Remote Desktop Standards


Scope

This standard applies to all employees, contractors, vendors and agents with a CUIMC-owned or personally-owned computer or workstation used to connect to the CUIMC network from remote locations or from insecure wireless locations on campus.

Purpose

This standard provides basic guidance designed to ensure that a user’s remote access connections to the CUIMC network are given the same security protection as a user's on-site connections.

Any system used for remote access must comply with applicable CU and CUIMC Policies and Procedures. This applies even if the device used for remote access is personally owned. This includes but is not limited to the following:

General Standards

  1. Applications for the software enabling remote access into the CUIMC network must be reviewed and approved by the user’s manager.
  2. All remote devices (workstations, laptops, tablets, etc.) must connect to the CUIMC network through the CUIMC Virtual Private Network (VPN). Any exceptions to the above must be reviewed by the CUIMC Information Security Office.
  3. Remote access tools must support strong, end-to-end encryption of the remote access communication channels.
  4. Each remote user must have an Active Directory (MC Domain/Dept. Domain) account.
  5. Generic or group user accounts shall not be used when working with remote desktops.
  6. Authorized users shall protect their login UNI and password, even from family members.
  7. While the remote CUIMC workstation is running on a device, no other remote network connections can be running.
  8. Data in the CUIMC network is considered proprietary. Remote users shall not copy any data from the CUIMC network into non-managed CUIMC devices connected to the remote device.
  9. The remote device must use up-to-date anti-virus and anti-spyware software. The anti-virus and anti-spyware software must not be disabled or circumvented during the remote desktop session.

Remote Device Configuration

It is recommended that the remote device configuration be secured by implementing the following:

Session Monitoring

The Remote Desktop Servers (RDS) should monitor all remote desktop sessions. Information on remote users, sessions, and processes should be captured and retained.

Remote desktop users should be aware that their sessions may be monitored when remotely accessing the CUIMC network or whenever they use CUIMC computer resources.

References