Approver(s): Executive Council

Authorizes Release: Vice President for Information Services

Responsible Area: Information Services

Review Cycle: Annually or as required

Last Review: July 2024

Related Policies and Additional References:

Summary

Secure remote access to the University’s network is essential for maintaining the integrity and confidentiality of our data. A Virtual Private Network (VPN) provides a secure encrypted network connection over the Internet between authorized St. Mary’s University users and the University internal network. This policy outlines the guidelines and procedures for authorized users to connect to the University’s network remotely. By adhering to this policy, we ensure that all VPN connections are secure, encrypted, and used solely for university-related activities, thereby protecting our network from unauthorized access and potential security threats.

Purpose

The use of this service is designed to facilitate secure remote access to the campus network, in alignment with the University’s goals and mission. When a system connects remotely to the network via VPN, it effectively becomes an extension of the campus network and is subject to the same policies and regulations as any system directly connected to the campus.

This service is provided at no cost and exclusively to authorized users, limited to university-owned devices.

Scope

The Virtual Private Network (VPN) is a service provided by Information Services for authorized faculty, staff, contractors, consultants, and authorized third-party guests using VPNs to access the St. Mary’s University campus network (hereafter referred to as “users”).

Policy

Authorized St. Mary’s University users may utilize the benefits of VPNs, which are a ‘user-managed’ service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees.

Guidelines

  • Request Process and Approval: VPN accounts are available to St. Mary’s University users upon official request for authorization.
  • Device Usage Restrictions: VPN usage is restricted to university- or company-owned devices, including those owned by third-party vendors contracted by the University. Users may not use personal devices to connect to the VPN.
  • User Responsibility for Access Control: VPN users are responsible for ensuring that unauthorized individuals do not gain access to the University’s internal network. Users must take appropriate action if they suspect or detect unauthorized access.
  • Security Measures for Connected Devices: All computers connected to the University’s internal network via VPN must have up-to-date antivirus software and operating system patches. The University periodically scans connected computers to ensure compliance, and devices identified as potential security threats may be blocked from the network until corrective action is taken.
  • Inactivity Disconnection Policy: VPN users will be automatically disconnected from the University’s network after thirty (30) minutes of inactivity. Users must then log in again to reconnect to the network. This measure helps ensure network resources are efficiently utilized and reduces the risk of unauthorized access due to prolonged inactivity.
  • Approved VPN Client Software: The approved VPN client software is FortiClient VPN, available for Windows, Mac OS, and iOS. St. Mary’s University users must contact the Technical Support Center (TSC) for proper installation or updates. Authorized third parties are responsible for downloading and installing the VPN software on their devices.
  • Single Connection Limitation: Only one active VPN connection is allowed per user.
  • Two-Factor Authentication (2FA) with FortiToken Mobile (FTM): VPN users will be assigned a unique token for FortiToken Mobile (FTM), an event-based and time-based One-Time Password (OTP) generator application for mobile devices. FTM, in conjunction with login credentials, provides an added layer of protection by generating time-based authentication codes.
  • VPN Access for Sponsored Third Parties: St. Mary’s University-sponsored third parties, such as software consultants or support personnel, must be sponsored by a department to gain VPN access. Additionally, third parties must complete and sign the Confidential Information Agreement and comply with the Third-Party Vendor Access Policy.
  • Annual VPN Access Review: VPN access will be reviewed annually to ensure compliance with security policies and procedures.

Enforcement

Violation of this policy may result in the termination of the user’s VPN privileges. Users found in violation may face sanctions, including the loss of computer or network access privileges, disciplinary action, suspension, termination of employment, and legal action.

Certain violations may also constitute criminal offenses under local, state, and federal laws. The University will fulfill its responsibility to report such violations to the appropriate authorities.

Definitions

  • Confidential Information Agreement: A document that third-party vendors must complete and sign to gain VPN access, outlining their commitment to confidentiality.
  • VPN (Virtual Private Network): A service that allows approved St. Mary’s University users and authorized third parties to securely connect to the University’s internal network over the internet.