Regulated Computer Policy – Security and Management Guidelines
The specific requirements of the policy depend somewhat on local circumstances, including the sensitivity of data and the risk of computer compromise. It is difficult to provide a simple checklist of actions that do or do not satisfy the requirements. Rather, administrators of regulated computers should attend carefully to the following five areas, taking appropriate steps to meet the general requirement that regulated computers be managed securely and reliably to prevent unauthorized access of sensitive data.
- Administration. Regulated computers should be managed to professional standards, preferably by well-trained University employees or contractors with sufficient knowledge and resources to ensure that data on them are properly secured. For example, a regulated computer should be backed up regularly and completely, with backups kept physically separate from the computer itself. Operating systems and network-aware applications on regulated computers should be patched and maintained to the most current level provided by their manufacturers.
- Services. Regulated computers should run no programs or services that are not necessary to their core purpose. For example, regulated computers that contain substantial quantities of sensitive data should not run Web or file-sharing services, since these are frequently targeted and compromised by outsiders. Network-aware client software on regulated computers, such as Web browsers or email readers, should block the automatic execution of attachments, graphical files, or other common carriers of computer viruses, Trojans, or worms.
- Users and accounts. Regulated computers should prevent unauthenticated users from running programs or accessing raw data. For example, there should be no “guest” shared, or general-purpose accounts on regulated computers. Accounts with substantial system-administration privileges should be granted only to a few individuals with general management responsibility for the systems in question, and never to individuals without University faculty or staff appointments. In general, system-administrator and similar “root” accounts should be used only when strictly required.
- Access. User-authentication processes should encrypt or otherwise protect username/password exchanges from interception. In general, login or shell access to regulated computers must be restricted to the campus network, with virtual private networking used for off-campus access. All user passwords should meet or exceed IT Services’ complexity requirements for CNet passwords. In addition, users with extensive access to regulated computers should be sure never to use the corresponding passwords for other purposes, and should avoid recording or writing passwords where they might be discovered.
- Security. Regulated computers should be reasonably secured against unauthorized access, including data interception and compromise. For example, regulated computers should connect to the network using technologies that are reasonably secure from sniffing, which excludes unencrypted hub or wireless connections. Regulated computers must run antivirus software, updating definition files frequently. They should run host-based firewall or equivalent port-blocking software, configured to disable all ports not necessary for system functioning.
There are other obvious measures persons responsible for regulated computers should take. For example, host names that signal the presence of sensitive data are a bad idea: “x45jk.uchicago.edu” is a much better host name than “accesslist.uchicago.edu” or “staffdata.uchicago.edu” Similarly, someone whose workstation has automatic access to financial data should not permit family members to use that machine. Common sense is at least as important as formal requirements.
Regulated computers are subject to random and unannounced security scanning and auditing by IT Services and/or the University’s internal auditors.
See Regulated Computer Registration to learn how to register.
Expiration Date: August 15, 2014
Policy Owner: sbookerc