Type
Information Technology Policies
Category
Information Security Policies


The following are the minimum security requirements that must be followed for each DCL.

Systems Management

Data Classification Level (DCL)Minimum Security Requirements
Level 1: Public Data
  • Systems must be managed by an IT pro and put in their appropriate AD (Active Directory) container and tier. From there it will inherit appropriate security policies based on its role. Ex: Local firewall management, system security settings, etc.
  • Operating system and application services security patches are installed expediently (e.g., 30-days) and in a manner consistent with change management procedures. Products that no longer receive security updates from the vendor are not authorized.
  • Workstations must not be configured as servers.
  • Administrator passwords must meet the Password Standard.
Level 2: Sensitive Data
  • Must comply with DCL1 requirements.
Level 3: Restricted Data
Level 4: Highly Restricted Data
  • Must comply with DCL1, DCL2 and DCL3 requirements.
  • Workstations that hold DCL4 data must be encrypted. University-issued workstations must be encrypted using software/services authorized or provided by the central IT department.(See Encryption Standard)

Network & Remote Access Security

Data Classification Level (DCL)Minimum Security Requirements
Levels 1-3
  • Central IT departments and system administrators must ensure adherence to the Network Security Standard.
  • Automatic joining to unknown or untrusted networks should be turned off.
  • Device should not be used as a hotspot/access point for other devices.
  • University business must not be conducted on public/unsecured wireless networks (e.g., coffee shop Wi-Fi networks) except through the use of VPN or other secure remote access services as provided or authorized by your campus IT department.
Level 4 (Highly Restricted Data)
  • Must comply with DCL1, DCL2 and DCL3 requirements.
  • To remotely access systems containing DCL 4 data, the remote connection must originate from a university-owned and managed device. No personal devices may be used to remotely access systems containing DCL4 data directly.

Computer Virus Protection

  • Levels 1-4: 
    • A University approved antivirus software must be installed and managed by a centrally supported workstation management tool.
    • Anti-virus software configured to update signatures daily.

Physical Security

  • Levels 1-4: 
    • Computer screens must be locked when unattended.
    • Automatic screensaver lock must not exceed 15 minutes.
    • Desktop computers must be reasonably physically and logically secured when unattended. Computers stationed in public areas (i.e., kiosks), must be physically attached to a wall or work surface via cable or have physical walls or barriers to deter theft. Laptops and portable devices must be physically secured when unattended.
    • Strong consideration should be given to the use of system tracking software for users who travel with their computer.
    • Report lost or stolen computers/computing devices that are used for work purposes, regardless of ownership, to the appropriate Information Security Officer per the Mandatory Reporting Requirement.
    • Additional recommendations can be found in the Information Security Travel Standard.

Backup/Disaster Recovery

Levels 1-4: Backup media must be secured from unauthorized physical access. All original and current versions of information/data must be stored or backed up on university-owned or approved systems (servers). If the backup media is stored off-site, it must be encrypted or have a documented process to prevent unauthorized access. Data stewards are responsible for taking appropriate measures to ensure that data is available and secure.

Data Disposal

Levels 1-4: All computing devices that are sent to surplus or otherwise disposed of must follow University surplus property and data disposal policies.

Public Kiosks

  • Levels 1-4:
    • Publicly-accessible computers and kiosk-type computers must be configured to clear Internet cache.
    • Computers stationed in public areas, such as kiosks, must be physically attached to a wall or work surface via cable or have physical walls or barriers to deter theft.
    • University information/data must not be stored on a computer that could potentially be used by the public.

Personally-Owned Computers

  • Levels 1-3:
    • Personally owned computers used for University business must be managed according to the same standards as a university-issued device.
    • University business information/data must not be stored on a personally owned computer, except under certain circumstances when access to the Internet, and thus, access to central storage locations, is unavailable. In these circumstances, keeping University-related electronic materials on a personally owned computer should be temporary. 
    • Consult your IT support staff for information about how to store University information/data when using a personally owned computer.
  • Level 4:
    • University business information/data must not be stored on personally-owned devices.

System Hardening

Data Classification Level (DCL)Minimum Security Requirements
Levels 1-2
  • System must be on a protected network environment. University business must not be conducted on public/unsecured wireless networks (e.g., coffee shop Wi-Fi networks) except through the use of VPN or other secure remote access services as provided or authorized by your campus IT department.
  • Apply the principle of least privilege to user, admin and system accounts. All administrator or root access is logged. Administrative access to the workstation requires the use of a dedicated administrative account. Administrative accounts are not to be used as a primary user account or for non-administrative purposes.
  • Examples:
Levels 3-4
  • Must comply with DCL1, DCL2 and DCL3 requirements.
  • Enable automatic installation of available patches.
  • Services, applications and user accounts that are not being utilized are disabled or uninstalled. This includes renaming the local Administrator account and disabling guest accounts.
  • Services or applications running on systems that interact with confidential data must implement encrypted communications as required by confidentiality and integrity needs.(See Encryption Standard)
  • Whenever possible, all non-removable or (re-) writable media is configured with file systems that support access control. (i.e., NTFS/AFS)
  • Enforce password complexity requirements.

Travel

Levels 1-4: Review and follow the Information Security Travel Standard when traveling with a laptop or other mobile computing device.

Regulated Data Security Controls

Levels 1-4: Implement PCI, DSS, HIPAA or export controls as applicable.