
Virtual Private Network Policy

Policy Statement

All users wishing to establish a real-time connection with Bowdoin’s internal network through the Internet must employ a virtual private network (VPN) product approved by the Chief Information Officer (CIO) or Chief Information Security Officer (CISO) that can authenticate the user and encrypt all traffic exchanged.

Authority

This policy is approved by the CIO.

Summary

The purpose of this policy is to define standards for connecting to Bowdoin’s network from hosts on the Internet by using a VPN to the internal network. These standards are designed to minimize potential exposure to Bowdoin from damages which may result from unauthorized use of Bowdoin resources. Damages include the loss of sensitive or confidential data, intellectual property, damage to public image and damage to critical Information & Technology systems.

Applicability

This policy applies to all Bowdoin employees, contractors, consultants, temporaries and other workers utilizing VPNs to access the Bowdoin Network.

1. Remote Computer Security

Remote computers become an extension of the Bowdoin network, and therefore are subject to the same rules and regulations that apply to Bowdoin managed computers.

  • Software Security Patches. Remote computers must have up-to-date security patches for the operating system and applications that are installed.
  • Anti-virus Software. Remote computers must have up-to-date and active anti-virus software (this includes personal computers) and be free from viruses.
  • Remote Vulnerability Scanning. Remote computers using VPN technology are subject to being remotely scanned to determine that the software is current and that the system has been properly secured. Computers that do not meet the requirements will be disconnected automatically from the Bowdoin network until a secure computing environment has been reestablished.
  • Non-Bowdoin owned equipment. Users of computers that are not Bowdoin owned equipment must configure the equipment to comply with Bowdoin’s VPN and Computer and Network Usage policies.
  • Approved VPN Client. Only VPN clients approved by the CIO or CISO may be used.

2. Responsibilities

Users
  • It is the responsibility of users with VPN privileges to ensure that unauthorized users are not allowed access to Bowdoin internal networks.
  • Users of VPN technology with personal equipment must understand that their machines are a de facto extension of Bowdoin’s network, and as such are subject to the same rules and regulations that apply to Bowdoin-owned equipment (i.e., their computers must be configured to comply with Information Security Policies).
  • Users are responsible for communications from their computers while connected to the VPN.

VPN Administrator

VPN gateways and concentrators will be set up and maintained by a VPN administrator from the Network Operations group to meet minimum requirements.

  • The VPN requires the user to authenticate.
  • All communication over the VPN is encrypted.
  • All authentication attempts will be logged.
  • VPN users will be automatically disconnected from Bowdoin’s network after 2 hours of inactivity. The user must reauthenticate to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.

3. Notification of Changes

Information & Technology will provide users with a copy of this policy (or link to it), and notify users of changes to this policy.

4. Enforcement

Any employee found to have violated this policy may be subject to disciplinary action according to HR policy.