
ISO PS012 Workstation and Computing Devices


Policy Name: Workstations and Computing Devices
Policy Number: IS PS012
Effective Date: July 23, 2007
Review Date: July 23, 2008
Last Revision Date: July 23, 2007
Last Revision By: Bruce Edwards
Contact Name: Bruce W. Edwards
Contact Email: ISOPolicy@louisville.edu
Approved By: Compliance Oversight Council
Version: 1.0


POLICY:

All workstations and other computing devices shall:

  • be maintained in an environment and manner so that access is reasonably restricted to authorized users only;
  • be used in a prudent manner so that data, system and network integrity is maintained to the highest degree reasonably possible; and
  • have operating systems and other software maintained in the most up-to-date and secure manner reasonably possible.

Note 1: All workstations and other computing devices used within the University that contain or transmit sensitive information or that attach to the University network are covered by this policy.

Note 2: If a standard cannot be met on a specific computing device for technical reasons, mitigating controls should be employed where possible.


STANDARDS:

Administrative standards:

  • Implementation
    The Dean of each School or Administrative Division Head is responsible for implementation of these security policies and standards, including methods to:
    • Educate the school or division users on computing device security practices.
    • Configure and maintain the school or division computing devices to meet these computing device security standards.
  • Documentation
    • Procedures for complying with these policies and standards, as well as any additional school or division policies, standards and procedures will be developed and maintained by the Dean or Division Head's designee for each school, division or other subsidiary unit.
    • All school or division policies, standards and procedures for computing devices must be well documented, up-to-date and meet the minimum requirements established in this policy and accompanying standards.
    • After review and approval by the Dean or Division Head's designee, documentation of procedures (as well as any additional policies or standards) is to be forwarded, in electronic format, to the Information Security Office for review and University records. All major updates to the documentation and their effective dates should be forwarded to the Information Security Office.
  • Compliance
    • Each school or division is expected to ensure compliance with these policies and standards as well as their own policies, standards and procedures.
    • The Information Security Officer will work with Audit Services, IT and others to schedule periodic audits of computing devices to further ensure compliance with the policies and standards.
  • Use of Computing Devices
    • Computing devices and access to the network and internet are provided to perform university functions.
  • Licensing
    • Licensing documentation must be maintained for any commercial software loaded on university owned computing devices.

Technical and physical standards:

  • System Maintenance:
    • All computing device operating systems and other software should be kept up-to-date by reviewing security updates, patches and tools on a regular schedule, and at least every 90 days. Automated update capabilities must be turned on.

  • Physical System Access:
    • Reasonable efforts should be made to limit and/or monitor physical access to computing devices to only authorized personnel. The computing device display screen should be positioned to minimize the chance for viewing by unauthorized individuals, where appropriate and feasible.
  • Systems used to store, transmit or access electronic Protected Health Information (ePHI).
    In addition to the physical security requirements above, each responsible area must:
    • Implement and maintain physical safeguards to restrict access to only authorized users for all computing devices that store, transmit or access ePHI.
    • Define the allowable functions, how these functions are to be performed and required physical surroundings of computing devices that access ePHI.
  • Software:
    • Operating systems and software currently supported by University IT should be used for University computing. See Supported Software List for more information.
    • Other operating systems and software are allowed if such software is:
      • currently supported by the vendor with security updates provided and applied as applicable;
      • approved for the use by and supported by your School/Division's technology management; and
      • in compliance with IS PS004 Policy Exception Management Process.
        Note: This is an example of the type of exception that will generally require only proper completion of the initial form and not the "Policy Exception Management Template".
  • Logical System Access and Security:
    • Passwords
      All computing devices should require entry of a user ID and complex password. See IS PS007 User Accounts and Acceptable Use and IS PS008 Passwords.
    • Administrator or Administrative Accounts
      The Tier 1 support staff for the School or Division should be used for installation of any software or performance of administrative functions on computing devices. If the Tier 1 staff is not routinely used, the School or Division should have a policy and procedure for permitting other individuals to engage in these tasks.

      Individuals with administrative access to computing devices must be familiar with and abide by the University's Acceptable Use Policy (see ISO PS007 User Accounts and Acceptable Use), as well as all technology standards, policies and procedures in using these rights. The default administrator account should be renamed where technically possible.

      In addition, as the university transitions to new operating systems that require changes in practice:
      • The Administrator or its equivalent account should not be the active user account;
      • User accounts should not have administrative privileges unless such access is required based on the user's routine university business activity; and
      • Administrator account or accounts with administrator rights should only be used when necessary and should have a secure password (see ISO PS008 Passwords).
    • System Time-Out
      All computing devices connected to the university's networks or used to store, process or transmit information of a proprietary or sensitive nature must be configured to lock or "time-out" after a short period of inactivity and require a user ID and password or other authentication mechanism to unlock the machine. Ten minutes is the recommended period before time-out. Schools and Divisions should establish appropriate time-outs based on the business use of the device.
    • Security of data
      All portable computing devices and computing devices not demonstrably located in a secure area used to store, process or transmit sensitive information must maintain information of this nature in a secure fashion. Encryption of proprietary or sensitive data fields, files or storage partitions or encryption of the entire system storage area is the recommended method to secure data residing on system storage devices. If this data is transmitted over any network other than the University's internal network, the data or the transmission protocol should be encrypted. (See backup standard below - it is important that all proprietary or sensitive information be backed up to prevent loss in the event of equipment loss or hardware failure).
      • Systems used to store, transmit or access electronic Protected Health Information (ePHI):
        Computing devices in this category must use encryption as described above unless the device is maintained and used only in a highly secure, access controlled environment.
      • Systems used to store, transmit or access other sensitive information:
        Computing devices in this category must use encryption as described above unless the device is maintained and used only in a highly secure, access controlled environment.

      Note: Personal devices must not be used for sensitive information unless you are personally able to configure your device to comply with these standards or your University Tier support is able to configure the device and train you in operating the device in the necessary secure fashion.

    • Wireless Network Access
      Access to the University network via wireless technology must be appropriately configured to access the University's secure wireless network. See IS PS010 Network Service.
    • Protection from Malicious Software:
      All computing devices connected to the University's network must adhere to the malicious-software policy and standards. See IS PS014 Protection from Malicious Software.
    • Data Backup and Recovery
      • Files containing valuable information must be backed up (note that the University network drives may be suitable for many back-ups).
      • Back-ups will be performed on a regular basis.
      • Back-ups will be maintained in a secure environment removed from the physical location of the computing device.
      • Back-ups should be encrypted and must be encrypted if custody of the back-ups is entrusted to a third party (non-UofL personnel).
      • Ability to successfully recover back-up files will be tested by the School or Division periodically.

      See IS PS015 Backup of Data, IS PS002 Business Continuity and Disaster Recovery.
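As an added example that is not part of the University's policy or its tooling, the following PowerShell script checks a Windows workstation against the technical standards above: automatic updates turned on and a patch applied within 90 days, every enabled local account requiring a password, the built-in Administrator account renamed, the routine user not holding administrative rights, and a screen lock of ten minutes or less. It assumes Windows 10 or later with PowerShell 5.1 and the Microsoft.PowerShell.LocalAccounts module, and that it runs in the session of the user being assessed (so HKCU refers to that user). The registry locations and cmdlets are standard Windows ones; the function name Test-PS012Compliance and the 600-second threshold are the example's own choices, the latter taken from the recommended ten-minute time-out.

```powershell
# Added example, not University of Louisville code. Checks a Windows host
# against several IS PS012 technical standards and returns the findings.
# Assumes Windows 10+ with PowerShell 5.1 (Microsoft.PowerShell.LocalAccounts).
function Test-PS012Compliance {
    [CmdletBinding()]
    param([int]$MaxPatchAgeDays = 90, [int]$MaxLockSeconds = 600)

    $findings = New-Object System.Collections.Generic.List[string]

    # --- System Maintenance: automatic updates on, a patch installed within 90 days ---
    $au = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    if ($au -and $au.NoAutoUpdate -eq 1) {
        $findings.Add('Automatic updates are disabled by policy (WindowsUpdate\AU NoAutoUpdate=1).')
    }
    $lastPatch = Get-HotFix | Where-Object { $_.InstalledOn } |
                 Sort-Object InstalledOn -Descending | Select-Object -First 1
    if (-not $lastPatch -or $lastPatch.InstalledOn -lt (Get-Date).AddDays(-$MaxPatchAgeDays)) {
        $when = if ($lastPatch) { $lastPatch.InstalledOn.ToShortDateString() } else { 'none recorded' }
        $findings.Add("No update installed in the last $MaxPatchAgeDays days (latest: $when).")
    }

    # --- Passwords: every enabled local account must require a password ---
    Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordRequired } | ForEach-Object {
        $findings.Add("Enabled local account '$($_.Name)' does not require a password.")
    }

    # --- Administrative accounts: built-in Administrator (RID 500) renamed and not in use ---
    $builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    if ($builtinAdmin -and $builtinAdmin.Name -eq 'Administrator') {
        $findings.Add('Built-in Administrator account has not been renamed.')
    }
    $me = [Security.Principal.WindowsIdentity]::GetCurrent()
    if ($builtinAdmin -and $me.User.Value -eq $builtinAdmin.SID.Value) {
        $findings.Add('This session is running as the built-in Administrator account.')
    }
    # Group membership, not token elevation, tells us whether the daily account is privileged.
    $adminSids = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
                 ForEach-Object { $_.SID.Value }
    if ($adminSids -contains $me.User.Value) {
        $findings.Add("Routine account '$($me.Name)' is a member of Administrators; use a standard account for daily work.")
    }

    # --- System Time-Out: lock after inactivity, ten minutes recommended ---
    # Either a machine inactivity limit (HKLM policy) or a secure screen saver (HKCU) satisfies it.
    $sysPol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
    $machineLimit = if ($sysPol -and $sysPol.InactivityTimeoutSecs) { [int]$sysPol.InactivityTimeoutSecs } else { 0 }
    $desk = Get-ItemProperty 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
    $saverSecure = $desk -and $desk.ScreenSaveActive -eq '1' -and $desk.ScreenSaverIsSecure -eq '1'
    $saverTimeout = if ($desk -and $desk.ScreenSaveTimeOut) { [int]$desk.ScreenSaveTimeOut } else { 0 }
    $machineOk = ($machineLimit -gt 0 -and $machineLimit -le $MaxLockSeconds)
    $saverOk   = ($saverSecure -and $saverTimeout -gt 0 -and $saverTimeout -le $MaxLockSeconds)
    if (-not ($machineOk -or $saverOk)) {
        $findings.Add("No inactivity lock of $MaxLockSeconds seconds or less is configured (machine limit: $machineLimit s; secure screen saver: $saverSecure, $saverTimeout s).")
    }

    return $findings
}

# Usage: print one line per finding; an empty result means every check passed.
$result = Test-PS012Compliance
if ($result.Count -eq 0) { 'No IS PS012 findings.' } else { $result | ForEach-Object { "FINDING: $_" } }
```

The checks read registry values and local account state only; they change nothing, so the script can be run as part of a School or Division's periodic audit before the Information Security Office's own review. Encryption at rest and backup status are deliberately left out here because the right evidence for those depends on which encryption product and backup service the unit uses.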


SCOPE / APPLICABILITY:

All persons while conducting/performing work, teaching, research or study activity or otherwise using University resources. Scope/Applicability also includes all facilities, property, data and equipment owned, leased and/or maintained by the University or affiliates.

POLICY AUTHORITY / ENFORCEMENT:

The University's Information Security Officer (ISO) is responsible for the development and oversight of these policies and standards. The ISO works in conjunction with University Leadership, Information Technology, Audit Services and others for development, monitoring and enforcement of these policies and standards.

POLICY REVIEW:

This policy will be reviewed annually to determine if the policy is in compliance with the applicable security regulations and University direction. In the event that significant regulatory changes occur, this policy will be reviewed and updated as needed.

COMPLIANCE:

Failure to comply with these policies and standards and/or any related information security and/or information technology policy, standard or procedure may result in disciplinary action up to and including termination of employment, services or relationship with the University and/or action in accordance with local ordinances, state or federal laws.


REVISION HISTORY:

Version / Revision Date / Description

1.0 / July 23, 2007 / Original Publication


This policy is subject to change or termination by the University at any time. This policy SUPERSEDES all prior policies, procedures or advisories pertaining to the same subject.

Approved July 23, 2007 by the Compliance Oversight Council
Shirley C Willihnganz, Executive Vice President and University Provost, Chair of the Compliance Oversight Council
