granted the appropriate assurance levels.
  4. Remote access sessions must require re-authentication after 30 minutes of inactivity.
  5. Remote access sessions must not last any longer than 24 hours.
  6. SPC monitors systems for unauthorized remote connections and other anomalous activity and will take appropriate incident response action as per the Cyber Incident Response Standard: I-K(a).
  7. Remote access devices must be validated so that their configuration is compliant with the Secure Configuration Standard: I-J.
  8. Third-party VPNs are not permitted on SPC-owned devices.

Compliance

This standard shall take effect upon publication. Compliance with all SPC policies and standards is expected, and these may be amended at any time.

If compliance with this standard is not feasible or technically possible, or if deviation from this standard is necessary to support a business function, entities shall request an exception through the Information Security Officer’s exception process.

Related Documents

1 TAC § 202.74 (a)(2)


NIST Special Publication 800-113, Guide to SSL VPNs

NIST Special Publication 800-114, User's Guide to Securing External Devices for Telework and Remote Access

Texas Security Controls Standards Catalog Control Group: AC17, SI1

NIST Function Groups: PR.AC-3, PR.MA-2