Virtual Private Networking (VPN) Policy

Policy Name:  Virtual Private Network (VPN) services on the Pittsburg State University (PSU) network.

Policy Purpose:  This policy outlines the purpose and approved use of VPN services on the PSU network.

Scope:  This policy applies to all faculty, staff, and consultants using VPN services at PSU.

General Policy Provisions

In an effort to increase the security of information technology (IT) systems at PSU, the Office of Information Services (OIS) has limited access to many computing resources.  The VPN is designed to provide secure/encrypted access to computing resources on the PSU network.  It allows, among other things, a method to connect to PSU computing resources (e.g., administrative access and email) as if the user were locally connected to the PSU network.  This allows greater functionality and security than other remote access techniques.  Users should be aware that routing schemes, network configurations, and security measures can be changed without notice by OIS or by the user’s internet service provider (ISP) and may affect the user’s ability to do specific functions with the VPN.

Use of the VPN service at PSU is a privilege, which comes with responsibilities for both departments and users.  All other policies covering the use of PSU computing resources by authorized users are still in effect when they are accessed from remote locations, as are all regulations (e.g., HIPAA and FERPA) which protect the confidentiality and integrity of information entrusted to PSU’s stewardship.  Do not assume the confidentiality of information traveling through the VPN.

VPN Accounts

• VPN access is for users (faculty, staff, and consultants) who need access to campus computing resources that are not available from off-campus networks.
• User accounts are created at the request of a departmental representative or the employee’s supervisor. The employee must read and accept the conditions of this policy before using the VPN.
• VPN access for third parties (e.g., software consultants and support personnel) to support on campus systems must be requested by a PSU employee.  In addition, the third party must complete and sign a non-disclosure agreement with PSU.
• VPN access can be terminated by a departmental representative, the employee’s supervisor, or by the employee’s request.

OIS Responsibilities

• VPN access to PSU computing resources will be set up and managed only by the OIS Network and Systems group.  No other department may implement VPN services.
• OIS reserves the right to monitor for unauthorized VPNs and disable access of those devices performing non-sanctioned VPN service.
• All network activity during a VPN session is subject to PSU computing policies and may be monitored for compliance.
• OIS will provide the VPN client software and instructions for installing the software.

User Responsibilities

• By using the VPN with personal equipment, users must understand that while they are connected through VPN, their computers become an extension of the PSU network, and during the time they are connected, must follow the same guidelines established for the use of PSU owned equipment.
• Only VPN client software distributed by OIS may be used to connect to the PSU VPN.  Approved users can download the VPN client and installation instructions from GUS.
• Approved users are responsible for the installation of the VPN software.
• Users with VPN privileges must ensure that unauthorized people are not allowed access to computing resources located on the PSU network.
• The VPN is configured not to allow the bridging of networks (split tunneling).
• All computers, including personal computers, connected to the PSU network via VPN or any other technology must have:
  1. up-to-date virus-scanning software with current virus definitions installed
  2. all relevant security patches installed
  3. available firewall enabled

Consequences

Failure to abide by the requirements of this policy and/or any procedures that are developed to implement this policy may result in termination of the user’s VPN privileges.  Users may also be subject to sanctions, including the loss of computer and/or network access privileges, disciplinary action, suspension, termination of employment, dismissal from PSU, and/or legal action. Some violations may constitute criminal offenses under local, state, and federal laws.  PSU will carry out its responsibility to report such violations to the appropriate authorities.

Responsible Office:  Office of Information Services

Approved by Information Technology Council:  October 26, 2005

Signed by President Tom Bryant:  January 26, 2006

Effective:  January 26, 2006

Review Cycle:  Annual

VPN Guidelines