AC-17 Remote Access
Description
Remote access is access to organizational information systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include, for example, dial-up, broadband, and wireless.
Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality and integrity over remote connections.
The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate security controls (e.g., employing appropriate encryption techniques for confidentiality and integrity protection) may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. Also, VPNs with encrypted tunnels can affect the organizational capability to adequately monitor network communications traffic for malicious code.
Remote access controls apply to information systems other than public web servers or systems designed for public access. This Control addresses authorization prior to allowing remote access without specifying the formats for such authorization. While organizations may use interconnection security agreements to authorize remote access connections, such agreements are not required by this Control.
Enforcing access restrictions for remote connections is addressed in AC-3.
Applicability
This Control applies to all individuals that remotely access Texas A&M University-Corpus Christi information resources from outside the Texas A&M University-Corpus Christi campus network.
This includes students, faculty, and staff members as well as guest account users, vendors, and research partners.
Implementation
TAMU-CC shall:
- Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed by the Information Resource Manager (IRM), approving only those methods for remote access to University information resources or Sensitive Information that encrypt all communications. Examples of such methods are Virtual Private Network (VPN), Secure File Transfer Protocol (SFTP), Transport Layer Security (TLS), and Secure Sockets Layer (SSL).
- Custodians shall:
- Ensure devices and communications are encrypted for University information resources or Sensitive Information.
- Affirm their compliance with this policy in the annual risk assessment.
- Establish, document, and review usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed.
- All remote access connections (e.g., Virtual Private Network or Remote Desktop) must be authorized prior to allowing such connections.
- Office of Information Security (OIS) shall:
- Review affiliate accounts, which include remote access used by non-student, non-staff, non-faculty personnel, annually.
- Networks shall:
- Enforce the requirement of multi-factor authentication (MFA) for remote access to TAMU-CC University resources.
Revision History
Last Updated: February 21, 2025
Previous Versions:
- June 29, 2023
- May 31, 2022
- March 25, 2021
- September 16, 2019