Medical College of Georgia Administrative Policies and Procedures
Office of Primary Responsibility: Information Technology Support & Services
No. 2.4.09
Remote Access
1.0 Purpose
The purpose of this policy is to define standards for connecting to the Medical
College of Georgia’s (MCG) network from any remote host. These standards are
designed to minimize the potential exposure to MCG from damages that may result
from unauthorized use of enterprise resources. Damages include the loss of
sensitive or confidential data, intellectual property, damage to public image,
damage to critical internal systems, etc.
2.0 Scope
This policy applies to all MCG faculty, staff, students, contractors,
vendors and agents who connect to the MCG network. This policy also applies to
remote access connections used to do work on behalf of MCG, including reading or
sending email and viewing intranet web resources.
Remote access implementations that are covered by this policy include, but
are not limited to, dial-in modems, frame relay, ISDN, DSL, VPN, SSH, cable
modems, and all other mediums used for remote connectivity, except through web
interfaces.
3.0 Policy
3.1 General
3.1.1 It is the responsibility of MCG faculty,
staff, students, contractors, vendors and agents with remote access
privileges to MCG's network to ensure that their remote access connection is
given the same consideration as the user's on-site connection to MCG.
3.1.2 General access to the Internet for
recreational use by immediate household members through the MCG Network on
personal computers is not permitted. MCG faculty, staff, students,
contractors, vendors and agents bear responsibility for the consequences
should the remote access privilege be misused.
3.1.3 Please review the following policies for
details of protecting information when accessing the network via remote
access methods, and acceptable use of MCG’s network:
3.1.4 MCG faculty, staff, students, contractors,
vendors and agents, and others not covered in this document, may no longer
use modems for remote access to the MCG internal network. Exceptions to this
rule are vendors who use modems for out-of-band (OOB) support to ITSS server
and network systems. Modem access for these systems must be approved by ITSS
Security Administration.
3.2 Requirements
3.2.1 Secure remote access must be strictly
controlled. Control will be enforced via one-time password authentication or
public/private keys with strong pass-phrases. For information on creating a
strong passphrase see the Password Protection Policy.
3.2.2 At no time should any MCG faculty, staff,
students, contractors, vendors and/or agents provide their login or
email password to anyone, not even family members.
3.2.3 Faculty, staff, students, contractors,
vendors and agents with remote access privileges understand that their
MCG-owned or personal computer or workstation that is remotely connected to
MCG's internal network shall not connect to any other network at the same
time. There are no exceptions.
3.2.4 Faculty, staff, students, contractors,
vendors and agents with remote access privileges understand that their
MCG-owned or personal computer or workstation that can be remotely connected
to MCG's internal network shall not be shared by other individuals,
including family members.
3.2.5 Routers for dedicated ISDN lines configured for access to the
MCG internal network must meet minimum authentication requirements of CHAP.
3.2.6 Reconfiguration of a home user's
equipment for the purpose of split-tunneling or dual homing is not permitted
at any time.
3.2.7 Frame Relay must meet minimum
authentication requirements of DLCI standards.
3.2.8 Use of non-standard connections (those
not defined in this policy) to the MCG network must be approved by both the
Network Operations and Security Administration departments of ITSS.
3.2.9 All remote hosts that connect to MCG’s
internal networks via remote access technologies must use the most
up-to-date anti-virus software.
3.2.10 All remote hosts that connect to MCG’s
internal networks via remote access technologies must use the most
up-to-date operating system security patches.
4.0 Related Documents
Date: 22 December 2005 | Rev. No. NEW | Rev. Date: | No. 2.4.09