Remote Work Technology Guidelines: 9.16

ADMINISTRATIVE PROCEDURES

PURPOSE

This procedure outlines the requirements for secure access to Hillsborough Community College (HCC) information, networks, and computing resources by authorized remote workers. This arrangement is known as “teleworking” or “remote working.”

PROCEDURE

All College employees, contractors, or vendors (“users”) approved to work from remote locations must have been approved VPN Access Request form if the worker requires access to data classified as Restricted/Sensitive or needs access to the College’s network resources.

1. Compliance Requirements

   Users must maintain the same system security policies and procedures required when working on-site, including, but not limited to:

   • compliance with software license agreements.

   • hard disk encryption.

   • updated anti-virus software.

   • fully patched operating system software.

   • recommended timeouts for idle remote connections and pc logins.

   • adherence to the Hillsborough Community College AP-Acceptable Use Policy.

     Physical documents containing data defined in the Data Classification and Data Handling Policy as Restricted or Sensitive should not be brought to or stored at remote work locations or printed at remote working locations.

2. Alternative Work Sites

   At remote work locations, users working on college business must use an approved computer and network equipment. Personally owned remote work devices should require the remote worker to log in to the device under a profile specific to them and not used by any other person who may have access to the personal device.

   If a user intends to travel internationally, they must contact OIT to get pre-approval if remote access from international countries is expected.

   The approval will be made on a case-by-case basis. Examples of the criteria include the following:

   • Is the country identified as banned by our Risk Management Partners?

   • Is the country a participant in The Wassenaar Arrangement (governs the use of Export Controlled technologies internationally (e.g., Encryption)?

   • Is the user traveling in an official capacity for the college?

   • Does the user have access to data classified as Restricted or Sensitive according to the Data Classification and Data Handling policy?

3. Access Control

   Logging-Out - After a remote worker has completed a remote session with HCC systems, the worker must log off an established VPN connection and log out of the device.

   Encryption and Data Protection - All computers used for remote working (including laptops, notebooks, and other transportable computers) which contain data defined as Restricted according to the Data Classification Policy must consistently employ hard disk encryption for all data files. This essential control must be provided through software or hardware systems approved by the Office of Information Technology. Personal, handheld computers, tablets, laptops, smartphones, etc., must not be used to handle Restricted organizational information unless the device has been configured with the necessary controls (including encryption) approved by the Office of Information Technology.

   Sharing Access Devices and Systems - Remote workers must not share assigned access tokens, credentials, or passwords with anyone by the college’s Acceptable Use Policy. This means that a remote computer used for college business should be used exclusively by the user. Family members, friends, and others should not be permitted to use the device. Remote workers should never lend to others any handheld computer, laptop, tablet, smartphone, or another computer that stores information about Hillsborough Community College business activities.

4. Remote Access and Systems Management

   As part of connecting remotely to the organization’s network, it is required that any device used for that connection install and maintain software to ensure that the security controls are applied, and the management of the controls is maintained. Software that is covered by this policy includes, but is not limited to:

   • OIT-provided VPN software,

   • Malware and Threat Detection,

   • Vulnerability and Software compliance scanning.

     This procedure regulates all VPN services to the HCC network and must comply with the Acceptable Use Policy to use this service. To maintain security, VPN services will be terminated immediately if any suspicious activity is found. Services may also be disabled until the issue has been identified and resolved.

5. Violations

   Any violation of this policy may result in disciplinary action. Hillsborough Community College reserves the right to notify the appropriate law enforcement authorities of any unlawful activity and to cooperate in any investigation of such activity.

6. Definitions

   • Restricted Information – Any HCC-related data defined in the Data Classification and Handling Administrative Procedure as Restricted.

   • Mobile Computing Devices - Mobile computing assets include but are not limited to, laptops, notebooks, tablets, desktop computers, all personal wireless-enabled devices, including pagers, cellular phones, mobile email devices, PDAs, and other hybrid devices, and all portable storage media, including flash drives, smart cards, tokens, etc.

   • Password – An arbitrary string of characters chosen by a user to authenticate the user when he attempts to log on to prevent unauthorized access to his account.

   • Third-Party – Any non-employee of HCC contractually bound to provide services to Hillsborough Community College.

   • User - Any Hillsborough Community College employee or Third-Party authorized to access any Hillsborough Community College electronic information resource.

7. Reference

   • The Wassenaar Arrangement

   • 9.00 Acceptable Use

   • 9.08 Data Classification and Handling

HISTORY

New