Remote Access Policy

Summary

Requires approval and secure configurations for remote access, defines user responsibilities, access controls, monitoring, and timely deactivation for security and compliance.

Body

1. Policy Statement

In order to remotely access the Massachusetts College of Art and Design (“MassArt”) network and systems, appropriate authorization and approval are required. MassArt faculty and staff involved in any aspect of requesting, authorizing, provisioning, or managing remote access technology and services must be familiar with this policy and observe all applicable Technology department rules and provisions.

Additionally, it is the responsibility of any individual accessing the MassArt network remotely to ensure that their actions – and any computer they use to connect to the MassArt network – are in compliance with College policies, including this policy document governing the use of remote access services and technology.

2. Assigned Roles

Role | Assigned Responsibilities
Deputy Chief Information Officer
  • Ensure Technology department staff authorize, manage, deploy, and support remote access services and technology in a manner consistent with this policy.
  • Notify, and consult with, the Information Security Officer (ISO) on any suspected significant instances or patterns of non-compliance.
  • Notify the Information Security Officer of any network infrastructure or process changes that necessitate an update of this policy. 
Chief Human Resources Officer
  • Ensure that the Office of Human Resources notifies the Technology department of employee terminations.
Deans, Department Heads, and area Vice Presidents
  • Request remote access only for employees, contractors, consultants, or other MassArt-affiliated third-party service providers within their reporting structure who have a valid business justification for such access.
  • Notify Technology department User Services in a timely fashion when any employee, contractor, consultant, or third-party service provider in their area authorized for remote access no longer needs that access.
  • Notify Technology department User Services of any change in contractor, consultant, or third-party service provider status which could impact the individual’s required level of authorization or access.
Information Security Officer (ISO)*
  • Monitor this policy for compliance.
  • Document, and communicate, any patterns, or significant instances, of non-compliance to the Chief Information Officer.
  • Raise awareness in the user community of this policy through various training, educational, and awareness activities.

3. Rules, Responsibilities, and Prohibitions

There are two different remote access user services at MassArt:

Remote Network Access: The MassArt Virtual Private Network (VPN) is a service which allows end users to remotely** access the internal MassArt network over a secure encrypted channel. VPN access requires a request submitted by a Dean, Department Head, or area VP through the Technology department Service Management Portal on behalf of their employee (or MassArt-affiliated contractor or vendor). Once approved, VPN client software will be installed on the user’s off-campus computer by the Technology department. Users can then connect and authenticate via the VPN to obtain access to MassArt internal computing resources, such as servers, internal web pages, MassArt personal computers, and file shares.

The security network is a separate network which is strictly controlled and not available for general employee usage. Remote access into the security network requires Technology department supplied two-factor authentication. 

Remote Access Only to a MassArt Desktop Computer Connected to the MassArt Internal Network: Only software approved by the Technology department may be used to enable employees to connect from an off-campus location directly into a MassArt owned and managed desktop computer connected to the MassArt network. Approved software requires appropriate approval and client software installed on the on-campus computer connected to the MassArt network. Approved software access will only be granted to the individual employee assigned to that MassArt personal computer and for no other computer (i.e., only one computer can be authorized per person). Exceptions may be made under extenuating circumstances, in which case strong business justification must be provided with the request by the employee’s Dean, Department Head, or area VP, and final approval obtained from the Chief Information Officer or Deputy Chief Information Officer.

The following rules apply to remote access services and technology:

3.1 Approval is a mandatory prerequisite for remote access. Each service requires a separate authorization, which is obtained by the requestor’s Dean, Department Head, or area VP submitting a request on behalf of their employee through the Technology department Service Management Portal. After the requisite approval has been obtained, the user will be authorized by the Technology department and sent instructions by email on how to set up and access their remote access account. Access to the security network requires additional access approval from the Director of Systems & Networking.

3.2 Minimum specifications of an off-campus computer which connects to the MassArt network:
3.2.1 Has the latest operating system and third-party software security patches installed.
3.2.2 Has a personal firewall enabled.
3.2.3 Runs a MassArt approved and supported operating system, web browser, and anti-virus program.

3.3 Session Timeouts: Remote access connections will be configured to time out after fifteen (15) minutes of inactivity. Users will be required to reinitiate their connection after the session has timed out.

3.4 Remote Access Account Lifetime: Ongoing access to remote access services is dependent upon current, active affiliation with MassArt as indicated by the Payroll and Student Information Systems. Any person who is not on the MassArt payroll, such as MassArt-affiliated vendors and contractors, will only be granted remote access for a predetermined, finite term, at the discretion of the CIO and the Deputy CIO. VPN account access will be disabled either when the account lifetime period has expired or at any earlier time at the request of the grantee’s Dean, Department Head, or area VP.

Extension of access privileges beyond the approved time period will require additional written approval and authorization by the grantee’s Dean, Department Head, or area VP. Network and system activity will be monitored, and periodic audits will be conducted, to verify that access has been deactivated for individuals no longer authorized to access MassArt network or computing resources. Any remote access account that has not been used to access the network within a thirty (30) day period may be disabled. If no request is received to reactivate the account within sixty (60) days of being disabled, the account may be deleted. When affiliation cannot be verified, remote access requests will be denied or access terminated.

3.5 Disabling Access: To ensure that only authorized remote access privileges are maintained, timely notification of any change in employee status which could impact the individual’s required level of remote access privileges must be provided to the Technology department by the Office of Human Resources.

Similarly, when any non-payroll employee, consultant, vendor, or other authorized third-party has a status change which could affect that individual’s required level of remote access privileges, then either the Dean, Department Head, or area VP in that individual’s area must notify the Technology department in a timely manner of that status change. Remote access accounts of such parties will automatically be disabled immediately upon contract expiration dates in situations where these dates are made known to the Technology department.

The Technology department reserves the right to disable remote access to any user, account or system not in compliance with the standards and rules set forth in this policy document.

3.6 Monitoring: Access privileges will be periodically reviewed in order to verify that they match what the user was granted access to through the approval process. Active user accounts may be monitored by members of the Technology department (as designated by the Chief Information Officer) in order to protect against unauthorized use of the campus computing network as set forth in the Acceptable Use Policy.

4. Related Documents

Document Name | Publisher
   

5. Enforcement of Policy Violations

Failure to comply with this policy, intentionally or unintentionally, may result in one or more of the following: 

  • Termination, without notice, of access privileges to information and technology resources.
  • Disciplinary action, up to and including termination of employment.
  • Civil or criminal penalties as provided by law.

6. Review and Revision History

Date | Name and Title | Annual Review or Revision Summary
012-03-2019 | Bryce Cunningham, Information Security Officer | First draft
11-23-2024 | Patrick O'Connor, Chief Information Officer | Final Draft Approved
01-29-2025 | Patrick O'Connor, Chief Information Officer / Assistant Vice President, Technology | Updated Branding, Reviewed

*As of 01-29-2025, ISO duties and responsibilities are currently being performed by the Deputy CIO.
**Remote access means accessing the MassArt network from an off-campus location.
*** For documents originating within MassArt, such as policies or procedures, specify “MassArt”. For other relevant third-party documents, such as external standards to which MassArt subscribes, list the name of the organization that publishes the document.

Policy Number

Policy Owner:
Information Security Officer

Applicability:

  • Assigned Roles
  • Any person granted remote access to the MassArt campus computing network.

CIS Critical Security Controls:

  • CSC 14 - Controlled Access Based on the Need to Know
  • CSC 16 - Account Monitoring and Control
     
Approved by:
Patrick O’Connor, Chief Information Officer / Assistant Vice President, Technology
Approved On:
11/23/2024

Details

Article ID: 20129
Created
Wed 4/22/26 9:44 AM
Modified
Wed 4/22/26 9:53 AM