Information Technology Remote Access and Work from Home Policy
A. Purpose/Policy Statement
- This Policy explains the limitations and sets forth the responsibilities incumbent upon La Salle employees who are accessing University Confidential Data while in off-campus locations and/or connecting to any of La Salle's Non-Public Computing Resources from off-campus locations.
- This Policy does not apply to data or resources specifically intended for public use or intended for general access by individuals affiliated with La Salle, including La Salle's public web site (www.lasalle.edu), the La Salle portal and Br. LUWIS (my.lasalle.edu), La Salle’s Office 365 for Business email (https://outlook.office365.com/owa/lasalle.edu/), or to La Salle's Canvas learning management system (lasalle.instructure.com).
B. Definitions
- Confidential Data: a term of convenience for all data included in the High-Risk Data or Medium-Risk Data categories, as defined below.
- Data Owner: the user whose University role implies primary responsibility for a data element or item. Data owners grant rights to access, update, transfer, and use the data they “own,” subject to applicable laws and contracts and to the policies and restrictions delineated within this Policy. Data Owners are:
- Vice Presidents or the Provost (or their appointed designee) where data is primarily managed within departments reporting to that Vice President or where data is managed within a single Banner student information system module functionally associated with that Vice President;
- the Principal Investigator (PI) or, for student research, the Faculty Sponsor when Confidential Data is collected or maintained for academic research. It is the PI's responsibility to discuss protection requirements with the Chief Information Officer (CIO) to ensure that protection requirements can be met;
- the Chief Information Officer (or designee) in all other cases.
- High-Risk Data: any data that meets any one or more of the following criteria:
- data which, if compromised, could adversely impact the safety, privacy, welfare, financial health, or reputation of La Salle University, its employees, faculty, students, alumni, or affiliates;
- data which is protected or restricted by local, state, federal, or international law or by contractual agreements or data where such laws or agreements require the University to limit
- data pertaining to individuals who have exercised legally- or contractually-mandated disclosure opt-out provisions;
- data which is prohibited from disclosure by University practice or policy.
- Examples include, but are not limited to: aggregated or individual passwords, social security numbers, credit card numbers, drivers’ license numbers, student grades and disciplinary records, personal or enterprise financial records, private contact information, medical or health records, birth dates, and personal employment and payroll records.
- Examples of data which may be restricted by individual opt-out decisions include FERPA student Directory Information. Note that the possibility of students exercising their FERPA opt-out rights means that not just the data elements but also the specific records included in a data set must be considered to determine whether a data set must be considered High Risk Data.
- Low-Risk Data: data where the potential for adverse impacts to the University and to the individuals to whom the data pertains is low or non-existent. Low-Risk Data is generally public information or information that is releasable under University procedures for processing public records requests. While this Policy does not impose any specific restrictions or precautions for Low Risk Data, Data Administrators should be aware that even public information, such as names and job titles, can be used to facilitate social engineering attacks. Examples of this category of data include: the faculty and staff telephone directory, FERPA Directory Information where the student or students have not exercised opt-out privileges, course catalogs, class meeting times, and demographic statistics that cannot be associated with specific individuals.
- Medium-Risk Data: any data that fails to meet any of the criteria for High-Risk Data but still warrants careful stewardship due to the potential adverse impacts of disclosure or other compromise. Examples include, but are not limited to: home and campus addresses, personal telephone numbers, personal email addresses, places of birth, and University ID Numbers for students, employees, alumni, and other University affiliates. The University is under both ethical and practical obligations to safeguard Medium Risk Data from unauthorized access. Therefore, all of the precautions and restrictions applicable to High Risk Data must be applied to Medium Risk Data unless an exception is granted by the Data Owner. This includes:
- data designated or defined as “official-use only,” “non-public” and/or “proprietary;”
- data which is collected or accessed as part of faculty or student research which contains personally-identifiable information;
- data entrusted to the University under a reasonable expectation of privacy.
- Non-Public Computing Resources: include internal administrative data network resources such as individual network drives (P-drive folders), departmental common folders and other shared folders (H-drive folders), and remote access to administrative servers such as the Banner database, the Argos reporting system, or to the Banner 9 forms used by University administrative offices.
- Remote Access: any access to University Confidential Data or any connection to University Non-Public Computing Resources from any off-campus location, including the employee’s home, hotels and airports, vacation and conference locations, home offices or non-University work places, or other off-site locations.
- Safe Harbor Reporting Exception: an exception to normal statutory breach reporting requirements allowed when confidential data is encrypted using specific technologies which are accepted as effectively preventing any unauthorized access to the data.
- Virtual Private Network (VPN): an encrypted connection over the public Internet from a computing device at a remote location to La Salle’s internal administrative network. The encrypted connection helps ensure that sensitive data remains confidential and secure by preventing unauthorized individuals from viewing or altering the traffic.
C. Policy Procedures/Guidelines
1. All tablet computers, laptop and desktop PCs, and other hardware used for Remote Access to Non-Public Computing Resources must meet the following standards:
- All tablet computers, laptop and desktop PCs must have La Salle-approved end-point protection (i.e., anti-virus) software installed and active and must have up-to-date virus signatures.
- All tablet computers, laptop and desktop PCs must have operating systems and all application software maintained at current software versions, supported by the software vendor, and must have all operating system, web browser, and application security patches and updates installed.
- Employees must immediately suspend all Virtual Private Network and Confidential Data access when their operating system or end-point protection/anti-virus software reports security problems, until those problems are resolved.
IT reserves the right to deny access to Non-Public IT Resources or University Confidential Data to any tablet computer or laptop or desktop PC that gives evidence of malware infection or does not have current operating system and software versions installed.
With the exception of faculty performing tasks directly related to their teaching assignments, all tablet computers, laptop and desktop PCs, and other hardware used for off-campus viewing, editing, or for any other access to University Confidential Data must also meet the preceding standards. In the case of faculty, the requirements for commercial anti-virus, current anti-virus signatures, operating systems, and application software are strong recommendations. Faculty are required to suspend activities following security alerts.
In addition, IT strongly recommends that all tablet computers, laptop and desktop PCs, and other hardware used for Remote Access to Non-Public Computing Resources or used for off-campus viewing, editing, or for any other access to University Confidential Data meet the following best-practice standards:
- All laptop and desktop PCs should be configured with separate accounts for system administration and normal everyday use. The account with administrator privileges should only be used when required for installing software or other system administration tasks.
- All laptop and desktop PCs should have whole disk encryption enabled.
2. The only allowed method for accessing Non-Public Computing Resources is via the La Salle-managed Virtual Private Network (VPN). The use of non CIO-approved software for Remote Access to Non-Public Computing Resources is explicitly prohibited. In particular, applications such as Chrome Remote Desktop, GoToMyPC, LogMeIn, and all other ad hoc and/or third-party remote access
3. The use of non CIO-approved storage for University Confidential Data is also prohibited. In particular, transfer of University Confidential Data to personal cloud storage services such as Dropbox, Google Drive, or personal Microsoft OneDrive accounts is prohibited.
4. Virtual Private Network access is granted on a case-by-case basis, at the sole discretion of the Chief Information Officer (CIO). Off-campus access to University Confidential Data is granted on a case-by-case basis at the discretion of the University-designated Data Owner or Owners. Access will only be granted to employees where there exists a clear business justification for Remote Access privileges. The CIO and Data Owners retain the right to limit, temporarily suspend, or revoke Remote Access privileges at any time and without advance warning. La Salle Information Technology (IT) provides Virtual Private Network access on a good-faith, best-effort basis, but makes no guarantee as to the availability of these services. IT reserves the right to monitor and audit remote VPN sessions.
5. No person, other than the designated La Salle employee, may access La Salle's Confidential Data or Non-Public Computing Resources via Remote Access. No University Confidential Data may be shared with any person not specifically authorized to access that data.
6. No University Confidential Data may be stored on any removable media unless the storage media is La Salle owned, encrypted with CIO-approved AES 256-bit or better encryption (i.e., satisfies Safe Harbor Reporting Exception requirements), and unless that storage is specifically authorized by the Data Owner.
With the exception of faculty performing tasks directly related to their teaching assignments, the use of storage media that is not owned by the University and approved by the CIO for the storage, transfer, or backup of University Confidential Data is also prohibited.
7. Passwords used for encrypting University Confidential Data must meet the following minimum standards:
- Encryption Passwords for Electronic Documents Containing High-Risk Data:
- 12-character minimum Password length;
- at least one upper-case and at least one lower-case letter,
- at least one numeric digit and at least one punctuation mark or symbol;
- spaces not allowed.
- Encryption Passwords for Electronic Documents Containing Medium-Risk Data:
- 8-character minimum Password length;
- at least one upper-case and at least one lower-case letter,
- at least one numeric digit and at least one punctuation mark or symbol;
- spaces not allowed.
- Encryption Passwords for Electronic Documents Containing Low Risk Data:
- 8-character minimum Password length recommended;
- at least one upper-case and at least one lower-case letter recommended,
- at least one numeric digit or at least one punctuation mark or symbol recommended
- spaces not allowed.
Passwords must not contain English or foreign dictionary words, place names, and obvious transformations such as substituting ‘+’ for ‘t’ or ‘3’ for ‘E’. The reason for the restriction on dictionary words is that a common technique for compromising passwords involves programs that iterate through a dictionary of words, word combinations, and simple transformations until they find a match.
In addition, the following are examples of the types of information which must not be used for encryption passwords, for part of passwords, or as the basis of a password with letter substitutions or transformations such as reversing the letters in a name, word, or phrase:
- first, middle, last, maiden names, nicknames, or names of family members, friends, pets, or significant others;
- usernames for accounts, La Salle ID Numbers, or email addresses;
- birthdates, anniversary dates, telephone numbers, SSNs, or credit card numbers;
- patterns based on academic terms, months, or seasons (e.g. Fall2018);
- patterns based on the University name, department names, names of managers or other University personnel, buildings, or campus landmarks (e.g. lasalle123);
- patterns based on street address, brand of automobile, hobbies, high school or college, or other personal history, lifestyle, or interests.
8. Employees working from off-campus locations who must collect or revise University Confidential Data while off-line, either because of travel or other logistical or security considerations, must back up that University Confidential Data to the La Salle network or to their University-sponsored OneDrive for Business account as soon as they can access a secure network connection.
9. Employees granted Remote Access privileges must abide by all contractual obligations and comply with all Federal, State and Local Government Administrative Policies and Laws governing the handling of information, including FERPA, HIPAA, the Fair and Accurate Credit Transactions Act (Red Flags Rule), Gramm-Leach-Bliley, and the Pennsylvania Breach of Personal Information Notification Act.
10. Employees granted Remote Access privileges are required to maintain full compliance with the University’s Acceptable Use and Confidential Data Handling Policies at all times.
11. Employees issued University-owned tablet computers or laptop or desktop PCs must not allow non-La Salle employees, including family members, to use the tablet, laptop, or desktop for any purpose.
12. Following the discovery of a breach, reasonable suspicion of a breach, or loss or theft of laptops, tablets, or storage media used for Remote Access, employees must immediately notify the CIO and their supervisor. In the event of a breach, employees agree to cooperate with cybersecurity forensic investigators and law enforcement officials. This cooperation specifically includes surrendering the laptop or tablet for whatever period of time should be required to conclude both the investigation and any resulting legal proceedings.
13. In the event that La Salle employment ends, employees must immediately return all La Salle-provided hardware, including PCs, laptops, tablets, and removable media. In the event of a breach involving data that has remained in the possession of a former employee, the former employee agrees to assume all legal and financial responsibility for all losses, expenses, and judgments resulting from that breach.
14. Annual Policy Review. This policy will be reviewed by the Chief Information Officer and Executive Director of IT Security and Compliance on an annual basis.
D. Responsible Office/Department
1. Information Technology
E. End Notes
1. Effective Date: September 1, 2018