The purpose of this policy is to define the minimum requirements for eligible employees to use University-owned and non-University-owned computing devices for remote access.
Remote Access: Remote access is the ability to get access to University information technology (IT) resources and systems without directly connecting to the University's wired network.
- Remote Access to University IT Resources and Systems: The University will approve standards for remotely accessing University IT resources and systems.
- Remote Access Usage Requirements:
  - All computing devices used for remote access to the University IT resources and systems must meet minimum security standards, including those stated in the Malware Protection Policy. (Guidelines for meeting these requirements are available in items 1-4 of the "Protecting Your Computer" documents for Personal Computers, Macs and Handheld Devices.)
  - Users remotely accessing the University's IT resources and systems are responsible for selecting their own Internet Service Provider (ISP) and maintaining compliance with the contracts and policies of their ISP.
  - Users must not attempt to bypass security controls implemented for remote access solutions, including inactivity time limits.
  - Users should be aware that encryption technologies, which may be installed on devices used for remote access, are protected by U.S. government export restrictions. Further details may be found in the Encryption Policy.
  - Eligible employees using non-University-owned computing devices for remote access must be aware of the following requirements:
    - In the event a non-University-owned computing device used for University business is involved in the investigation of a security incident, the employee may be required to release the device to law enforcement or the Commonwealth of Virginia Computer Security Incident Response Team (COV CIRT) for forensic purposes.
    - The COV CIRT is obligated to report any illegal activity uncovered during a security incident investigation, whether the activity is related to the incident being investigated or not.
While all investigations are confidential, the remote user concedes any expectation of privacy related to information stored on a personally owned computing device involved in a security incident.
The University regards any violation of this policy as a serious offense. Violators of this policy are subject to disciplinary action, in addition to possible cancellation of IT resources and systems access privileges. Users of IT resources and systems at Longwood are subject to all applicable local, state and federal statutes. This policy does not preclude prosecution of criminal and civil cases under relevant local, state, federal and international laws and regulations.
Approved by the Board of Visitors, September 12, 2008.
Revised and approved by the Board of Visitors, March 27, 2009.
Revised and approved by the Board of Visitors, March 26, 2010.