Guideline for Remote Access

I. Purpose

The purpose of this document is to provide guidance for protecting university information resources from unauthorized access or disclosure when connecting remotely to university networks, systems, and devices that are otherwise not publicly available.

II. Scope

This guideline is applicable to UNC Charlotte faculty, staff, students and all authorized users granted access to university information resources via remote access. Every authorized user of university information resources has a responsibility to take appropriate measures to safeguard that information.

III. Contacts

Direct any general questions about this guideline to your unit’s Information Security Liaison. If you have specific questions, please contact OneIT Information Security Compliance at ISCompliance-group@uncc.edu.

IV. Guidelines

When authorized individuals have a business need to remotely access an on-campus desktop computer, or who need wider access to campus resources that contain confidential, sensitive and/or highly restricted information and may be accessible only via the campus network, they may be provided with access to the university’s VPN solution. The university’s VPN solution provides a mechanism for secure remote access and utilizes the university’s multi-factor authentication solution. Use of the university’s VPN solution may be combined with an approved remote access technology such as Remote Desktop Protocol (RDP) or Virtual Network Computing (VNC).

A. General Guidelines

Faculty/Staff and students granted remote access to university networks, systems, and devices should follow these security guidelines:

  • Faculty/Staff connecting remotely and student workers requiring remote access as part of their assigned job duties shall only connect from or have access to machines that are university-owned and managed and should be configured according to the applicable guideline (i.e., Guideline for Security of Endpoints, Guideline for Security of Applications, Guideline for Security of Systems).
    • NOTE: Non-student workers and affiliates (e.g., sponsored guests) connecting remotely should, at a minimum, be using a device configured with up-to-date anti-virus software and current operating system patches.
  • University information should be stored only on approved cloud storage or university network drives as outlined in the Guideline for Data Handling.
  • If teleworking or working remotely, ensure that unauthorized individuals (e.g., family members, friends) do not use the computer.

B. VPN Access

  • The university’s VPN solution must be utilized to access those resources that are only available via the campus network.
  • Privileged access to some university information systems may require use of a more restrictive VPN profile that may be accessed only by specific authorized users.
  • The university’s VPN solution should be used when connecting via public WiFi to university information systems containing sensitive data.
  • Authorized users should disconnect from the VPN when it is no longer needed.
  • The VPN session will automatically terminate after a period of inactivity.

C. Vendors and Contractors Remote Access

  • Requests from vendors and contractors for remote access to internal university information resources must be approved in advance by the Office of OneIT.
  • Vendors and contractors requiring remote access to university information resources must have a university sponsor and be approved for a sponsored guest account.
  • Vendors and contractors granted remote access to university information resources are responsible for ensuring non-university managed devices used to access campus resources are configured according to security best practices.

EXCEPTIONS: In order for Faculty/Staff to use a non-university owned or an unmanaged device, a Remote Access exception request must be submitted to the Office of OneIT for authorization.

Related Resources

ISO/IEC 27002 was adopted by The University of North Carolina at Charlotte in 2012. All standards and guidelines are based on this code of practice for Information Security Management.

Revision History

Initially approved by Information Assurance Committee 9/23/16
Updated and approved by Information Assurance Committee 3/1/23