Home

Remote use of Rutgers Resources


The purpose of the Remote Site Security Standards is to provide the data protection security necessary to comply with the Rutgers University Remote Site Policy. These standards are mandatory requirements and establish an effective baseline of appropriate system, administrative, and physical controls to safely and effectively secure a remote working environment. Specific information security guidelines are available to provide guidance on how to comply with these standards. 

These standards apply to all Rutgers University employees, or contractors with the university who have been provided with university owned equipment or utilizing personally-owned computer, or other equipment to connect to RUNet from a remote location or provide temporary data storage while not connecting to RUNet.

 

One of the most important aspects of information security is protecting critical information. Confidentiality, integrity and availability are the three predominant principles of information protection. Compromising these principles leaves systems and critical information in jeopardy.   Establishing remote site access creates the potential for security risks and threats that could result in damage to university integrity, cause financial loss to the university, and/or personal hardship to individuals. Threats are the accidental or adversarial attacks against the university, while risks are the realization of the threat based on its potential loss. Below are some of the security threats that should be considered when determining whether remote site access is feasible in your department.

 

·   The networks utilized are not controlled by Rutgers and may be more open. Physical loss of data residing on equipment used for remote site access

·   Access to data by those unaffiliated with the university, including family members, on shared devices in a household

·   Disgruntled users or employees who abuse the privilege of remote site access to acquire or steal university data

·   Intercepted or stolen data transmitted over an insecure network

·   Home devices may be subject to E-Discovery requests

 Standards for Operating from a Remote Environment

Operating Environment

1.  All hosts connected to RUNet via remote site access technologies must use current anti-virus software to ensure that equipment is protected from hackers and malware. Rutgers antivirus software for desktops and servers ( RADS ) is free and easily available to university faculty staff and students at home and on campus. RADS is supported by the university and includes protection against spyware, adware, malware, and grayware and includes a built-in firewall.

2.  All hosts connected to RUNet via remote site access technologies should employ a software or hardware based firewall. Note: the use of unified host endpoint protection products that incorporate this capability, such as RADS , satisfy this standard.

3.  All equipment should utilize operating systems and software that are currently supported by a legitimate vendor (i.e., Microsoft, Apple, Adobe, etc.).

4.  All hosts connected to RUNet must automatically or manually apply all necessary Operating System (OS) and application security updates or “patches” and keep the equipment up to date.

5.  Portable equipment, such as data sticks/flash drives, CDs, PDAs, phones, etc., containing sensitive data must be kept secure, and locked when unattended. These items are vulnerable to theft and loss. All current on campus processes, policies and procedures must be used for restricted data. When business practices and/or policies mandate, encryption is required. Contact Information Protection and Security for recommended tools and software.

6.  The wireless (wi/fi) preferences/settings for your computer and portable devices must not be set up to auto-connect to any wireless network they detect. Auto-connecting to unknown networks could put your computer and data at risk.

Home Wireless Networks

Home wireless networks are easy to set up and are often times provided by Internet Service providers. While they are extremely convenient to use, an insecure wireless environment opens up several risks that need to be addressed.

·   A person that is in close proximity to your home can use your Internet connection. 

·   A person that is in close proximity to your home may be able to access your computer. 

·   Information sent over the wireless connection can be stolen.

In order to help mitigate the risks associated with home wireless networks used for remote site access, the following wireless home networking configurations must be implemented.

·   WPA encryption should be enabled

·   The default SSID for your wireless router should be changed

·   The default Administrator Passwords and Usernames for your wireless router should be changed

·   MAC filtering should be utilized

Physical Security

1.  Hardware, software and data destruction of restricted materials must be done securely and disposed of at the termination of business need, and in conjunction with the Rutgers data disposal policy. Remote working arrangements should be equipped to facilitate this activity (shredder).

2.  Files must be backed up and tested on a regular schedule, and stored in a secured location.  

Additional Requirements for Restricted Data 

As a rule, users may not store any Rutgers restricted data on their personally owned devices. Restricted data includes data that Rutgers is required to protect under regulatory or legal requirements. Examples include student or employee identifiable information (i.e., name, SSN, birth date, home address, etc.), medical records, legal records, student records, police records, and credit card information. Restricted Data needs to be protected at the same level as required on campus. 

IT Security Guidelines for Domestic and International Travel

Definitions

Encryption: The process of converting information using an algorithm to make it unreadable to anyone except those possessing special knowledge, referred to as a key.

 

MAC: Refers to Media Access Control. A PC network card or device has a unique identifier defined to it called the MAC address that is used for identification purposes.

 

Patch: A patch is a piece of software designed to fix problems or update a computer application or operating system. Intruders often seek methods to take advantage of vulnerabilities resulting from these problems to penetrate systems.

 

SSID: Refers to Service Set Identifier, and is the name that identifies a particular wireless Local Area Network (LAN).

 

WPA: Wi-Fi Protected Access is a certification created by the Wi-Fi Alliance to indicate compliance with security protocol. Most newer Wi-Fi certified devices support the security protocols, out-of-the-box, as compliance with this protocol has been required for a Wi-Fi certification since September 2003. 

 

NOTE: Employees and units are responsible for security breaches involving NPPI (non-public personal information). The measures described will help reduce the number of security breaches and limit the cost, time, and negative publicity associated with such breaches. For more comprehensive information on NPPI and your department responsibilities please visit http://rusecure.rutgers.edu/nppi .