Remote Access Policy

Access to key information systems and services resident on the Colorado College network from the public Internet is a requirement for a significant portion of the Colorado College community. With the pandemic, health and safety necessities are a top priority for the College and take these risks seriously. Colorado College takes employee concerns seriously.

Responsible office
Information Technology Services
Responsible party
Vice President for Information Technology Services / CTO
Last revision
October 2021
Approved by
The Cabinet
Approval date
October 2021
Effective date
November 2021
Last review
October 2021
Additional references

Scope

All financial and administrative policies involving community members across campus, volunteers, and the Board of Trustees are within the scope of this policy. If there is variance between departmental expectations and the common approach described through college policy, the college will look to the campus community, volunteers and the Board of Trustees to support the spirit and the objectives of college policy.

Policy

Purpose

The intent of this policy is to identify remote access methods and procedures that will insure a high level of security for Colorado College IT physical assets and data. These include network infrastructure, College servers, College workstations, Financial data, HR data, student information, other forms of personal information and other information necessary to support the academic mission and business functions of the College. The policy will define standard approved remote access methods for connecting to Colorado College network resources by any/all authorized users. It will establish guidelines for managing and protecting information resources and services on the College LAN and enable the use of hardware, software and procedures for implementing the policy.

The policy's guiding philosophy is to keep Colorado College information within the Colorado College internal network. As such, this policy is designed to enable users' full remote access to authorized resources that are necessary to perform their jobs while minimizing the exposure of College IT resources to external threats. For example, copying or moving files that contain protected Colorado College information from a system on the College Local Area Network (LAN) to a remote workstation is prohibited. All policy decisions not explicitly outlined in the policy will be based on this philosophy.

This policy does not identify approved users or their authorization. It only identifies the method of access and authentication and defines the process for requesting access. The Data Custodians, Data Owners, or Managers of a Business unit or application administrators responsible for the information being accessed grant additional access privileges.

In order to provide ease of use the College offers Virtual Desktop Infrastructure (VDI) remote access service utilizing a VMWare platform. The service is maintained and administered by the ITS department and is available in two versions. One version provides full access to a user’s desktop and allows the user the same control over services that they would have while seated at their workstation using a virtual terminal client that requires a download and installation of the application. The other uses a browser based experience that offers the same compatibility.

This policy applies to all, faculty, staff, students, volunteers and contractors of Colorado College who require remote access to the College network while away from their on-campus space. These users are responsible for reading, understanding, and complying with this policy.

Responsibilities

It is the responsibility of Colorado College users to ensure that their remote access connection is given the same consideration as their on-site connection. For example, computers logged in via VDI should not be left unattended, or be used by unauthorized persons. It also their responsibility to protect their user credentials to prevent unauthorized users from accessing the Colorado College network from other devices. Any user accessing Colorado College resources remotely bears responsibility for the consequences should the access be misused.

Requirements

Remote access must be strictly controlled. Control will be enforced via domain password authentication. For information on creating a strong domain password and other information related to Multi-Factor Authentication please the ITS resource guides.

To use VDI, please review Colorado College’s “Connect from Off Campus” resource guide.

General responsibilities for the use of devices on Colorado College’s network (on-campus or remote) are included in the Acceptable Use Policy.

At no time should any Colorado College user provide their login or email password to anyone, including family members. 

Additional Requirements for Accessing Secure Data Remotely

For users that wish to access our secure resources remotely with elevated privileges, they will be required to submit a request via our ticketing system and complete a mandatory online data security training with the understanding of how to safeguard the institution’s data.

Additional Requirement for Contract Workers

Any contract worker requesting remote access privileges to the Colorado College network, systems and data contained therein must submit a signed copy of the System Access Agreement for Contract Workers and a Non-Disclosure Agreement before access will be granted.  In signing the agreement, the contract worker acknowledges that the individual or service provider has read and agrees to abide by this Remote Access Policy and the Colorado College Acceptable Use Policy. If the contract worker will have access to secure data, the individual that is provided a directory account will be required to have a CC department sponsor for authorization to access any CC resources.

Enforcement

Failure to abide by the responsibilities outlined in this policy will result in the user’s remote access capability being revoked until he or she produces proof that the problems have been remedied. Abusers of the college’s information technology resources will be subject to existing disciplinary procedures under current college policies in accordance with the abuser’s campus status. When appropriate or required by law, the college may request or provide assistance to law enforcement agencies to investigate suspected illegal activities.

Any contractor that violates this policy will have access privileges revoked immediately and will be subject to fines that are at a minimum equivalent to any, and all damages incurred by the College. The contractor or the vendor providing contract services may additionally be subject to legal action. 

Procedures

Definitions

Report an issue - Last updated: 11/02/2021