{"id":69492,"date":"2026-02-02T14:37:01","date_gmt":"2026-02-02T22:37:01","guid":{"rendered":"https:\/\/policies.wsu.edu\/prf\/?page_id=69492"},"modified":"2026-02-20T16:25:11","modified_gmt":"2026-02-21T00:25:11","slug":"bppm-87-51","status":"publish","type":"page","link":"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-51\/","title":{"rendered":"87.51 Remote Access"},"content":{"rendered":"\n<h1 class=\"wp-block-heading wsu-font-size--xxmedium\">University Policies and Procedures Manual&nbsp;(previously Business Policies and Procedures Manual)<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">Remote Access<\/h2>\n\n\n<div class=\"wsu-row wsu-row--single\" >\r\n    \n<div class=\"wsu-column\"  style=\"\">\r\n\t\n\n<p><strong>UPPM 87.51<\/strong><\/p>\n<p><strong>For more information contact:<\/strong><br \/>\u00a0 \u00a0<a href=\"https:\/\/its.wsu.edu\/how-can-we-help-contact-its\/\">Information Technology Services<\/a><\/p>\n<hr \/>\n<div id=\"toc_container\">\n<h3>Contents<\/h3>\n<ul class=\"toc_list\">\n<li><a href=\"#One_0\">1.0 \u00a0\u00a0 Overview and Purpose<\/a>\n<ul class=\"toc_list\">\n<li><a href=\"#One_1\">1.1 \u00a0\u00a0 Information Assurance Policies Generally<\/a><\/li>\n<li><a href=\"#One_2\">1.2 \u00a0\u00a0 Specific Policy Overview and Purpose<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"#Two_0\">2.0 \u00a0\u00a0 Applicability<\/a><\/li>\n<li><a href=\"#Three_0\">3.0 \u00a0\u00a0 Roles and Responsibilities<\/a>\n<ul class=\"toc_list\">\n<li><a href=\"#Three_1\">3.1 \u00a0\u00a0 Chief Information Officer<\/a><\/li>\n<li><a href=\"#Three_2\">3.2 \u00a0\u00a0 Information Owners<\/a><\/li>\n<li><a href=\"#Three_3\">3.3 \u00a0\u00a0 Office of Information Security and Assurance (OISA)<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"#Four_0\">4.0 \u00a0\u00a0 Requirements<\/a>\n<ul class=\"toc_list\">\n<li><a href=\"#Four_1\">4.1 \u00a0\u00a0 General Requirements <\/a><\/li>\n<li><a href=\"#Four_2\">4.2 \u00a0\u00a0 Moderate- and High-Impact System Requirements<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"#Five_0\">5.0 \u00a0\u00a0 Training<\/a><\/li>\n<\/ul>\n<\/div>\n<h3 id=\"One_0\">1.0\u00a0\u00a0\u00a0\u00a0 Overview and Purpose<\/h3>\n<h4 id=\"One_1\">1.1\u00a0\u00a0\u00a0\u00a0\u00a0 Information Assurance Policies Generally<\/h4>\n<p>The purposes of the information assurance policies in UPPM Chapter 87: Information Technology and Security are to:<\/p>\n<ul>\n<li>Set requirements to ensure the privacy, confidentiality, integrity, and availability of Washington State University (WSU) data;<\/li>\n<li>Support institutional goals and strategies with appropriate methods for administratively, technically, and operationally protecting data; and<\/li>\n<li>Define the criteria WSU follows to meet requirements for protecting data, which are determined by Information Owners.<\/li>\n<\/ul>\n<p>The policies in this chapter comply with Federal Information Processing Standards (<a href=\"https:\/\/nvlpubs.nist.gov\/nistpubs\/fips\/nist.fips.199.pdf\">FIPS 199<\/a>), which are intended to help organizations achieve a common level of quality and interoperability in information technology (IT) by requiring categorization of systems as low-impact, moderate-impact, or high-impact for the stated security objectives of confidentiality, integrity, and availability. To determine the potential consequence of a loss event, the Federal Information Processing Standards:<\/p>\n<ul>\n<li>Define WSU Information Owners\u2019 impact categorization rating (Low, Moderate, or High);<\/li>\n<li>Dictate which security controls are mandatory based upon the categorization level;<\/li>\n<li>Define the strength, frequency, and formalization of those controls; and<\/li>\n<li>Influence audit burden and continuous monitoring rigor.<\/li>\n<\/ul>\n<p>See <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-01\/\">UPPM 87.01<\/a> for definitions, general information, and violations related to this policy, as well as additional information regarding roles and responsibilities.<\/p>\n<h4 id=\"One_2\">1.2\u00a0\u00a0\u00a0\u00a0\u00a0 Specific Policy Overview and Purpose<\/h4>\n<p>Ensuring secure and reliable remote access to WSU systems protects WSU data, facilitates WSU educational, research, and business operations, and is essential to support WSU\u2019s mission. This policy sets forth roles, responsibilities, and requirements for authorizing and managing remote access and ensuring the security of WSU\u2019s network and computer systems, including specific requirements for moderate- and high-impact systems.<\/p>\n<h3 id=\"Two_0\">2.0\u00a0\u00a0\u00a0 Applicability<\/h3>\n<p>This policy applies to all WSU system users who have contact with, or potentially may have contact with, WSU data, applications, and computing resources.<\/p>\n<p>Security control exceptions to policy statements in UPPM Chapter 87 are managed and maintained in accordance with <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-23\/\">UPPM 87.23<\/a>.<\/p>\n<h3 id=\"Three_0\">3.0\u00a0\u00a0\u00a0 Roles and Responsibilities<\/h3>\n<h4 id=\"Three_1\">3.1\u00a0\u00a0\u00a0\u00a0\u00a0 Chief Information Officer<\/h4>\n<p>The Chief Information Officer (CIO) of WSU, or designee, is responsible for administering this policy and reviewing it on an annual basis.<\/p>\n<h4 id=\"Three_2\">3.2\u00a0\u00a0\u00a0\u00a0 Information System Owners<\/h4>\n<p>WSU Information System Owners, or their delegates, are responsible and accountable for developing appropriate Standard Operating Procedures (SOPs) for this policy&#8217;s implementation.\u00a0<\/p>\n<h4 id=\"Three_3\">3.3\u00a0\u00a0\u00a0\u00a0 Office of Information Security and Assurance (OISA)<\/h4>\n<p>WSU\u2019s Office of Information Security and Assurance (OISA) shall maintain the <a href=\"https:\/\/its.wsu.edu\/documents\/2026\/01\/remote-access-standard.pdf\">standard (PDF)<\/a> associated with this policy and provide guidance for the associated procedures for the implementation of this policy (<a href=\"https:\/\/its.wsu.edu\/documents\/2026\/01\/remote-access-procedure.pdf\">see examples (PDF)<\/a>).<\/p>\n<p><strong>Note:<\/strong> While all units are required to adhere to the standard established by OISA (<a href=\"https:\/\/csrc.nist.gov\/pubs\/sp\/800\/53\/r5\/upd1\/final\">NIST SP 800-53<\/a>), procedural examples for implementation are optional.<\/p>\n<h3 id=\"Four_0\">4.0\u00a0\u00a0 Requirements<\/h3>\n<p>Remote access is managed in accordance with UPPM <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-03\/\">87.03<\/a> and <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-05\/\">87.05<\/a>.<\/p>\n<h4 id=\"Four_1\">4.1\u00a0\u00a0\u00a0\u00a0 General Requirements<\/h4>\n<p>Remote access to WSU internal systems must be authorized prior to allowing the connection.<\/p>\n<p>Usage restrictions, configuration and connection requirements, and implementation guidance are required\u00a0for each type of\u00a0permitted\u00a0remote access.\u00a0<\/p>\n<p>Remote access to WSU\u2019s\u00a0network must pass through managed interfaces consisting of boundary protection devices arranged\u00a0in accordance with\u00a0an organizational security and privacy architecture and <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-12\/\">UPPM 87.12<\/a>.<\/p>\n<p>Cryptographic mechanisms\u00a0must\u00a0be used to protect the confidentiality and integrity of\u00a0remote\u00a0sessions\u00a0in accordance with <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-33\/\">UPPM 87.33<\/a>.<\/p>\n<p>Employee systems authorized for remote access must be protected\u00a0in accordance with\u00a0<a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-10\/\">UPPM 87.10<\/a>.\u00a0<\/p>\n<h4 id=\"Four_2\">4.2\u00a0\u00a0\u00a0\u00a0 Moderate- and High-Impact System Requirements<\/h4>\n<p>In addition to the above, the following additional requirements apply to moderate- and high-impact systems.<\/p>\n<p>Remote access must be monitored and controlled in accordance with <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-50\/\">UPPM 87.50<\/a>.<\/p>\n<p>Remote access must\u00a0be routed through authorized and managed network access control points.\u00a0\u00a0<\/p>\n<ul>\n<li>The systems\u00a0must\u00a0authorize remote execution of privileged commands and limit remote access to security-relevant information.<\/li>\n<li>Access\u00a0restrictions and\u00a0rationale\u00a0are to\u00a0be documented in the system security plan.\u00a0\u00a0<\/li>\n<\/ul>\n<p>Remote user sessions must\u00a0be configured to\u00a0terminate\u00a0automatically when defined conditions or trigger events occur.\u00a0\u00a0<\/p>\n<h3 id=\"Five_0\">5.0\u00a0\u00a0\u00a0 Training<\/h3>\n<p>See <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-21\/\">UPPM 87.21<\/a> for training requirements related to UPPM Chapter 87.<\/p>\n<p>In addition to the requirements in <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-21\/\">UPPM 87.21<\/a>, Information System Owners are responsible for ensuring that users receive appropriate information security and privacy training commensurate with their roles, responsibilities, and authorized access to information systems under the Information System Owner\u2019s authority.<\/p>\n<p style=\"font-size: .8rem\">_______________________<br \/><strong>Revisions:<\/strong>\u00a0 Feb. 2026 (Rev. <a href=\"https:\/\/policies.wsu.edu\/prf\/bppm-manual-revisions\/bppm-revision-651\/\">651<\/a> &#8211; NEW).<\/p>\n\n<\/div>\r\n\n<\/div>","protected":false},"excerpt":{"rendered":"<p>University Policies and Procedures Manual&nbsp;(previously Business Policies and Procedures Manual) Remote Access<\/p>\n","protected":false},"author":49281,"featured_media":0,"parent":50633,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":[],"wsuwp_university_location":[],"wsuwp_university_org":[],"_links":{"self":[{"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/pages\/69492"}],"collection":[{"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/users\/49281"}],"replies":[{"embeddable":true,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/comments?post=69492"}],"version-history":[{"count":7,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/pages\/69492\/revisions"}],"predecessor-version":[{"id":69992,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/pages\/69492\/revisions\/69992"}],"up":[{"embeddable":true,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/pages\/50633"}],"wp:attachment":[{"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/media?parent=69492"}],"wp:term":[{"taxonomy":"wsuwp_university_location","embeddable":true,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/wsuwp_university_location?post=69492"},{"taxonomy":"wsuwp_university_org","embeddable":true,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/wsuwp_university_org?post=69492"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}