Remote IT Support Security Policy

 
Document Number:
IT-0002
Status:
Published
Revision #:
Rev1.0
Published Date:
4/19/2022

General Information

Purpose:

This document details the requirements of the University's IT staff and users to safeguard data when providing remote IT support. 
 

Terms and Definitions:

Term:

Definition:

AES
Advanced Encryption Standard (AES), is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001.
Remote IT Support
Means any action taken by Information Technology (IT) staff using tools and software to connect to and control another users device via the internet to; resolve technical problems encountered by the user, maintain, with appropriate updates and/or patches, any software program on the users computer.
SSL
Secure Socket Layer (SSL) is a secure protocol developed for sending information securely over the internet. SSL encrypts the data being transmitted so that a third party cannot "eavesdrop" on the transmission and view the data being transmitted.
User's device
A user's device includes University owned and non-owned equipment which is being used for the purposes of conducting University activities.  
 

Responsible Department or Functional Area:

Information Technology

Audience(s):

*All Employees
Policy Provisions
  • 1

    Description:

    At a minimum the University will only use remote control software tools that include SSL AES 256-bit end-to-end encryption for the protection of user's data.
  • 2

    Description:

    IT staff members must request permission to remotely control a users device.  Users may be required to provide connection/confirmation keys etc., to the IT staff member to allow the IT staff member to remotely control the user's device.

    Scope and Exceptions:

    In rare instances IT staff may be required to connect to a user's device to patch or remediate technical issues when the user is not present.  In such a situation, to ensure the user is not logged in and/or has not left any sensitive information open on their device, a restart of the user's device will be performed before the IT staff member connects for an unattended session.
    A detailed log of the activities undertaken during unattended session will be kept for audit purposes.
  • 3

    Description:

    It is the responsibility of users to protect  the data which they have been given permission to access, as some of this data may be sensitive and/or private.  Users must close all documents and applications open on their device, other than one for which they are seeking support, before providing permission to IT staff to remotely control their device.
  • 4

    Description:

    After users provide permission to an IT staff to remotely control their device, users ought to remain present during the entire support session.  Users may be required to show the IT staff and/or may receive instructions from the IT staff on the technical issue for which assistance was requested. 
  • 5

    Description:

    Other than the IP addresses of the IT staff member and user which are recorded, no other data will be collected or recorded during any remote control session unless explicitly agreed on by the IT staff member and the user in order to resolve technical issues with the users device.
 

Primary Author / Owner:

Name:

Email:

IT Director
[email protected]