Pol-Workstation and Computing Devices
policy Workstation Computing Devices modified Wed Oct 19 2022 11:27:29 GMT-0400 (Eastern Daylight Time)
University of Louisville
OFFICIAL
UNIVERSITY
ADMINISTRATIVE
POLICY
POLICY NAME
Workstation and Computing Devices
EFFECTIVE DATE
July 23, 2007
POLICY NUMBER
ISO-012 v2.1
POLICY APPLICABILITY
This policy applies to all University workforce, faculty and student members (including, but not limited to: faculty, staff, students, temps, trainees, volunteers, and other persons as deemed appropriate) while conducting/performing work, teaching, research or study activity using University resources and includes all facilities, property, data and equipment owned, leased and/or maintained by the University or affiliates.
REASON FOR POLICY
To ensure implementation of computing device controls (university and personal owned) in order to protect the confidentiality, integrity and availability of University data.
POLICY STATEMENT
All computing devices shall:
- If connected to the university network and capable of running active directory, [1] be a part of the university’s Active Directory domain, to ensure password synchronization with central authentication services and to facilitate updating of security controls and enterprise software;
- Be maintained in an environment and manner so that access is reasonably restricted to authorized users only;
- Be used in a prudent manner so that data, system and network integrity is maintained to the highest degree reasonably possible; and
- Have operating systems and other software maintained in the most up-to-date and secure manner reasonably possible.
[1] Macintosh computers are capable of using Active Directory, but are limited to authentication services only. Mobile devices, such as iPads, utilize synching software to connect to the university network and therefore, are exempt from the Active Directory requirement.
Note 1: All computing devices (including personal and mobile) used within the University that contain or transmit sensitive information or that attach to the university network are covered by this policy.
Note 2: If the standard is not technically possible for the specific computing device then a security exception should be filed and mitigating controls should be employed. Non-AD connected devices should utilize automatic update processes to ensure updating of system and software security protections.
STANDARDS
Administrative standards:
Documentation
Procedures for complying with these policies and standards, as well as any additional school or departmental policies, standards and procedures will be developed and maintained by the Dean or Department Head's designee for each school, department or other subsidiary unit.
All school or departmental policies, standards and procedures for computing devices must be well documented, up-to-date and meet the minimum requirements established in this policy, accompanying standards, or other compliance requirements (HIPAA and PCI).
Compliance
Each school or department is expected to ensure compliance with these policies and standards as well as their own policies, standards and procedures.
The Information Security Officer will work with Audit Services, IT and others to schedule periodic audits of computing devices to further ensure compliance with the policies and standards.
Use of Computing Devices
Computing devices and access to the network and internet are provided to perform university functions.
Licensing
Licensing documentation must be maintained for any commercial software loaded on university owned computing devices (see ISO-003 for additional licensing requirements).
Encryption
Where technically possible, all workstations and other computing devices purchased with university funds/owned by the University that are connected to the university network must adhere to university technology requirements that include the utilization of a supported form of whole-disk encryption. The university policy exception process must be followed for devices not meeting this requirement.
Technical and Physical standards:
System Maintenance:
All operating systems and other software should be kept up-to-date by installing all available security updates and patches on a regular schedule but not less often than every 30 days. Automated update capabilities must be turned on.
Physical System Access:
Reasonable efforts should be made to limit and/or monitor physical access to computing devices to only authorized personnel only. Devices, including removable media, should be equipped with anti-theft devices. Where appropriate and feasible access doors and windows should be secured and computing device display screens should be positioned to minimize the chance for viewing by unauthorized individuals.
Systems used to store, transmit or access electronic Protected Health Information (ePHI):
In addition to the physical security requirements above, each responsible area must:
- Implement and maintain physical safeguards to restrict access to only authorized users for all computing devices that store, transmit or access ePHI.
- Define the allowable functions, how these functions are to be performed and required physical surroundings of computing devices that access ePHI.
Software:
Operating systems and software currently supported by University IT should be used for university computing. See Supported Software List for more information.
Other operating systems and software are allowed if such software is:
- Currently supported by the vendor with security updates provided and applied as they become available;
- Approved for the use by and supported by your school/department's technology management; and
- In compliance with ISO-004 Policy Exception Management Process. Note: This is an example of the type of exception that will generally require only proper completion of the initial form and not the "Policy Exception Management Template".
A process to evaluate and install software prior to integration into the university environment should be followed and should include the following elements: assessment of the impact on the current environment, identification/remediation of any noted risks, disabling of unnecessary services and permissions, documentation of configurations, testing and obtaining of approvals.
Where feasible and within licensing guidelines, a backup copy should be made prior to installation and a master retained off-site.
Logical System Access and Security:
-
Passwords
All computing devices should require entry of a user ID and complex password. See ISO-007 User Accounts and Acceptable Use and ISO-008 Passwords. -
Administrator or Administrative Accounts (i.e., Admin or Sys accounts)
The Tier 1 support staff for the school or department must be used for installation of any software or performance of administrative (privileged) functions on computing devices. If the Tier 1 staff is not routinely used, the school or department must have a policy and procedure for permitting other individuals to engage in these tasks.
Individuals with administrative access to computing devices must be familiar with and abide by the university's Acceptable Use Policy (see ISO-007 User Accounts and Acceptable Use), as well as all technology standards, policies and procedures in utilizing this level of access. The default administrator and all other default, privileged accounts must be renamed and passwords changed where technically possible.
In addition, as the university transitions to new operating systems that require changes in practice:- The administrator or its equivalent account should not be the active user account;
- User accounts should not have administrative privileges unless such access is required based on the user's routine university business activity; and
- Administrator account or accounts with administrator rights must only be used when necessary and should have a secure password (see ISO-008 Passwords).
-
System Time-Out
All computing devices connected to the university's networks or used to store, process or transmit information of a proprietary or sensitive nature must be configured to lock or "time-out" after a short period of inactivity and require a user ID and password or other authentication mechanism to unlock the machine. Ten minutes is the recommended period before time-out. Schools and departments must establish appropriate time-outs based on the business use of the device.
Security of data:
All portable computing devices and computing devices not demonstrably located in a secure area used to store, process or transmit sensitive information must maintain information of this nature in a secure fashion. Encryption of proprietary or sensitive data fields, files or storage partitions or encryption of the entire system storage area is the recommended method to secure data. If this data is transmitted over any network other than the university's internal network, the data or the transmission protocol should also be encrypted. (See backup standard below - it is important that all proprietary or sensitive information be backed up to prevent loss in the event of hardware failure or equipment loss, destruction, or theft).
- Systems used to store, transmit or access electronic Protected Health Information (ePHI): Computing devices in this category must use encryption as described above unless the device is maintained and used only in a highly secure, access controlled environment.
-
Systems used to store, transmit or access other sensitive information:
Computing devices in this category must use encryption as described above unless the device is maintained and used only in a highly secure, access controlled environment.
Note: Personal devices must not be used for sensitive information unless you are personally able to configure your device to comply with these standards or your university Tier 1 support is able to configure the device and train you in operating the device in the required secure fashion.
Virtual Private Network (VPN) Access:
Any sensitive information accessed outside of the university must be accessed using the VPN client. Please see Virtual Private Network for instructions for requesting and using the VPN.
Wireless Network Access:
Access to the university network via wireless technology must be appropriately configured to access the university's secure wireless network. See ISO-010 Network Service.
Protection from Malicious Software:
All computing devices connected to the university's network adhere to this policy and standards. See ISO-014 Protection from Malicious Software.
Data Backup and Recovery:
- Files containing valuable information must be backed up (university network drives may be suitable locations and are automatically backed up).
- Back-ups will be performed on a regular basis.
- Back-ups will be maintained in a secure environment removed from the physical location of the computing device.
- Back-ups should be encrypted and must be encrypted if custody of the back-ups is entrusted to a third party (non-UofL personnel).
- Back-ups must be recoverable and tested by the school or department periodically.
See IS0-015 Backup of Data, ISO-002 Business Continuity and Disaster Recovery.
DEFINITIONS
Computing Devices
Includes but is not limited to workstations, desktop computers, notebook computers, tablet computers, network enabled printers, scanners and multi-function devices, PDAs, email/messaging devices and cell phones, all hereafter referred to as "computing devices".
ePHI
Electronic Protected Health Information - Health information maintained or transmitted in an electronic format that:
1. Identifies or could be used to identify an individual;
2. Is created or received by a healthcare provider, health plan, employer or healthcare clearinghouse; and
3. Relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of healthcare to an individual.
Sensitive Information
Information of a confidential or proprietary nature and other information that would not be routinely published for unrestricted public access or where disclosure is prohibited by laws, regulations, contractual agreements or University policy. This includes (but is not limited to) full name or first initial and last name and employee ID (in combination), identifiable medical and health records, grades and other enrollment information, credit card, bank account and other personal financial information, social security numbers, grant reviews, dates of birth (when combined with name, address and/or phone numbers), user IDs when combined with a password, etc. Sensitive information does not include personal information of a particular individual which that individual elects to reveal (such as via opt-in or opt-out mechanisms) (see Information Management and Classification Standard).
RESPONSIBILITIES
The Dean of each school or Administrative Department Head is responsible for implementation of these security policies and standards, including methods to: (a) Educate the school or department users on computing device security practices. (b) Configure and maintain the school or department computing devices to meet these computing device security standards.
Policy Authority/Enforcement: The University's Information Security Officer (ISO) is responsible for the development, publication, modification and oversight of these policies and standards. The ISO works in conjunction with University Leadership, Information Technology, Audit Services and others for development, monitoring and enforcement of these policies and standards.
Policy Compliance: Failure to comply with these policies and standards and/or any related information security and/or information technology policy, standard or procedure may result in disciplinary action up to and including termination of employment, services or relationship with the University and/or action in accordance with local ordinances, state or federal laws.
ADMINISTRATIVE AUTHORITY
Vice President for Risk, Audit, and Compliance
RESPONSIBLE UNIVERSITY DEPARTMENT/DIVISION
Information Security Office
502-852-6692
isopol@louisville.edu
HISTORY
This policy is subject to change or termination by the University at any time. This policy SUPERSEDES all prior policies, procedures or advisories pertaining to the same subject.
This policy will be reviewed annually to determine if the policy addresses University risk exposure and is in compliance with the applicable security regulations and University direction. In the event that significant regulatory changes occur, this policy will be reviewed and updated as needed per the Policy Management process.
Approved July 23, 2007 by the Compliance Oversight Council
Shirley C Willihnganz, Executive Vice President and University Provost, Chair of the Compliance Oversight CounciL
Revision Date(s):
1.0 / July 23, 2007 / Original Publication
1.1 / March 15, 2011 / Addition of VPN access
1.2 / June 21, 2011 / Addition of Active Directory language
1.3 / January 29, 2013 / Content Update
2.0 / March 8, 2016 / Review/update content and update to template format
2.1 / June 19, 2017 / Review and updated content to include University owned device encryption per EIT 2016 standard
2.1 / October 10, 2018 / Review and update grammar (should/must, division/department) and punctuation. Add reference to HIPAA/PCI compliance.
Reviewed Date(s): September 29, 2014; March 8, 2016; June 19, 2017; October 10, 2018
The University Policy and Procedure Library is updated regularly. In order to ensure a printed copy of this document is current, please access it online at http://louisville.edu/policies.