1. Purpose

The purpose of this policy is to define how the University of Florida controls Remote Access to university information systems and networks in order to prevent unauthorized use.

2. Applicability

This policy applies to all methods the university implements to allow remote access to its services, information systems and networks

3. Definitions

Information System means an individual or collection of computing and networking equipment and software used to perform a discrete business function. Examples include the eLearning System, ISIS, the EPIC electronic medical records system, a lab system and associated PC or the set of desktop computers used to perform general duties in a department.

Remote Access means a method allowing authorized users to interact with university information systems and networks via methods or networks not controlled by the university (e.g. The Internet). Examples of remote access include Virtual Private Networks (VPN), remote desktop and terminal sessions.

University of Florida IT Support Team means any member of the University of Florida Constituency that provides information technology support activities for a sub-set of University of Florida users.

4. Policy Statement

4.1. All methods the university provides to offer remote access to services and information systems must be assessed for security, approved, documented and controlled. The university will permit external network access only to approved remote access end points.

4.2. Remote access methods must employ appropriate security technologies to secure the session, as well as prevent unauthorized.

4.3. All members of the University of Florida Constituency are responsible for protecting remote access methods, devices and credentials assigned to them. Users are responsible for maintaining the security of computers and devices used to remotely access university resources.

4.4. Information Security Managers (ISMs) are responsible for documenting and implementing controls for all remote access methods implemented within their unit. ISMs are also responsible for monitoring of unit-implemented remote access methods for unauthorized use, and taking appropriate action upon discovery of unauthorized use, including notification of the UF Information Security Incident Response Team.

4.5. The Vice President and Chief Information Officer (CIO) is responsible for approval of remote access methods and resources.

4.6. The Vice President and Chief Information Officer (CIO) is responsible for implementing systems and specifications to facilitate unit compliance with this policy.

5. References and Related Information

Additional Resources

Standard Number: SEC-TS-003.03
Standard Family: Information Security
Standard Category: Technical Security
Standard Effective Date: 1-25-2017, Amended 7-18-2024 (substantive)

REMOTE ACCESS STANDARD

Purpose:

To establish usage and documentation requirements for remote access methods used at the University of Florida.

Standard:

1. Firewalls and other technology will be used to restrict Remote Access to only approved Remote Access mechanisms.
2. To be approved, Remote Access mechanisms must include the following technical capabilities:
   • a. Allow only identified, authenticated and authorized users to connect.
     • i. GatorLink accounts are used for authentication and identification
     • ii. When passwords are used for authentication they must be combined with Multi-Factor Authentication (MFA)
   • b. Provide for strong encryption of traffic.
   • c. Audit logs contain sufficient information to establish the following:
     • i. Event type (authentication, connection or disconnection)
     • ii. Date and time
     • iii. User associated with the event
     • iv. Remote and local IP addresses
     • v. Event success or failure
3. Interconnections to the UF Network require interconnection agreements. Access must be restricted to the minimum necessary to achieve the goals of the interconnection.
4. Documentation of remote access mechanisms includes:
   • a. Local and remote end points, and mechanisms intended to enforce connection only by intended end points.
   • b. Intended users (based upon role or group) and mechanisms to enforce those restrictions.
   • c. What university information systems and data remote users may access, and methods to enforce those restrictions.
   • d. Guidance provided to users of appropriate uses of the remote access method.
5. Remote access methods must be monitored for unauthorized use, and signs of unauthorized use promptly reported.
6. The following remote access methods have been approved:
   • a. UF Gatorlink VPN https://vpn.ufl.edu
   • b. UFHealth/Shands VPN https://vpn.ufhealth.org
   • c. EduVPN for access to HiPerGator

History

Policy History: New 12-14-2016