ISO PS012 Workstation and Computing Devices

Policies and Standards ISO PS012 Workstation and Computing Devices [Previous]  [Next]  [Policy Home]

Policy Name: Workstations and Computing Devices
Policy Number: IS PS012
Effective Date: July 23, 2007
Review Date: January 29, 2013
Last Revision Date: January 29, 2013
Last Revision By: Kim Adams
Contact Name: Matthew Witten
Contact Email: ISOPolicy@louisville.edu
Approved By: Compliance Oversight Council
Version: 1.3

POLICY:

All workstations and other computing devices shall:

• if connected to the university network and capable of running active directory, [1] be a part of the university’s Active Directory domain, to ensure password synchronization with central authentication services and to facilitate updating of security settings and enterprise software;

• be maintained in an environment and manner so that access is reasonably restricted to authorized users only;

• be used in a prudent manner so that data, system and network integrity is maintained to the highest degree reasonably possible; and

• have operating systems and other software maintained in the most up-to-date and secure manner reasonably possible.

• ---

  [1] Macintosh computers are capable of using Active Directory, but are limited to authentication services only.  Mobile devices, such as iPads, utilize synching software to connect to the university network and therefore, are exempt from the Active Directory requirement. 

   

Note 1: All workstations and other computing devices (including personal and mobile) used within the University that contain or transmit sensitive information or that attach to the university network are covered by this policy.

Note 2: If the standard is not technically possible for the specific computing device then a security exception should be filed and mitigating controls should be employed.

Note 3: Exceptions may be considered where a device needs access to more than one Active Directory domain.  Exceptions should be requested through the Director of Enterprise Security by sending a note to itpolicy@louisville.edu.

STANDARDS:

Administrative standards:

• Implementation
  The Dean of each school or Administrative Division Head is responsible for implementation of these security policies and standards, including methods to:
  • Educate the school or division users on computing device security practices.
  • Configure and maintain the school or division computing devices to meet these computing device security standards.

• Documentation
  • Procedures for complying with these policies and standards, as well as any additional school or division policies, standards and procedures will be developed and maintained by the Dean or Division Head's designee for each school, division or other subsidiary unit.
  • All school or division policies, standards and procedures for computing devices must be well documented, up-to-date and meet the minimum requirements established in this policy and accompanying standards.
  • After review and approval by the Dean or Division Head's designee, documentation of procedures (as well as any additional policies or standards) is to be forwarded, in electronic format, to the Information Security Office for review and university records. All major updates to the documentation and their effective dates should be forwarded to the Information Security Office.

• Compliance
  • Each school or division is expected to ensure compliance with these policies and standards as well as their own policies, standards and procedures.
  • The Information Security Officer will work with Audit Services, IT and others to schedule periodic audits of computing devices to further ensure compliance with the policies and standards.

• Use of Computing Devices
  • Computing devices and access to the network and internet are provided to perform university functions.

• Licensing
  • Licensing documentation must be maintained for any commercial software loaded on university owned computing devices (see ISO PS003 for additional licensing requirements).

Technical and physical standards:

• System Maintenance:
  • All computing device operating systems and other software should be kept up-to-date by reviewing security updates, patches and tools on a regular schedule but not less often than every 90 days. Automated update capabilities must be turned on.

• Physical System Access:
  • Reasonable efforts should be made to limit and/or monitor physical access to computing devices to only authorized personnel. Devices, including removable media, should be equipped with anti-theft devices.  Access doors and windows should be secured and computing device display screens should be positioned to minimize the chance for viewing by unauthorized individuals, where appropriate and feasible.

• Systems used to store, transmit or access electronic Protected Health Information (ePHI).
  In addition to the physical security requirements above, each responsible area must:
  • Implement and maintain physical safeguards to restrict access to only authorized users for all computing devices that store, transmit or access ePHI.
  • Define the allowable functions, how these functions are to be performed and required physical surroundings of computing devices that access ePHI.

• Software:
  • Operating systems and software currently supported by University IT should be used for university computing. See Supported Software List for more information.
  • Other operating systems and software are allowed if such software is:
    • currently supported by the vendor with security updates provided and applied as applicable;
    • approved for the use by and supported by your school/division's technology management; and
    • in compliance with IS PS004 Policy Exception Management Process.
      Note: This is an example of the type of exception that will generally require only proper completion of the initial form and not the "Policy Exception Management Template".

• A process to evaluate and install software prior to integration into theu niversity environment should be followed and should include the following elements:  assessment of the impact on the current environment, remediation of any noted risks, disabling of  unnecessary services and permissions, documentation of configurations, testing and obtaining of  approvals.
• Where feasible and within licensing guidelines, a backup copy should be made prior to installation and a master retained off-site.
  
• Logical System Access and Security:
  • Passwords
    All computing devices should require entry of a user ID and complex password. See IS PS007 User Accounts and Acceptable Use and IS PS008 Passwords.
    
  • Administrator or Administrative Accounts
    The Tier 1 support staff for the school or division should be used for installation of any software or performance of administrative functions on computing devices. If the Tier 1 staff is not routinely used, the school or division should have a policy and procedure for permitting other individuals to engage in these tasks.
    
    Individuals with administrative access to computing devices must be familiar with and abide by the university's Acceptable Use Policy (see ISO PS007 User Accounts and Acceptable Use), as well as all technology standards, policies and procedures in using these rights. The default administrator and all other default privileged accounts should be renamed and passwords changed where technically possible.
    
    In addition, as the university transitions to new operating systems that require changes in practice:
    • The administrator or its equivalent account should not be the active user account;
    • User accounts should not have administrative privileges unless such access is required based on the user's routine university business activity; and
    • Administrator account or accounts with administrator rights should only be used when necessary and should have a secure password (see ISO PS008 Passwords).
      
  • System Time-Out
    All computing devices connected to the university's networks or used to store, process or transmit information of a proprietary or sensitive nature must be configured to lock or "time-out" after a short period of inactivity and require a user ID and password or other authentication mechanism to unlock the machine. Ten minutes is the recommended period before time-out. Schools and divisions should establish appropriate time-outs based on the business use of the device.
    
  • Security of data
    All portable computing devices and computing devices not demonstrably located in a secure area used to store, process or transmit sensitive information must maintain information of this nature in a secure fashion. Encryption of proprietary or sensitive data fields, files or storage partitions or encryption of the entire system storage area is the recommended method to secure data residing on system storage devices. If this data is transmitted over any network other than the university's internal network, the data or the transmission protocol should be encrypted. (See backup standard below - it is important that all proprietary or sensitive information be backed up to prevent loss in the event of equipment loss or hardware failure).
    • Systems used to store, transmit or access electronic Protected Health Information (ePHI):
      Computing devices in this category must use encryption as described above unless the device is maintained and used only in a highly secure, access controlled environment.
    • Systems used to store, transmit or access other sensitive information:
      Computing devices in this category must use encryption as described above unless the device is maintained and used only in a highly secure, access controlled environment.

    Note: Personal devices must not be used for sensitive information unless you are personally able to configure your device to comply with these standards or your university Tier support is able to configure the device and train you in operating the device in the necessary secure fashion.

  • Virtual Private Network (VPN) Access
    Any sensitive information accessed outside of the university must be accessed using the VPN client.  Please see http://louisville.edu/it/accounts/vpn for instructions for requesting and using the VPN.
    
  • Wireless Network Access
    Access to the university network via wireless technology must be appropriately configured to access the university's secure wireless network. See IS PS010 Network Service.
    
  • Protection from Malicious Software:
    All computing devices connected to the university's network adhere to this policy and standards. See IS PS014 Protection from Malicious Software.
    
  • Data Backup and Recovery
    • Files containing valuable information1 must be backed up (note that the university network drives may be suitable for many back-ups).
    • Back-ups will be performed on a regular basis.
    • Back-ups will be maintained in a secure environment removed from the physical location of the computing device.
    • Back-ups should be encrypted and must be encrypted if custody of the back-ups is entrusted to a third party (non-UofL personnel).
    • Ability to successfully recover back-up files will be tested by the school or division periodically.

    See IS PS015 Backup of Data, IS PS002 Business Continuity and Disaster Recovery.

All persons while conducting/performing work, teaching, research or study activity or otherwise using University resources. Scope/Applicability also includes all facilities, property, data and equipment owned, leased and/or maintained by the University or affiliates.

POLICY AUTHORITY / ENFORCEMENT:

The University's Information Security Officer (ISO) is responsible for the development, publication, modification and oversight of these policies and standards. The ISO works in conjunction with University Leadership, Information Technology, Audit Services and others for development, monitoring and enforcement of these policies and standards.

POLICY REVIEW:

This policy will be reviewed annually to determine if the policy addresses University risk exposure and is in compliance with the applicable security regulations and University direction. In the event that significant regulatory changes occur, this policy will be reviewed and updated as needed.

COMPLIANCE:

Failure to comply with these policies and standards and/or any related information security and/or information technology policy, standard or procedure may result in disciplinary action up to and including termination of employment, services or relationship with the University and/or action in accordance with local ordinances, state or federal laws.

Version / Revision Date / Description

1.0 / July 23, 2007 / Original Publication

1.1 / March 15, 2011 / Addition of VPN access

1.2 / June 21, 2011 / Addition of Active Directory language

1.3 / January 29, 2013 / Content Update

Approved July 23, 2007 by the Compliance Oversight Council
Shirley C Willihnganz, Executive Vice President and University Provost, Chair of the Compliance Oversight Council

[Next]