HSC PC Security Practices

Health Sciences Center

PC Security Practices

Revision 2

December 17, 2003


Table of Contents

1 Introduction 1

2 Definition of a covered PC 1

3 PC Security Policy 1

4 PC Security Standards 1

4.1 Administrator 1

4.2 Passwords 2

4.3 Physical Security 2

4.4 Virus Protection 2

4.5 Screen Saver 2

5 PC Security Procedures 2

5.1 Password Confidentiality 2

5.2 Unattended PC 3

5.3 Operating System (OS) Security Updates 3

5.4 Enterprise Software Security Updates 3

5.5 File Backup 3

5.6 Documentation 3

5.7 Implementation 3


1  Introduction

The purpose of this document is to establish an initial PC security policy for the UofL Health Sciences Center (HSC) and to communicate the policy and its implementation practices to the HSC academic community.

This document is not intended to present the full set of HSC PC security policies and their practices; these are in the process of being developed. However, there is one policy and several of its practices that are relatively straightforward to implement and that can provide an appreciable level of security in the short term. This document presents these “quick-and-dirty” but effective and worthwhile security practices.

This document does not address those security measures that are already implemented by the University IT Department (IT), such as user ID assignment, password management, and network authentication.

As additions or changes to the policies and practices are adopted, they will be documented and communicated in revisions of this document.

2  Definition of a covered PC

A covered PC is any PC that is anticipated to be directly used by an HSC faculty or staff member on a regular basis for HSC-related purposes, including, but not limited to, storage of HSC-related information and access to the University network. If the PC is not available for administration by the University or by one or more of its faculty or staff, then the PC is not covered. The actual owner (e.g., University, personal), location (e.g., office, clinic, home), network connection (e.g., University network, cable, DSL, dial-up), or functions of the PC are not relevant to whether the PC is covered or not.

For the purposes of this definition, a PC is any computing device that is typically used by one person at a time, regardless of form factor (e.g., desktop, laptop, notebook, tablet), manufacturer (e.g., Dell, IBM, Hewlett-Packard, Compaq, Apple), or operating system (e.g., Linux, Windows, Macintosh). At the present time, the device typically referred to as a personal digital assistant (PDA) is not considered to be a PC.

3  PC Security Policy

Reasonable and appropriate measures shall be taken to secure a covered PC from unauthorized access to its contents and connections.

4  PC Security Standards

4.1  Administrator

Where possible and reasonable, a Windows Administrator or its equivalent is active and available on a covered PC, and a password is required to log on to the PC as Administrator (see Section 4.2).

4.2  Passwords

Logging on to a covered PC by a person requires entry of a user ID and password.

A password used by a person for accessing a covered PC conforms to the following:

·  At least 8 characters, including at least one numeral, one lowercase letter, and one uppercase letter.

·  No character sequence that is the person’s name or birth date, a family member’s name or birth date, a pet’s name, the user ID, or any other word or phrase that might reasonably be associated with the person.
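The Section 4.2 standard expressed as a checker that a School could run when a password is chosen (an added example, not part of the original document). The set of date spellings and the minimum length of a name fragment are assumptions; the sample user data is constructed.

```python
"""Checker for the Section 4.2 password standard (added example, not HSC code)."""
from datetime import date
import re

# Constructed sample data for the usage call below (not real user information).
SAMPLE_BIRTH_DATE = date(1970, 3, 9)


def _date_forms(d):
    """Assumed set of ways a birth date might be typed into a password."""
    return {
        d.strftime("%Y%m%d"), d.strftime("%m%d%Y"), d.strftime("%d%m%Y"),
        d.strftime("%m%d%y"), d.strftime("%d%m%y"), d.strftime("%Y"),
        d.strftime("%m%d"), d.strftime("%b%d").lower(), d.strftime("%B%d").lower(),
    }


def associated_terms(user_id, names, birth_dates):
    """Lowercase terms that must not appear anywhere in the password:
    the user ID, each name fragment of 3+ letters (assumed cutoff), and
    each birth date in the assumed spellings."""
    terms = {user_id.lower()}
    for name in names:
        for part in re.split(r"[\s\-']+", name.lower()):
            if len(part) >= 3:
                terms.add(part)
    for d in birth_dates:
        terms |= _date_forms(d)
    return terms


def check_password(password, user_id, names=(), birth_dates=()):
    """Return the list of standard violations; an empty list means it conforms."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"\d", password):
        problems.append("no numeral")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    lowered = password.lower()  # the substring test is case-insensitive
    for term in sorted(associated_terms(user_id, names, birth_dates)):
        if term in lowered:
            problems.append(f"contains associated term {term!r}")
    return problems


if __name__ == "__main__":
    print(check_password("Smith1970", "jsmith", ["Jane Smith", "Rex"], [SAMPLE_BIRTH_DATE]))
```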

4.3  Physical Security

Every reasonable effort is made to limit and/or monitor physical access to a covered PC.

Where appropriate and feasible, the display device of a covered PC is situated such that the opportunities for unauthorized viewing are minimized.

4.4  Virus Protection

University-provided anti-virus software or equivalent is installed on a covered PC.

The anti-virus software on a covered PC is configured to include at least all of the following:

·  Activate on starting up the PC.

·  Automatically update the virus definition and anti-virus software on the PC.

·  Check for viruses in incoming and outgoing email.

·  Check for viruses in downloaded files.

The anti-virus software on a covered PC is not uninstalled or disabled except for brief and attended periods as required to install other software or to maintain or repair the PC.

4.5  Screen Saver

A covered PC is configured with a password-protected screen saver that activates within five minutes of no user activity on the PC.

5  PC Security Procedures

5.1  Password Confidentiality

A password is confidential and shall not be shared with other people or be publicly available at or near a covered PC.

An Administrator password may be shared among a controlled and limited group of persons who are designated as administrators of the covered PC. The Administrator password shall be changed at least every six months and shall be immediately changed if the password is compromised by becoming known outside the limited group of administrators.

If a user has administrator privileges on a covered PC, the user shall not change the Administrator password unless the user is also a designated Administrator for the PC.

5.2  Unattended PC

Before a user leaves the immediate vicinity of a covered PC to which the user is logged on, the user shall do one of the following:

·  Lock the PC.

·  Log off the PC.

·  Restart the PC (without logging on to it again).

·  Shut down the PC (including powering it off).

5.3  Operating System (OS) Security Updates

The OS of a covered PC shall be kept up to date with regard to security.

5.4  Enterprise Software Security Updates

Any application installed on a covered PC shall be kept up to date with regard to security.

5.5  File Backup

Files containing valuable information shall be backed up.

5.6  Documentation

The following documentation shall be maintained:

·  For each covered PC:

   ·  Administrator account: enabled or not.

      ·  If not enabled, the reason it is not present.

      ·  If enabled, the Administrator password.

   ·  Virus protection: installed.

   ·  Screen saver: inactivity period for activation.

·  For each Administrator password:

   ·  The name of each person to whom the password has been given.

   ·  The date the password was last changed.

5.7  Implementation

The Dean of each HSC School is responsible for implementing the HSC PC security policies, standards, and procedures, including:

·  Educating the School’s users on PC security practices.

·  Configuring and maintaining the School’s covered PCs to meet the PC security standards.

The HSC Office of the Associate Vice-President for Health Affairs/Health Informatics is responsible for providing documentation for implementing the HSC PC security practices, including:

·  Techniques for implementing the standards.

·  Information for users.

Revision 2 Page 3 December 4, 2003