SP 6-10s – Remote Access
Colorado Community College System / System Procedure
SP 6-10s
APPROVED: January 28, 2021
EFFECTIVE: January 28, 2021
REFERENCES: Board Policy (BP) 6-10, Cyber Security Policy
APPROVED:
/ Joe Garcia /
Joseph A. Garcia
Chancellor
BASIS
This procedure documents requirements for employees, students, and external parties (vendors and contractors) connecting to Colorado Community College System and its Colleges’ (“CCCS”) Information Systems.
APPLICATION
This procedure applies to employees, personnel affiliated via third party contracts, and volunteers that have access to Information Systems and Assets that are owned or leased by CCCS.
DEFINITION
Remote Access
Remote access is defined as access to CCCS Information Systems by a user communicating through an external network to an internally secured network.
PROCEDURE
The System Chancellor delegates to the System Vice Chancellor for Information Technology (“IT”) responsibility for oversight of compliance with and implementation of this procedure. Further, the System Chancellor delegates to the College Presidents the responsibility to implement and compliance with this procedure at their respective institution.
General
CCCS employees are granted remote access rights through secure web portals or cloud-based solutions to email, file share, and other applications. To gain remote access rights directly to CCCS’s internal Information Systems from an external connection, users must utilize only System IT Department (“System IT”) or College IT Department (“College IT”) approved remote access solutions (e.g., VPN, VDI).
Requirements
- Remote access requests and approvals must be documented.
- Employees and external parties with remote access rights shall adhere to Acceptable Use of Information Resources Procedure and other CCCS procedures governing remote access.
- Remote access login and password information must be kept confidential and shall not be shared.
- Authentication traffic must be secured or encrypted.
- Remote access accounts shall be configured to automatically terminate connection if left idle for more than 120 minutes.
- Access to VPN is limited to CCCS managed or owned devices.
- CCCS employees, personnel affiliated via third party contracts, and volunteers shall complete information security awareness training prior to being granted remote access capabilities.
Remote Access for Third Parties
- Third party remote access requests can only be initiated by System IT or College IT. Third parties may NOT submit a request for remote access themselves.
- Remote access requests must include the following information:
- Third party name and contact information;
- Contact information of the CCCS employee responsible for the third party relationship;
- Remote access start date and duration of remote access; and
- Description of access required.
- Third party access to CCCS resources will be controlled using standard remote access technology (e.g., VPN or VDI).
- Third party remote access, no matter how frequent, will be considered temporary access and therefore limited to only scheduled dates and times.
- Third party user accounts shall only be enabled at times of scheduled remote access. Third party accounts shall be disabled when no longer in use.
- Third party accounts must be secured with a password that meets or exceeds CCCS password requirements set forth in Access and Authentication Procedure.
- Upon completion of work, third party accounts shall be disabled on associated devices and documented through the System IT or College IT ticketing system.
Monitoring of Remote Access
- Remote access accounts shall be monitored on a semester basis to ensure that remote access accounts are valid and that accounts that have reached their expiration dates have been deactivated.
REVISING THIS PROCEDURE
CCCS reserves the right to change any provision or requirement of this procedure at any time and the change shall become effective immediately.