Information Security
Remote Access Standard
Last modified 11/3/2025
Purpose
The purpose of the Remote Access Standard is to establish the authorized methods for remotely accessing ISU systems, applications, and networks, so that they remain secure, stable, and compliant with regulatory requirements through a structured approach to remote management.
Scope
This standard applies to all remote access[1] on systems owned or managed by or on behalf of the University ("systems"), including but not limited to servers, endpoints, appliances, and network devices. This standard is relevant to all University departments and units that manage, maintain, or use remote access systems, including those that utilize vendor management of these systems.
Standard
University teams and departments ("teams") managing systems or access within this standard's scope must meet the following criteria:
- Remote access must have a documented business need.
- Remote access services must utilize centrally-managed authentication services[2].
- Remote access must utilize multi-factor authentication (MFA).
- Remote access must utilize institution-approved and centrally-managed remote access solutions[3].
- Enabling remote access requires Chief Information Security Officer (CISO) approval; this includes contractually-required vendor access, which must be approved before the agreement is executed.
- Unauthorized or personally-owned remote access software[4] is prohibited on University systems and networks.
Exceptions
While this standard is intended to apply comprehensively, there may be instances where certain systems or support teams are unable to meet the full requirements. In such cases, exceptions must be formally requested and reviewed.
Requests for exceptions must be submitted to the Information Security Office through the University’s ticketing system or by emailing informationsecurityoffice@ilstu.edu. Each request must include:
- The information technology team and functional business units associated with the exception request
- Systems and firmware/software affected by the exception
- A detailed use case explaining why the exception is necessary and what compensating security controls, if any, will be implemented
The Information Security Office will review all exception requests in accordance with the Information Security Program's exception management process. Approval will be granted only when it is determined that operational needs outweigh the security risks, and where appropriate compensating controls are in place to mitigate those risks. All approved exceptions will be documented, periodically reviewed, and may be subject to additional security monitoring.
Additional Information
Footnotes
The following footnotes provide supporting information referenced in the other sections of this document:
- [1] Remote access, for the purposes of this standard, is defined as access from an external/untrusted network (ex: Internet or vendor network) to any service, network, or network port that provides interactive session access to the operating system, firmware, or University network. For example, connecting to a VPN service (network remote access) or accessing an internal administration port (SSH, RDP, VNC, SNMP, etc.) from the Internet is classified as remote access, whereas accessing a web server with an Internet-facing IP address is not considered remote access. Services widely available on the Internet through a public gateway, such as a web gateway or proxy (ex: Citrix NetScaler/ADC), are also not considered remote access.
- [2] Centrally-managed authentication services, for the purposes of this standard, include the enterprise-wide authentication services capable of performing authentication for other services. Examples are the University identity management solution, directory services, and single sign-on (SSO) services.
- [3] Centrally-managed remote access solutions are remote access solutions in use University-wide and securely managed by Technology Solutions. At the time of writing, ScreenConnect and the Cisco VPN service are centrally-managed remote access solutions.
- [4] Remote access software is software that allows users or systems to connect to or control another system. The University maintains designated remote access solutions (ex: the University-wide VPN solution and endpoint remote access software), and other unauthorized solutions must not be used. Examples of personal and commercial remote access software include TeamViewer, AnyDesk, and SimpleHelp.
Roles & Responsibilities
| Role | Responsibilities |
| --- | --- |
| Chief Information Security Officer (CISO) | Oversees remote access management governance and compliance. |
| System/Application/Endpoint Administrators | Responsible and accountable for remote access management. |
| ISO Team | Monitors threat intelligence, reports on remote access compliance, and assesses risks. |
Compliance
The Information Security Office will report on remote access status to ensure compliance with this standard and University policies. Systems out of compliance with this standard or the University Security Program policy will be escalated for remediation planning, and continued noncompliance may result in systems being segmented from the University network.
Supporting References
The following information provides supporting references that informed the development of this standard:
Appropriate Use Policy: https://policy.illinoisstate.edu/technology/9-2/
Information Security Program Policy: https://policy.illinoisstate.edu/technology/9-8/
NIST 800-46 Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-46r2.pdf
NIST 800-114 User’s Guide to Telework and Bring Your Own Device (BYOD) Security: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-114r1.pdf
CIS Controls v8.1: https://www.cisecurity.org/controls/v8-1
CIS Remote Access Standard: https://www.cisecurity.org/-/media/project/cisecurity/cisecurity/data/media/files/uploads/2020/06/Vulnerability-Scanning-Standard.docx
CIS Control v8 Guidance
Illinois State University leverages the CIS Controls framework, validated through the CIS Community Defense Model, to ensure our cybersecurity measures effectively mitigate the most prevalent real-world threats, including those identified in the MITRE ATT&CK framework, thereby enhancing our defenses against known adversary behaviors.
6.3 Require MFA for Externally-Exposed Applications: Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard.
6.4 Require MFA for Remote Network Access: Require MFA for remote network access.
6.7 Centralize Access Control: Centralize access control for all enterprise assets through a directory service or SSO provider, where supported.
6.8 Define and Maintain Role-Based Access Control: Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.
12.7 Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise’s AAA Infrastructure: Require users to authenticate to enterprise-managed VPN and authentication services prior to accessing enterprise resources on end-user devices.