VII:01:21 Remote Access Policy

Purpose

This policy covers the security and use of all Volunteer State Community College data, information, equipment, and resources within the IT environment al all locations by use of any end user device, including personal computers, workstations, laptops, tablets, mobile phones, and other mobile IT equipment. This policy is designed to minimize the potential cybersecurity exposure to Vol State from damages including the loss of sensitive, confidential, proprietary, or intellectual property information; damage to public image or reputation; and damage to Vol State internal IT systems.

Definitions

For the purposes of this policy, the following definitions shall apply:

  1. Dual-Homed – either an Ethernet device that has more than one network interface for redundancy purposes, or a firewall architecture for implementing cybersecurity measures.
  2. Information Technology Resources – all Volunteer State Community College information technology hardware assets, software assets, computing systems, networks, network components, facilities, services, data, and information, regardless of location, provider, management, medium, or how the resource is provided/delivered, that exists for the purpose of conducting business or academic activities. This includes, but is not limited to, computers, servers, mobile devices, email systems, internet access, cloud-based applications, databases, and any associated peripherals or support services.
  3. Public Key/Private Key – in the context of cryptography, this is a key pair used in the process of encrypting and decrypting messages and used in digital signatures.
  4. Split Tunneling – a computer networking concept which allows a mobile user to access dissimilar security domains. For example, a public network (the Internet) and a local area network (LAN).
  5. VPN – Virtual Private Network – a method employing encryption to provide secure access to a remote computer over the Internet.

Policy

  1. The Vol State computer resources are available to all authorized users (students, faculty, and staff) upon written application to and authorization by the Chief Information Officer (CIO). It is the responsibility of IT personnel to maintain a stable, operational computing environment for all users and to provide cybersecurity for all programs and data residing on available computer systems. Cooperation of all users in the form of ethical and responsible behavior is required so that all users can share resources freely and equitably.
  2. The computer resources at Vol State are available through non-local (remote) access on a limited basis. Due to the nature of this type of access, additional cybersecurity controls are required. Individuals requesting access to the systems through remote network connections shall agree to the following terms and conditions:
    1. Under no circumstances will a user authorized for remote access grant the use of or access to their account to any other party.
    2. Under no circumstances will a user authorized for remote access disclose Vol State node names or IP addresses to any other party.
    3. Under no circumstances will a user authorized for remote access store or record a username, password, passphrase, node name, or IP address on any electronic device unless the device has active full-disk encryption. Use of any password manager/vault is acceptable ONLY if it offers encryption of at least AES-256.
    4. Users authorized for remote access understand that their connection may be terminated at any time, possibly without warning due to a higher priority request for a shared resource. Under normal operations, reasonable efforts will be made to notify the user prior to the connection termination.
    5. Users understand that this policy in no way supersedes any other Vol State or Tennessee Board of Regents (TBR) policies, and that compliance with all Vol State and TBR policies and state/federal laws is required as a user of Vol State computer systems and IT resources.
    6. Users understand that approval for remote access to Vol State’s computer systems and IT resources in no way implies an obligation of Vol State to provide, install, test, or maintain any hardware or software at the user’s remote location or on the end user’s device.
    7. It is the user’s responsibility to formally request and provide justification for remote access by completing an IT Help Desk ticket.
    8. Users having remote access to Vol State computer systems and IT resources shall ensure their remote connection is given the same or greater cybersecurity considerations as if the user were on-site and directly connected to the systems and resources.
    9. Users having remote access to Vol State computer systems and IT resources understand that remote and general access to the Internet through Vol State’s systems and resources for any purpose by any party other than the legal user is prohibited.
    10. Users shall never provide their system credentials to anyone. IT Help Desk personnel will NEVER ask for a user’s password; they may, however, ask for a user’s username or id, which may be used to identify the user.
    11. Dual-homing and split tunneling are prohibited. Users having remote access must ensure their remotely connected end user device is not connected to any other personal network at the same time, except for personal networks (e.g., home network) that are under complete control of the user.
    12. Users must understand that all end user devices remotely connected to the Vol State computer systems and IT resources must use up-to-date anti-malware software.
  3. Remote access to Vol State computer systems and IT resources can lead to potential system failures, system degradation, data breach and/or malware. Unauthorized access may also place Vol State and its staff/faculty at risk for civil and criminal action, which may result in punitive measures for all involved parties. Both civil and criminal penalties may carry fines, jail time, or both.
  4. The Chief Information Officer (CIO) or their designee has the final authority to interpret the terms of this policy. The CIO or their designee may grant exceptions to this policy, in writing, based on an evaluation of the risks versus the benefits.

 

TBR Source:  none.

VSCC Source: September 1, 1983, President’s Cabinet; February 29, 2008, President’s Cabinet; August 13, 2025, President’s Cabinet.