Department of Veteran Affairs Memorandum 00-010

Central Texas Veterans Health Care System (CTVHCS) June 10, 2014

Austin-Temple-Waco

Community-Based Outpatient Clinics (CBOCs)

Remote Access

I. CHANGES: Policy was reviewed and updated to include responsibilities and instructions for electronically requesting remote access via the Remote Access (RA) Self-Service Portal.

II. RESCISSION: Memorandum 00-010-13, dated November 8, 2013.

IV. NEXT REVIEW DATE: June 2017.

V. AFFECTED SERVICES: All services and programs.

VI. POLICY: The purpose of this memorandum is to establish the policy, procedures, and responsibilities to ensure the security of remotely accessing any automated information systems (AIS) within CTVHCS.

A. It is the policy of CTVHCS to provide users, who have a need and authorization from their service chief, with remote access to VA information systems with an efficient and secure means of access. This policy is designed to protect all AIS (including medical devices) within CTVHCS from unauthorized access, disclosure, modification, destruction, or misuse. For the purpose of this policy the remote access method is a virtual private network (VPN) using nationally approved VA VPN solutions to connect to the VA gateway or wide area network over the internet. VA VPN nationally approved solutions include RESCUE Government Furnished Equipment (GFE), CITRIX Access Gateway (CAG), and Secure Mobility Client (SMC) for non-VA equipment use only.

B. Approved VA VPN remote access users are governed under the same local policies, Federal laws, and regulations that apply to the security and privacy of all data contained on VA systems. VA VPN remote access can and will be monitored by the VA Network Security Operations Center (VA NSOC), auditors, and investigators, as appropriate. Management will take appropriate action when that monitoring indicates any violation of standards, procedures, or practices in support of this policy. Penalties for misuse or abuse of VA systems, resources and/or data and information may include loss of VA VPN privileges, disciplinary action up to and including dismissal, penalties prescribed by law, and any appropriate criminal action.

C. VA VPN remote access for CTVHCS staff is limited to the following authorized users that have active network accounts, have met mandatory Information Security training requirements and signed the Rules of Behavior, as well as VA background investigation requirements:

1. Office of Information and Technology (OI&T) Service staff.

2. CTVHCS employees approved to work from home, required to travel on official VA business, or designated within the facility contingency plan or service-level contingency plan to provide immediate support in the event of an emergency.

3. Contract employees or vendors under VA approved contract to maintain, operate, and/or troubleshoot AIS and/or medical devices within CTVHCS.

4. Authorized users at remote locations, without direct network connection, who support direct patient care activities.

5. Authorized users approved by their service chief with justification for VA VPN remote access as being required in the performance of their job duties.

D. VA VPN solutions support is available 7 days a week, 24 hours a day, 365 days a year from the National VA VPN Help Desk and may be contacted at 1-855-673-4357, Option 6, and then Option 4. The VA VPN Help Desk provides technical support for VA VPN remote access issues and is the point of contact for users that experience difficulty connecting using any of the VA VPN solutions or encounter problems with the VA VPN solutions installation instructions.

VII. RESPONSIBILITY:

A. The Information Security Officer (ISO) will:

1. Review and activate remote access requests submitted via the National VA Remote Access Portal.

2. Send e-mail notification to authorized users, through their respective Service ADPAC, notifying of activation of the remote access account.

3. Conduct annual review of VA remote access user accounts.

4. Follow-up with users shown on VA remote access account inactivity reports to determine continued need. NOTE: VA VPN RESCUE accounts will automatically be disabled after 30 days of inactivity and CAG accounts will automatically be disabled after 90 days of inactivity and deleted after another 90 days by the VA NSOC. If the VA VPN account is deleted, the user must re-apply for VA VPN.

5. Terminate VA remote access accounts for misuse, lack of use, or termination of CTVHCS network account.

B. The Facility Chief Information Officer (FCIO) or designee will:

1. Provide hardware to enable VA VPN remote access users to connect to the CTVHCS resources (i.e. VistA, CPRS, Outlook mail, etc.).

2. Provide setup instructions on how users will remotely connect to CTVHCS applications. For troubleshooting remote access problems, the user must submit a Region 2 CA Help Desk ticket.

3. Install VA VPN solutions software designed for use on VA government equipment used for remote access.

C. Service Chiefs or Program Managers will:

1. Approve or disapprove the remote access via an automated email generated from the RA Self-Service Portal requests. NOTE: Remote access approval to VA computer systems does not constitute approval for overtime pay or compensatory time.

2. Ensure VA Privacy and Information Security Awareness and Rules of Behavior Training is current, and a copy of the related training certificate is attached to the Remote Access (RA) Self-Service Portal Request (Attachment), as well as all VA background investigation requirements have been met for CTVHCS employees, contractors, vendors or other authorized users (non-PAID employees) sponsored through their Service. NOTE: Coordinate respective contractors’ appropriate VA required documentation with the Contracting Officer to ensure all information security requirements are met prior to requesting and being granted remote access.

3. Submit an OI&T ticket requesting a network account be created for the contractor or vendor, whenever required.

4. Provide user support (through the Service ADPAC) to employees using non-VA equipment for installing, using, upgrading, and uninstalling software. The ADPAC will assist users with downloading the VA VPN remote access solutions and related software, troubleshooting problems, and training users within their service on how to use the system. Employees may also contact the National Service Desk (NSD) or VA NSOC for assistance.

5. Maintain a current list of all approved remote access users within their Service.

6. Ensure that remote access privileges are terminated as soon as they are no longer needed by notifying the ISOs when a remote access user is transferred, terminated, or no longer requires remote VA VPN access. Notifications may be sent via MS Outlook email addressed to the Central Texas ISOs at .

7. Respond to ISOs’ annual review of VA remote access user accounts with confirmation of staff that still require VA VPN remote access. Identify staff that no longer require access and should have their access removed.

D. Requesting Remote Access via the RA Self-Service Portal

1. Remote access users will:

a. Request remote access via the RA Self-Service portal ( Follow the instructions included in the attached Instructions for Using the Self-Service Portal (Attachment).

b. The user must upload a copy of their mandatory (VA Privacy and Information Security Awareness and Rules of Behavior Training certificate, TMS Course #10176) by selecting the “Upload Documents” tab after completing their remote access request via the RA Self-Service Portal. Failure to do so will delay creation of your remote access account.

c. The user requesting remote access must notify their Service Chief (supervisor) that a remote access approval request will be forthcoming via an automated email from the RA Self-Service Portal.

2. Service Chief (Supervisor) will either approve or disapprove the remote access request, which will be received via MS Outlook email. If the remote access is disapproved, the Service Chief (supervisor) must provide a reason.

3. Information Security Officer (ISO) will:

a. Review the remote access request, approve, create and activate the remote access request once the Service Chief (supervisor) has approved. The ISO will be notified of Service Chief (supervisor) approval via automated MS Outlook email. If the ISO discovers that mandatory training is not attached to the remote access request or other pertinent fields have not been completed as required in the Instructions for Using the RA Self-Service Portal, they will notify the user requesting remote access.

b. Once the ISO has reviewed and activated the remote access account, the user will be notified via email which will include a “Welcome Letter” with instructions for remote access based on the type of equipment they will be using (VA government-furnished equipment (GFE) or non-VA issued equipment).

NOTE: Services must allow two weeks for processing remote access requests.

E. Remote users will:

1. Read and follow the directions in the “Welcome Letter” upon notification of remote access approval from the ISO. NOTE: Users must have a VA network account to access this website.

2. Provide the same level of security and privacy for information as is required by VA directives and policies. The user is not authorized to store or make copies of VA information on remote systems. NOTE: It is possible that through normal authorized use of remote access procedures, VA information may be stored on a non-VA device. The user is responsible for seeking VA advice, through his/her Service ADPAC, to properly "cleanse the data" from the device before the system is released from the user's control. Service ADPAC may contact OI&T staff regarding software to cleanse the computer's hard drive. Authorized users of remote access are responsible for following current VA procedures to assure VA data is not stored on non-VA issued equipment and VA data is removed before the user releases control of the equipment. Simply deleting the data or reformatting a disk or drive is not adequate.

3. Possess basic computer knowledge and skills to set up and install programs, including operating system components. CTVHCS will not provide additional or replacement hardware or software required for remote access to individuals using personally owned equipment and does not accept any liability for damage associated with the installation of the VA VPN remote access solutions software.

4. Maintain up-to-date virus protection and critical operating security patches, required by VA NSOC, on non-VA equipment used to connect to VA resources.

5. Not share remote access logon identification, usernames, passwords, and other authentication means used specifically to protect VA information or access techniques to VA private networks.

6. Not use VA remote access services to engage in any activity that is illegal or violates VA policies.

7. Not simultaneously connect to VA and one or more non-VA networks. Inactive sessions must be terminated by logging off when finished or when leaving the workstation unattended.

9. Keep portable computers or storage devices in their possession, and may not check them as baggage when travelling. Guard against disclosure of VA protected information through eavesdropping, overhearing or overlooking (shoulder surfing) by unauthorized persons when in an uncontrolled environment (i.e., traveling on an airplane or in an airport).

10. Immediately report any incident with theft, loss, or compromise of any VA Government furnished equipment or non-VA equipment/device used to remotely access VA systems to the respective service chief, Police Service, Chief Information Officer or OI&T Assets Manager, and the Facility ISO.

11. Ensure VA Privacy and Information Security Awareness and Rules of Behavior Training is current, as well as all VA background investigation requirements are met.

F. Technical support: Once the user has remote access to the VA's Network, the user still needs to connect to our local systems.

1. Systems owned by the VA (government-issued equipment): OI&T will install all software on systems used for remote access that are owned by the VA. If the user is experiencing problems, the user should contact their service ADPAC first; the ADPAC may refer the user to the Region 2 OI&T Service Desk for additional support. If OI&T determines the system is working correctly, the user will be referred to the VA National Service Desk. The user is responsible for assuring their connections conform to the VA's standard.

2. Systems not owned by the VA: The user must accept responsibility for loading and configuring the software and assuring remote access connectivity. There are no guarantees that the software will work on all systems or that loading the software will not crash the operating system or applications. The user should speak with their service chief about the type of support (usually by the service ADPAC) the service is prepared to give the user before the user applies for remote access. All of the security controls required for the VA government furnished equipment must be utilized in approved non-VA owned equipment and must be funded by the owner of the equipment. Approved remote access users are governed under the same local policies, federal laws and regulations that apply to all local users of VA computer systems and the security and privacy of the information contained therein.

VIII. REFERENCES: VA Directive and VA Handbook 6500; VA Directive and VA Handbook 6102 Internet/Intranet; CTVHCS Memorandum 00-022, Information Security Program; VA Directive and VA Handbook 6502, Privacy Program; The Privacy Act of 1974 (5 U.S.C. 552a as amended); OMB Circular A-130; and VA Directive 6001, Limited Personal Use of Government Office Equipment including Information Technology.