Introduction
Christopher Newport University supports a flexible work environment to maintain a work/life balance, promote administrative efficiencies and maintain a high standard of student service. At the same time, all systems used to access University data must be adequately protected to ensure confidentiality, integrity, and availability. When you use a personal device to connect to the University via a Virtual Private Network (VPN), you are creating a secure, encrypted "tunnel" that makes your computer a temporary extension of the CNU network.
By using a personal device or connecting to the VPN, you acknowledge that your system meets these requirements and that you have no expectation of privacy regarding data transmitted through University resources.
Scope
This guideline applies to all faculty, staff, students, and contractors who use personally-owned devices (laptop, desktop, or mobile) to connect to CNU sensitive (Class 1 data) and restricted (Class 2 data) systems.
Anyone using a personal system to connect to such systems, regardless of method (for example, approved VPN clients such as GlobalProtect, remote access technologies such as SSH, or cloud-hosted systems), must adhere to these requirements.
Definitions
Class 1 Sensitive Data: The most sensitive university data (e.g., Social Security numbers, protected health information, or financial accounts) as defined in the CNU Data Classification Standard.
Class 2 Restricted Data: Non-public university information, such as student grades, proprietary research, and internal administrative records, whose unauthorized disclosure could result in moderate risk to the university.
CNU System: Any computer, server, storage device, or information system that is owned, leased, or managed by the University. This includes systems used to process, store, or transmit University data, regardless of whether they are located on-campus or hosted in a cloud environment under a University contract.
Personally-Owned Device: Any portable or stationary hardware (e.g., smartphone, tablet, laptop, or home computer) that is owned by an individual employee or student rather than the University. These devices are used to access University resources but remain the private property of the individual, subject to the security requirements outlined in this guideline.
Personal Device Hardening (BYOD)
If you are authorized to use personal equipment for telework, you must comply with these university requirements.
Endpoint Protection
To maintain a secure remote connection, your personal device must be equipped with active, high-efficacy Endpoint Protection (Antivirus/Anti-malware). Per CNU standards, its virus definitions must be kept up to date to ensure the integrity of the University network.
Below are cost-effective and highly-rated recommendations for personal use across different operating systems.
OS | Recommended Product | Notes on Efficacy & Cost |
Windows | Microsoft Defender | Best "No-Cost" Option. Built-in, free, and consistently earns perfect 6/6 scores from independent labs like AV-TEST. |
Windows | Bitdefender Antivirus Plus | Best Overall Paid. Highly effective against phishing and zero-day threats with a very small system footprint. |
macOS | Avira Free Security | Top Free Choice. Specifically optimized for Apple users, offering strong malware protection and a user-friendly interface. |
macOS | Intego Mac Premium Bundle | Mac-Specific Specialist. Widely considered the gold standard for macOS, offering deep integration with Mac-only security features. |
Linux | Sophos Intercept X | Best for Personal Use. Leverages deep learning AI and behavioral analysis to block advanced threats on Linux systems. |
Linux | ClamAV | Best Open-Source. A lightweight, reliable command-line tool ideal for scanning files and email threats on various distros. |
Manual Scans: If you use a free version of an antivirus (like TotalAV) that lacks real-time protection, you must perform a manual scan of your system daily before connecting to the VPN.
Automatic Updates: Ensure your software is set to "Auto-Update." Connecting with outdated virus definitions is a violation of the University's security standards.
One is Enough: Never run two active antivirus programs simultaneously; they can conflict and actually lower your device's security and performance.
Patch Management
All devices must have current security patches installed to minimize exposure to potential threats. This covers the Operating System (OS), as well as any applications that you use to connect to CNU sensitive or restricted systems (i.e., web browsers).
When you connect via VPN, your device becomes an extension of the University's infrastructure; therefore, unpatched vulnerabilities on your machine could potentially be used as an entry point for attacks.
You must ensure that your operating system is set to download and install security updates automatically.
OS | Action Required | Verification Steps |
Windows 11 | Enable Windows Update | Go to Settings > Windows Update and ensure "Get the latest updates as soon as they're available" is toggled ON. |
macOS | Enable Automatic Updates | Open System Settings > General > Software Update. Click the (i) icon and ensure "Install Security Responses and system files" is enabled. |
Linux | Enable Unattended-Upgrades | For Ubuntu/Debian, use sudo apt install unattended-upgrades. For Fedora, ensure dnf-automatic is configured for security updates. |
Reboot Weekly: Many critical patches for Windows and macOS cannot finish installing until the system is restarted.
Avoid "End-of-Life" (EOL) Software: If your OS (e.g., Windows 7 or 8) or an application no longer receives security updates from the vendor, you must upgrade to a supported version or discontinue its use.
Verify Before Connecting: Make it a habit to check for pending updates before initiating your VPN session. A single unpatched critical vulnerability (like those found in RDP) can lead to a total system compromise.
Third-Party Application Patching
Operating system updates do not always cover third-party software. Attackers frequently target outdated versions of:
Web Browsers: Chrome, Firefox, and Edge should be set to auto-update.
Productivity Tools: Microsoft Office and Adobe Acrobat must be kept current.
Collaboration Software: Zoom, Teams, and Slack often require manual restarts to apply critical security patches.
Encryption & Physical Hardening
Full disk encryption is required for devices connecting to CNU sensitive or restricted systems. This ensures that if your personal device is lost or stolen, University data (and your personal files) remains unreadable to unauthorized parties.
Full Disk Encryption (FDE)
Encryption scrambles your data so it can only be accessed with your specific login credentials or recovery key.
OS | Recommended Tool | How to Enable |
Windows | BitLocker | Search for "Manage BitLocker" in the Start menu. Ensure it is "On" for your operating system drive (C:). |
macOS | FileVault | Go to System Settings > Privacy & Security > FileVault and click "Turn On". |
Linux | LUKS/dm-crypt | This is usually set up during OS installation. Use lsblk -f to check if your partitions show "crypto_LUKS". |
Always back up your Recovery Key in a secure location (like a physical safe or a separate cloud account). If you lose both your password and your recovery key, the data on your drive will be permanently inaccessible.
Physical Security & Environmental Hardening
Encryption protects the data, but physical security protects the hardware and the active session.
Automatic Screen Lock: Set your device to automatically lock after a maximum of 15 minutes of inactivity.
Manual Locking: Develop the habit of manually locking your screen (Win+L on Windows, Cmd+Ctrl+Q on Mac) every time you step away from the device.
Visual Privacy: If working in a public or shared space, use a privacy screen filter to prevent "shoulder surfing" of sensitive University data.
Credential Protection: Never leave your VPN credentials or MFA device (like your phone) unattended in a shared environment.
Security Practices
To maintain the "adequately protected" state required by Policy 6010:
Public Wi-Fi: You must be connected to the CNU VPN if using "Open" or unsecured public Wi-Fi.
Access Protection: Access to the device must require a strong password / passkey (see the University Password Standard) or biometrics (e.g., FaceID, Windows Hello).
Automatic Screen Lock: The screen must lock automatically when idle. The idle timeout must be no more than 30 minutes.
Account Sharing: Require a separate account / profile for each user. Never allow family members or guests to use your device using the account / profile you use to connect to CNU systems.
Firewall
Per the CNU Remote Access and VPN Standard, all hosts connected via remote access must have a firewall enabled and properly configured.
While the VPN provides an encrypted tunnel for your data, a local firewall prevents unauthorized "inbound" connections from other devices on your home network or the public internet from reaching your computer.
Local Firewall Configurations
You should ensure your system's built-in firewall is active and set to a "Restrictive" or "Public" profile to ensure maximum protection while telecommuting.
OS | Recommended Setting | How to Verify |
Windows | Windows Defender Firewall | Go to Settings > Privacy & Security > Windows Security > Firewall & network protection. Ensure the status is "On" for Domain, Private, and Public networks. |
macOS | Application Firewall | Go to System Settings > Network > Firewall. Toggle the switch to On. Under "Options," ensure "Block all incoming connections" is OFF (to allow VPN) but "Stealth Mode" is ON. |
Linux | ufw (Uncomplicated Firewall) | Use the command sudo ufw status. If inactive, use sudo ufw default deny incoming, sudo ufw default allow outgoing, and sudo ufw enable. |
Beyond the software on your device, your home network environment plays a role in your security posture:
Inbound Traffic: Your personal firewall should be configured to drop all unsolicited inbound traffic.
Stealth Mode: When available, enable "Stealth Mode" so your device does not respond to "ping" requests or discovery attempts from potential attackers on the same network.
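The Linux rows of the patch management, full disk encryption and firewall tables above can be verified together before starting a VPN session. The script below is an added example, not CNU-provided tooling; it assumes a Debian/Ubuntu system with ufw, its function names are hypothetical, and its sample outputs are constructed. It goes one step beyond the lsblk -f check by confirming that the root filesystem itself sits on a LUKS container.

```sh
#!/bin/sh
# Added example (not CNU tooling): pre-VPN self-check for a Debian/Ubuntu device.
# Each check parses command output passed in as text; function names are hypothetical.

# Input: `ufw status verbose`. Firewall must be active AND drop unsolicited inbound.
firewall_ok() {
  printf '%s\n' "$1" | grep -q '^Status: active' &&
    printf '%s\n' "$1" | grep -Eq '^Default: (deny|reject) \(incoming\)'
}

# Input: `lsblk -sPo NAME,TYPE,FSTYPE <root device>` (root device plus its ancestors).
# A crypto_LUKS entry somewhere in plain `lsblk -f` does not prove that the root
# filesystem itself is encrypted; one of its own ancestors must be the LUKS container.
root_encrypted() {
  printf '%s\n' "$1" | grep -q 'FSTYPE="crypto_LUKS"'
}

# Input: `apt-config dump`. Installing unattended-upgrades is not enough; both
# periodic jobs must be enabled (non-zero interval in days).
auto_updates_ok() {
  printf '%s\n' "$1" | grep -Eq '^APT::Periodic::Update-Package-Lists "[1-9][0-9]*";' &&
    printf '%s\n' "$1" | grep -Eq '^APT::Periodic::Unattended-Upgrade "[1-9][0-9]*";'
}

# Run all three checks, report failures, return the number of failed controls.
precheck() {
  fails=0
  firewall_ok "$1" || { echo "FAIL firewall: inactive or inbound not denied"; fails=$((fails + 1)); }
  root_encrypted "$2" || { echo "FAIL encryption: root filesystem not on LUKS"; fails=$((fails + 1)); }
  auto_updates_ok "$3" || { echo "FAIL updates: unattended upgrades not enabled"; fails=$((fails + 1)); }
  [ "$fails" -eq 0 ] && echo "PASS: firewall, encryption and updates verified"
  return "$fails"
}

# Constructed sample outputs (not captured from a real machine).
SAMPLE_UFW='Status: active
Default: deny (incoming), allow (outgoing), disabled (routed)'
SAMPLE_LSBLK='NAME="vg-root" TYPE="lvm" FSTYPE="ext4"
NAME="luks-root" TYPE="crypt" FSTYPE="LVM2_member"
NAME="nvme0n1p3" TYPE="part" FSTYPE="crypto_LUKS"'
SAMPLE_APT='APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";'

if [ "${1:-}" = "--live" ]; then   # check this machine instead of the samples
  precheck "$(sudo ufw status verbose)" \
    "$(lsblk -sPo NAME,TYPE,FSTYPE "$(findmnt -vno SOURCE /)")" "$(apt-config dump)"
else
  precheck "$SAMPLE_UFW" "$SAMPLE_LSBLK" "$SAMPLE_APT"
fi
```

Run it with --live to check the current machine; the exit status is the number of controls that failed.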
Support & Troubleshooting
If you encounter issues while configuring your personal device for compliance or during an active VPN session, the Information Technology Services (ITS) team is available to assist.
Getting Help
Online Help Desk: Requests for remote access or technical assistance should be submitted via the online Help Desk portal.
VPN Requests: Ensure you have submitted a Request for VPN Access, which requires approval from your supervisor or department head prior to ITS review.
ISO Oversight: Specific security control questions or requests for exceptions are handled on a case-by-case basis by the Information Security Officer (ISO).
Common Troubleshooting Steps
Verify Authentication: Ensure you are using your assigned individual access credentials and have your Multi-Factor Authentication (MFA) device ready.
Check Connectivity: Confirm that you are not attempting to access local network resources (like home printers), as split-tunneling is prohibited when the VPN is active.
System Health Check: If you cannot connect, verify that your Antivirus is active and your Operating System is fully patched.