This policy applies to all Seton Hall University (SHU) faculty, employees, contractors, consultants, temporary employees, and third party service providers who use the University’s Virtual Private Network (VPN) to access the SHU Network.
- Dual Factor Authentication: a security process in which the user is required to provide identification by means of a combination of two different sets of credentials.
As a security measure, many of the University’s network resources are not made publically available to the Internet and access to those resources is restricted to users physically located on campus. The University’s VPN allows members of University community with a VPN account to securely access University network resources as if they were on the campus. Consequently, it is extremely important to safeguard VPN access to protect the University’s confidential data from unauthorized outside access.
SHU VPN accounts may be requested by individuals who have a business need to access restricted SHU network resources from off campus. The form to request a VPN account can be found on the University IT Services Web site [login required]. The application for a VPN account must be approved by the requestor’s immediate supervisor and the University IT Services IT security group. Once approved, the VPN account will be set up by University IT Services.
To help secure the University’s VPN accounts, once a user is issued a VPN account the Technology Service Desk will no longer reset that user’s password via the phone; a University or government ID will be required to reset the password for VPN account holders. VPN account holders will be required to change their SHU password every sixty (60) days.
Use of the VPN account requires dual factor authentication. The VPN account holder will be required to register his/her mobile phone, tablet computer, phone line or some other means of contact in order to verify their identity whenever they use the VPN. The VPN account holder will need to have access to his/her registered mobile phone, tablet computer, phone line or other verified device in order to start the VPN. Only one active VPN connection is allowed per user. The VPN account holder should disconnect the VPN when it is no longer needed. The VPN session will automatically terminate after thirty minutes of inactivity.
The VPN account holder’s SHU issued computer will have additional security software installed to help prevent inadvertent data loss. The VPN account holder should only use their University-issued computer to access the SHU VPN. The VPN account holder must make sure that their antivirus software, computer operating system and Internet browser are up to date before using the VPN.
A VPN account will require annual re-authorization by the employee’s supervisor. A VPN account will be automatically suspended if not used after 180 days. A VPN account holder’s access to the system will automatically expire if they are no longer an active employee in the University’s Banner system. This is generally at the end of the employee’s last pay period. Whenever an employee with a VPN account leaves the University, the employee’s supervisor should make arrangements with HR and University IT Services to disable the employee’s VPN account at the time of their separation from the University.
VPN accounts may not be shared with others. If a VPN user suspects that his/her VPN account, or any other University system, has been compromised, he/she must report the security incident immediately to the Technology Service Desk (973-275-2222). The Service Desk will document the incident and escalate the incident to SHU’s security incident response team.
Enforcement and Limitations:
Any user found to have violated this policy may be subject to loss of certain privileges or services, including but not necessarily limited to loss of VPN services.
SHU may, at any time and for any reason, change, terminate, limit or suspend this service, in whole or in part. Access to the service is completely at the discretion of Seton Hall University, and access to the service may be blocked, suspended, or terminated at any time for any reason including, but not limited to, violation of this policy, violation of the University’s Appropriate Use Policy, disruption of access to other users or networks, or violation of applicable laws or regulations.
The VPN account holder is fully responsible for all his/her account activities (including for any content, information and other materials you access or transmit via this service) and agrees not to use this Service to engage in any prohibited conduct. Broadly stated, prohibited conduct is any conduct that is unlawful, that violates University policy, that is harmful to (or puts at risk) Seton Hall University or any other party or property, that violates another party's intellectual property, privacy or other rights, or that otherwise interferes with the operation of other University systems or property.
Seton Hall University reserves the right to amend or otherwise revise this document as may be necessary to reflect future changes made to the I.T. environment. You are responsible for reviewing this Policy periodically to ensure your continued compliance with all Seton Hall University I.T. policies.
Office of the Chief Information Officer
University IT Security Group
Appropriate Use Policy
Data Classification Security Policy
Policy on Confidential Information
Separation of Duties Within Information Systems
August 20, 2015