Remote Access Policy
Aberystwyth University (AU) recognises the importance of its staff, students and external colleagues being able to work efficiently and remotely away from its campuses. However, it is important that remote IT users ensure they work in a secure manner and do not cause increased risk to the University’s IT infrastructure, data security and reputation.
1.1. The purpose of this policy is to define standards for users accessing University resources remotely.
1.2 These standards are designed to minimise the potential exposure to the University from damage which may result from unauthorised use of University resources, including the loss of sensitive, personal or confidential business data, theft of intellectual property, damage to the public image of the institution, or corruption of critical University internal systems.
2.1 This policy is directed at those who utilise personal devices, or AU provided portable devices, such as laptops and mobiles devices, and who participate in mobile working.
2.2 This policy applies to those who access AU Systems from home or other remote locations using privately owned, third party owned, or University owned equipment. This includes University owned public spaces and meeting rooms.
2.3 This policy applies to any University resources that can be accessed remotely, for example, Microsoft 365, Word, SharePoint, OneDrive for Business, Teams and other cloud hosted software, applications, services and environments.
2.4 It is the responsibility of AU to ensure that appropriate technical facilities are available to enable compliance with this Remote Access Policy.
2.5 It is the responsibility of all staff, students and external colleagues to ensure that their behaviour and activities when using AU facilities is in accordance with the requirements of this policy.
3.1 Remote Access Principles
All users must adhere to the following principles:
1. Personal devices (including laptops, tablets, mobile phones, etc) that are used to remotely access AU information or services must comply with the Bring your own Device Policy.
2. AU owned devices that are used to remotely access AU information or services must comply with the Device Management Policy
3. Official and/or sensitive University files must not be downloaded and stored on non-University owned devices.
4. Secure remote access must be strictly controlled. Control will be enforced via one-time password authentication or public/private keys with strong pass-phrases. Please see guidance on creating a strong pass-phrase.
5. Access to services involving the processing of personal, special category and/or other sensitive information will require that your device storage is encrypted.
6. Working on confidential information must be avoided in public spaces, for example coffee shops or trains, due to the possibility of unauthorised individuals viewing or overhearing this information.
7. At no time should any University student, employee or external colleague provide their login or email password to anyone, including friends, family or University staff.
8. At no time should any University student, employee or external colleague allow a third person to access University resources via their credentials and must ensure that other members of their household do not violate any of the University policies, do not perform illegal activities and do not use the access for outside business interests. The registered user bears responsibility for all use made of their credentials.
3.2 Remote Access Services
Information Services provides the following facilities:
1. GlobalProtect access allows for staff and students access to their personal and shared drives from private devices. It also allows for remote desktop access to office PCs
2. GlobalProtect access allows for staff, students and external colleagues to access additional services with AU managed devices.
3. Microsoft 365 allows for staff, students and external colleagues to access Email, SharePoint, Teams and OneDrive services.
3.3 Awareness of Information Risks
Information that is held or processed on systems outside of AU management control is generally more exposed to being lost, corrupted, or even compromised, than information that is held or processed on systems within AU control. e.g.
- Laptop computers may be stolen, lost, or left on public transport.
- The security of devices outside AU premises, in terms of security updates and virus protection, may be lower than those within the University and exposure to hacking attacks and virus contamination may be higher.
- Physical security in the home may be lower than at AU premises, and maybe more prone burglary resulting in the theft of devices.
3.4 Device Theft
The loss of any AU provided devices must be reported to firstname.lastname@example.org as soon as possible.
3.5 Supporting Policies and Guidelines
All users should review the following Regulations and Guidelines for details of protecting information when accessing the corporate network via remote access methods, and acceptable use of the University's network:
This Policy is maintained by Information Services, was last reviewed in July 2022 and is due for review in August 2023