PURPOSE:
This Remote Access Policy outlines the standards and procedures for granting and managing remote access to Idaho College of Osteopathic Medicine (ICOM) institutional resources. The purpose of this policy is to ensure secure and authorized remote access while protecting institutional data, systems, and networks from unauthorized access, data breaches, and other security threats. This policy aims to balance the need for flexible remote access with the institution's commitment to data security, regulatory compliance, and maintaining a secure IT environment.
SCOPE:
This policy applies to all forms of remote access to ICOM institutional resources, including but not limited to:
- Access from off-campus locations to on-campus systems and networks (if applicable)
- Access from any location to cloud-based services and SaaS applications used by the institution
- Access from institutionally owned devices and personally owned devices (BYOD)
- All methods of remote access, including but not limited to VPNs, remote desktop protocols, web-based access to applications, and mobile device access, and Secure Enterprise Browsers.
This policy applies to all individuals who are authorized to access institutional resources remotely, including but not limited to:
- Faculty
- Staff
- Administrators
- Students (where remote access is required for specific academic or institutional activities)
- Affiliates
- Contractors
- Vendors
DEFINITIONS:
- Remote Access: The ability for authorized users to access ICOM network resources and data from a location outside the physical boundaries of the ICOM campus network.
- VPN (Virtual Private Network): A technology that creates a secure and encrypted connection over a less secure network, such as the internet, often used to provide secure remote access to internal network resources.
- Remote Desktop Protocol (RDP): A protocol developed to provide a user with a graphical interface to connect to another computer over a network connection.
- Secure Enterprise Browser: A specialized web browser designed to enhance security and control for accessing web-based applications and cloud services. Secure Enterprise Browsers typically enforce security policies, provide data loss prevention features, isolate Browse sessions, and offer centralized management and auditing capabilities.
- HTTPS (Hypertext Transfer Protocol Secure): A secure version of the HTTP protocol, used for secure communication over a computer network, widely used on the Internet. HTTPS encrypts the communication between the user's browser and the web server.
- Multi-Factor Authentication (MFA): A security system that requires more than one method of authentication from independent categories of credentials to verify the user's identity for a login or other transaction.
- BYOD (Bring Your Own Device): Refers to personally owned devices (like laptops, tablets, and smartphones) that are used by faculty, staff, or students to access institutional resources and data.
- Endpoint: A device that users interact with directly to access systems, such as computers, laptops, tablets, and mobile phones.
- Untrusted Network: A network that is not under the direct control or security administration of ICOM, such as public Wi-Fi networks in coffee shops, airports, or hotels.
- Secure Network: A network that is under the direct control and security administration of ICOM or a trusted partner, typically utilizing encryption and other security measures.
- Remote Desktop Gateway: A service that allows authorized users to connect to internal network resources using the Remote Desktop Protocol (RDP) through a secure, managed gateway server.
- SaaS Application (Software as a Service): A software delivery model in which software is hosted by a vendor and made available to customers over a network, typically the internet, usually on a subscription basis.
POLICY:
Authorization for Remote Access: Remote access to institutional resources will be granted only to authorized individuals with a legitimate business or academic need, based on their role and responsibilities. Remote access must be formally requested and approved by the user's supervisor or department head and authorized by the Chief Information Officer.
Acceptable Use of Remote Access: Remote access privileges are to be used solely for legitimate institutional business or academic purposes, consistent with the institution's Acceptable Use Policy and all other relevant policies. Unauthorized or inappropriate use of remote access is strictly prohibited.
Security Requirements for Remote Access: All remote access connections must adhere to the following minimum-security requirements:
- Multi-Factor Authentication (MFA): Multi-Factor Authentication is required for remote access (via VPNs, remote desktop, SaaS applications) to all sensitive cloud-based applications, including administrative portals, communication tools. MFA enforcement is applied as follows:
- MFA is required for all users remotely accessing sensitive applications.
- MFA is required for all administrators of critical systems, regardless of device ownership.
- Strong Passwords: Users must utilize strong passwords for all accounts used for remote access, in compliance with the institution's Password Policy.
- Device Security: Devices used for remote access (institutionally owned and BYOD) must meet minimum security standards, including:
- Up-to-date operating systems and security patches.
- Active and updated anti-malware software (where applicable to the device type).
- Enabled and active personal firewall (where applicable).
- Full disk encryption (for laptops and mobile devices storing sensitive data).
- Secure Network Connections: Remote access should be conducted over secure networks. Use of public, unsecured Wi-Fi networks for accessing sensitive institutional data is discouraged and should be avoided where possible. VPNs should be used when accessing sensitive data over untrusted networks (if VPN is the approved method - see Approved Methods for Remote Access), or a Secure Enterprise Browser should be used when accessing SaaS applications over untrusted networks.
Approved Methods for Remote Access: Only institutionally approved and supported methods for remote access are permitted. Approved methods may include:
- Virtual Private Network (VPN): IT approved VPN solutions will be the primary method for secure remote access to the institution's internal network and on-premises systems (if applicable). VPN should be used when accessing sensitive data or systems that require network-level security.
- Secure Web Browsing (HTTPS): Access to web-based applications and SaaS applications must be conducted exclusively over HTTPS to ensure data encryption in transit.
- Secure Enterprise Browser: Island Enterprise Browser may be used for secure access to designated SaaS applications and web-based institutional resources, especially when enhanced security and data loss prevention controls are required. Secure Enterprise Browsers provide features such as enforced security policies, data loss prevention, isolation of browsing sessions, and enhanced visibility and control over user activity within web applications.
Prohibited Remote Access Methods and Activities: The following remote access methods and activities are strictly prohibited:
- Use of unauthorized or unapproved remote access tools or methods, including unauthorized web browsers for accessing institutional resources when a Secure Enterprise Browser is required.
- Circumventing or disabling security controls for remote access (e.g., disabling MFA, bypassing VPN, bypassing Secure Enterprise Browser requirements).
- Sharing remote access credentials with anyone.
- Using remote access for personal or non-institutional purposes.
- Storing sensitive institutional data on personal devices used for remote access without proper encryption and security controls.
- Connecting personally owned devices known to be insecure or infected with malware to the institution's network or using them to access institutional resources.
Data Security During Remote Access: Users are responsible for protecting institutional data accessed remotely. This includes:
- Avoiding downloading or storing sensitive institutional data on personal devices unless absolutely necessary and in compliance with data security policies. When using a Secure Enterprise Browser, users must adhere to any data handling restrictions enforced by the browser.
- Encrypting any sensitive data stored locally on devices used for remote access.
- Practicing secure data handling procedures and protecting against unauthorized viewing or access to sensitive data while working remotely.
- Ensuring physical security of devices used for remote access to prevent unauthorized access.
- Logging off from remote access sessions and locking devices when not in use, and closing Secure Enterprise Browser sessions when finished.
Monitoring and Auditing of Remote Access: Remote access activities may be monitored and audited for security purposes, policy compliance, and to investigate suspected security incidents or policy violations. Audit logs of remote access connections and activities, including activity within Secure Enterprise Browsers, will be maintained and reviewed following guidelines provided in the Data Privacy Policy.
Incident Reporting: Any suspected unauthorized remote access, security incident, or policy violation related to remote access must be reported immediately to the IT Help Desk.
BYOD Remote Access Considerations: For personally owned devices (BYOD) used for remote access, users are responsible for ensuring their devices meet the security requirements outlined in this policy, including using a Secure Enterprise Browser when required. The institution may implement technical controls (e.g., device posture checks via MDM or endpoint security agents, and enforcement of Secure Enterprise Browser usage) to verify device compliance before granting access to certain institutional resources. Users understand that while accessing institutional resources remotely via BYOD, their activity within Secure Enterprise Browsers may be monitored for security and policy compliance following guidelines provided in the Data Privacy Policy.
POLICY EXCEPTIONS:
Exceptions to this Remote Access Policy may be granted in limited circumstances by the Chief Information Officer or designated authorization authority, with appropriate justification, risk assessment, and compensating security controls documented and implemented. Exceptions should be rare and subject to periodic review.
ENFORCEMENT:
Enforcement of this Remote Access Policy is the responsibility of all managers, supervisors, IT administrators, and users with remote access privileges, under the overall direction of the Chief Information Officer. Unauthorized remote access, failure to adhere to security requirements, or other policy violations may result in disciplinary actions, up to and including revocation of remote access privileges, suspension of network access, and termination of employment or access privileges, and potential legal consequences. The Information Technology Office will monitor compliance with this policy and investigate reported violations, including monitoring for proper use of Secure Enterprise Browsers.
POLICY REVIEW AND UPDATES:
This Remote Access Policy will be reviewed and updated at least annually, or as needed to reflect changes in remote access technology, security threats, regulations, institutional risk assessments, business needs, or best practices in remote access security. The Chief Information Officer is responsible for coordinating policy reviews and updates.
PRIMARY POLICY OWNER:
Chief Information Officer
APPROVAL:
Effective: 7/8/25
Last Reviewed: 7/8/25
Review Requirement: Annual