Remote Access VPN
Purpose
As a security measure, many of the University’s network resources are not made publicly available to the Internet, and access to those resources is restricted to users physically located on campus. The University’s VPN allows members of the University community with a VPN account to securely access University network resources as if they were on campus. Consequently, it is extremely important to safeguard VPN access to protect the University’s confidential data from unauthorized outside access.
Scope
University Policy
Definitions
Dual Factor Authentication: a security process in which the user is required to provide identification by means of a combination of two different sets of credentials.
Policy
SHU VPN accounts may be requested by individuals who have a business need to access
restricted SHU network resources from off campus. The form to request a VPN account
can be found on the University IT Services Web site [login required]. The application for a VPN account must be approved by the requestor’s
immediate supervisor and the University IT Services IT security group. Once approved,
the VPN account will be set up by University IT Services.
To help secure the University’s VPN accounts, once a user is issued a VPN account
the Technology Service Desk will no longer reset that user’s password via the phone;
a University or government ID will be required to reset the password for VPN account
holders. VPN account holders will be required to change their SHU password every sixty
(60) days.
Use of the VPN account requires dual factor authentication. The VPN account holder
will be required to register his/her mobile phone, tablet computer, phone line or
some other means of contact in order to verify their identity whenever they use the
VPN. The VPN account holder will need to have access to his/her registered mobile
phone, tablet computer, phone line or other verified device in order to start the
VPN. Only one active VPN connection is allowed per user. The VPN account holder should
disconnect the VPN when it is no longer needed. The VPN session will automatically
terminate after thirty minutes of inactivity.
The VPN account holder’s SHU-issued computer will have additional security software
installed to help prevent inadvertent data loss. The VPN account holder should only
use their University-issued computer to access the SHU VPN. The VPN account holder
must make sure that their antivirus software, computer operating system and Internet
browser are up to date before using the VPN.
A VPN account will require annual re-authorization by the employee’s supervisor. A
VPN account will be automatically suspended if not used after 180 days. A VPN account
holder’s access to the system will automatically expire if they are no longer an active
employee in the University’s Banner system. This is generally at the end of the employee’s
last pay period. Whenever an employee with a VPN account leaves the University, the
employee’s supervisor should make arrangements with HR and University IT Services
to disable the employee’s VPN account at the time of their separation from the University.
VPN accounts may not be shared with others. If a VPN user suspects that his/her VPN
account, or any other University system, has been compromised, he/she must report
the security incident immediately to the Technology Service Desk (973-275-2222). The
Service Desk will document the incident and escalate the incident to SHU’s security
incident response team.
Enforcement and Limitations:
Any user found to have violated this policy may be subject to loss of certain privileges
or services, including but not necessarily limited to loss of VPN services.
SHU may, at any time and for any reason, change, terminate, limit or suspend this
service, in whole or in part. Access to the service is completely at the discretion
of Seton Hall University, and access to the service may be blocked, suspended, or
terminated at any time for any reason including, but not limited to, violation of
this policy, violation of the University’s Appropriate Use Policy, disruption of access
to other users or networks, or violation of applicable laws or regulations.
The VPN account holder is fully responsible for all his/her account activities (including
for any content, information and other materials you access or transmit via this service)
and agrees not to use this Service to engage in any prohibited conduct. Broadly stated,
prohibited conduct is any conduct that is unlawful, that violates University policy,
that is harmful to (or puts at risk) Seton Hall University or any other party or property,
that violates another party's intellectual property, privacy or other rights, or that
otherwise interferes with the operation of other University systems or property.
Seton Hall University reserves the right to amend or otherwise revise this document
as may be necessary to reflect future changes made to the I.T. environment. You are
responsible for reviewing this Policy periodically to ensure your continued compliance
with all Seton Hall University I.T. policies.
Additional Information
Related Policies
Responsible Offices
- Department of Information Technology
Approval
Approved
Approved by the Department of Information Technology.
Effective Date
August 20th, 2015