University Policy 8130
Download a Printable Version of Policy 8130
Effective Date
December 2013
Last Revision Date
January 22, 2021
Responsible Party
Associate Vice President and Chief Information Officer, (208) 426-5775
Chief Information Security Officer, (208) 426-5701
Scope and Audience
This policy applies to all Boise State employees, authorized students, affiliates, and third parties.
Additional Authority
- University Policy 8000 (Information Resource Use)
- University Policy 8060 (Information Privacy and Security)
- Minimum Security Standards for Systems
1. Policy Purpose
To state the requirements for secure Remote Access to Information Technology (IT) resources provided by Boise State University.
2. Policy Statement
University employees, authorized students, affiliates, and authorized third parties (“entities”) will use the Boise State provided VPN technology when accessing University-provided electronic resources remotely. The VPN connection is made via a User-Managed Service with appropriate University Log-In Credentials and the Boise State Multi-Factor Authentication (MFA) service.
This policy aims to minimize the potential exposure to Boise State from damages which may result from unauthorized use of University resources. Damages include the loss of protected data, intellectual property, damage to public image, and damage to critical Boise State Information Technology systems.
3. Definitions
3.1 Authorized Third Party
Any individual, entity, or vendor providing services to the University who is not employed by the University.
3.2 Chief Information Security Officer (CISO)
The individual responsible for protecting confidential information in the custody of the University; the security of the equipment and/or repository where this information is processed and/or maintained, and the related privacy rights of University students, faculty, and staff concerning this information.
3.3 Internet Service Provider (ISP)
A business or organization that offers user(s) access to the Internet and related services.
3.4 Log-in Credentials
University-assigned username and private personal password and the Boise State Multi-Factor Authentication service.
3.5 Remote Access
The ability to log-in to a network from a distant location.
3.6 User-Managed Service
A service where the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees.
3.7 Virtual Private Network (VPN)
A secure connection to a private network through a public network.
3.8 Multi-Factor Authentication (MFA)
Authentication using two or more different factors to achieve authentication. Factors include: (1) something you know (e.g., password/username); (2) something you have (e.g., cryptographic identification device, token or code); or (3) something you are (e.g., biometric).
4. Responsibilities and Procedures
4.1 Requirements
a. University employees, authorized students, affiliates, and entities must use the Boise State-provided VPN technology as outlined in the VPN Standards.
b. Secure Remote Access must be strictly controlled. Control is enforced via Boise State’s VPN gateway.
c. Log-in Credentials must not be provided to another person.
d. Individuals and entities using secure Remote Access services must ensure their Boise State-owned/personal computer or device is not connected to another private business network while connected to the Boise State private network.
e. All systems connected to Boise State’s non-public networks via Remote Access must meet the requirements defined in the Minimum Security Standards for Systems.
f. Organizations or individuals who wish to implement non-standard Remote Access solutions to the Boise State production network must obtain prior approval from the Chief Information Security Officer.