Standard Operating Procedure - Perelman School of Medicine at the

Penn Medicine
Academic Computing Services
Policy: PMACS Remote Access Policy
Revision #: 1
Implementation Date
Last Reviewed/Update Date
Owner: David Wargo
Approval: 12/06/16
PMACS Remote Access Policy
1. Purpose
The purpose of this policy is to define standards for remotely connecting to the
PMACS network from any computing device. The intent is to minimize the
potential for unauthorized access to the PMACS network and sensitive
information residing on the PMACS network. A remote access security breach
could result in the unauthorized access to sensitive information and potential
damage to critical infrastructure.
2. Scope
This policy applies to all individuals including but not limited to employees,
contractors, vendors, and students, who would use a PSOM or personal
computing device to remotely connect to the PMACS network.
3. Policy
All remote access into the PMACS network from any public or private network
must use PMACS-approved technology and requires advance approval using
the PMACS formal request process.
Remote access into the PMACS network will be directed through a centrally
controlled and managed PMACS network point of access, e.g. VDI, VPN
concentrator, SSL or SSH tunnel, firewall/VPN device.
VPN may be used as a means of accessing the PMACS network from a PMACS
managed device.
Individuals may not:
• Install devices or software that allow remote access to the PMACS
  network such as modems, wireless access points, or VPN servers.
All individuals who are given remote access privileges to the PMACS network
must give their remote access connection activities the same consideration as
when they are physically on-site and connected to the PMACS network, that is:
• Established policies may not be violated.
• Illegal activities are prohibited.
• Outside business activities may not be performed.
Storage of confidential information on any non-PMACS managed device is
prohibited.
Confidential information may be temporarily stored on a PMACS managed
portable device with prior approval and, if approved, must be encrypted.
Business-to-business remote access connections from external third parties must
be approved by the business owner and must comply with established policy.
Remote access solutions must ensure that:
• Strong authentication is enforced, i.e. complex passwords at a minimum.
• Remote access sessions are automatically disconnected from the PMACS
  network after an established period of inactivity or when the
  established maximum length for a session has been reached.
• A warning banner, listing legal and policy requirements, displays before
  the connection process starts.
• Access logs are reviewed regularly.
• The end user’s capability to download/copy sensitive information is
  prohibited.
General User Requirements:
• An individual may not provide his/her login information to anyone, even
  family members.
• When remotely connected to the PMACS network, individuals must
  ensure that their device is not simultaneously connected to another
  network, with the exception of a personal network, which is under
  complete control of the individual.
• Non-PMACS network e-mail accounts, e.g. Hotmail, Gmail, AOL, may not
  be used to conduct business, in order to ensure that official business is
  never confused with personal business.
• Any device that connects to the PMACS network via remote access must
  have:
  o Anti-virus software installed, operating at all times, in real-time scan
    mode, and current with AV signature files.
  o A security update capability enabled so security updates can be
    applied to remediate discovered vulnerabilities.
  o A host-based firewall installed and running.
Violations:
Violations of this policy are to be referred to management to initiate a formal
review process. Individuals or departments must not investigate violations
independently. Individuals found to be in violation of this policy may be subject to
loss of access privileges or other disciplinary action.
4. University of Pennsylvania / University of Pennsylvania Health System Computing Policies
All Perelman School of Medicine users must also comply with the
University of Pennsylvania Information Systems & Computing (ISC) and/or
University of Pennsylvania Health System (UPHS) Information Services policies.
To review the ISC policies, please visit http://www.upenn.edu/computing/policy/.
To review the UPHS Information Services policies, please visit
http://uphsxnet.uphs.upenn.edu/policy/health/is/is_alpha.html.