Procedures for complying with these policies and standards, as well as any additional school or departmental policies, standards and procedures will be developed and maintained by the Dean or Department Head's designee for each school, department or other subsidiary unit.
All school or departmental policies, standards and procedures for computing devices must be well documented, up-to-date and meet the minimum requirements established in this policy, accompanying standards, or other compliance requirements (HIPAA and PCI).
Each school or department is expected to ensure compliance with these policies and standards as well as their own policies, standards and procedures.
The Information Security Officer will work with Audit Services, IT and others to schedule periodic audits of computing devices to further ensure compliance with the policies and standards.
Use of Computing Devices
Computing devices and access to the network and internet are provided to perform university functions.
Licensing documentation must be maintained for any commercial software loaded on university owned computing devices (see ISO-003 for additional licensing requirements).
Where technically possible, all workstations and other computing devices purchased with university funds/owned by the University that are connected to the university network must adhere to university technology requirements that include the utilization of a supported form of whole-disk encryption. The university policy exception process must be followed for devices not meeting this requirement.
Technical and Physical standards:
All operating systems and other software should be kept up-to-date by installing all available security updates and patches on a regular schedule but not less often than every 30 days. Automated update capabilities must be turned on.
Physical System Access:
Reasonable efforts should be made to limit and/or monitor physical access to computing devices to only authorized personnel only. Devices, including removable media, should be equipped with anti-theft devices. Where appropriate and feasible access doors and windows should be secured and computing device display screens should be positioned to minimize the chance for viewing by unauthorized individuals.
Systems used to store, transmit or access electronic Protected Health Information (ePHI):
In addition to the physical security requirements above, each responsible area must:
Implement and maintain physical safeguards to restrict access to only authorized users for all computing devices that store, transmit or access ePHI.
Define the allowable functions, how these functions are to be performed and required physical surroundings of computing devices that access ePHI.
Operating systems and software currently supported by University IT should be used for university computing. See Supported Software List for more information.
Other operating systems and software are allowed if such software is:
A process to evaluate and install software prior to integration into the university environment should be followed and should include the following elements: assessment of the impact on the current environment, identification/remediation of any noted risks, disabling of unnecessary services and permissions, documentation of configurations, testing and obtaining of approvals.
Where feasible and within licensing guidelines, a backup copy should be made prior to installation and a master retained off-site.
Logical System Access and Security:
Administrator or Administrative Accounts (i.e., Admin or Sys accounts)
The Tier 1 support staff for the school or department must be used for installation of any software or performance of administrative (privileged) functions on computing devices. If the Tier 1 staff is not routinely used, the school or department must have a policy and procedure for permitting other individuals to engage in these tasks.
Individuals with administrative access to computing devices must be familiar with and abide by the university's Acceptable Use Policy (see ISO-007 User Accounts and Acceptable Use), as well as all technology standards, policies and procedures in utilizing this level of access. The default administrator and all other default, privileged accounts must be renamed and passwords changed where technically possible.
In addition, as the university transitions to new operating systems that require changes in practice:
The administrator or its equivalent account should not be the active user account;
User accounts should not have administrative privileges unless such access is required based on the user's routine university business activity; and
Administrator account or accounts with administrator rights must only be used when necessary and should have a secure password (see ISO-008 Passwords).
All computing devices connected to the university's networks or used to store, process or transmit information of a proprietary or sensitive nature must be configured to lock or "time-out" after a short period of inactivity and require a user ID and password or other authentication mechanism to unlock the machine. Ten minutes is the recommended period before time-out. Schools and departments must establish appropriate time-outs based on the business use of the device.
Security of data:
All portable computing devices and computing devices not demonstrably located in a secure area used to store, process or transmit sensitive information must maintain information of this nature in a secure fashion. Encryption of proprietary or sensitive data fields, files or storage partitions or encryption of the entire system storage area is the recommended method to secure data. If this data is transmitted over any network other than the university's internal network, the data or the transmission protocol should also be encrypted. (See backup standard below - it is important that all proprietary or sensitive information be backed up to prevent loss in the event of hardware failure or equipment loss, destruction, or theft).
Systems used to store, transmit or access electronic Protected Health Information (ePHI): Computing devices in this category must use encryption as described above unless the device is maintained and used only in a highly secure, access controlled environment.
Systems used to store, transmit or access other sensitive information:
Computing devices in this category must use encryption as described above unless the device is maintained and used only in a highly secure, access controlled environment.
Note: Personal devices must not be used for sensitive information unless you are personally able to configure your device to comply with these standards or your university Tier 1 support is able to configure the device and train you in operating the device in the required secure fashion.
Virtual Private Network (VPN) Access:
Any sensitive information accessed outside of the university must be accessed using the VPN client. Please see http://louisville.edu/it/departments/enterprise-security/information/vpn for instructions for requesting and using the VPN.
Wireless Network Access:
Access to the university network via wireless technology must be appropriately configured to access the university's secure wireless network. See ISO-010 Network Service.
Protection from Malicious Software:
All computing devices connected to the university's network adhere to this policy and standards. See ISO-014 Protection from Malicious Software.
Data Backup and Recovery:
Files containing valuable information must be backed up (university network drives may be suitable locations and are automatically backed up).
Back-ups will be performed on a regular basis.
Back-ups will be maintained in a secure environment removed from the physical location of the computing device.
Back-ups should be encrypted and must be encrypted if custody of the back-ups is entrusted to a third party (non-UofL personnel).
Back-ups must be recoverable and tested by the school or department periodically.
See IS0-015 Backup of Data, ISO-002 Business Continuity and Disaster Recovery