ROWAN UNIVERSITY POLICY
Title: Workstation Use and Security Policy
Subject: Information Security
Policy No: ISO: 2013:03
Issuing Authority: Senior Vice President for Information Resources and Technology and Chief Information Officer
Responsible Officer: Director of Information Security
Last Revision: 09/10/2018
This policy specifies the appropriate use and security applicable to ROWAN’s workstations.
Under the direction of the President, the Chief Information Officer and the University’s Director of Information Security shall implement and ensure compliance with this policy.
This policy applies to all members of the ROWAN community.
- Administrative Safeguards – administrative actions, and policies and procedures to manage the selection, development, implementation, and maintenance of security measures to protect the University’s information assets and to manage the conduct of the University community in relation to the protection of those information assets.
- Availability – the expectation that information is accessible by ROWAN when needed.
- Confidentiality – the expectation that only authorized individuals, processes, and systems will have access to ROWAN’s information.
- Information System – consists of one or more components (e.g., application, database, network, or web) that are hosted in a University campus facility and which may provide network services, storage services, decision support services, or transaction services to one or more business units.
- Integrity – the expectation that Rowan's information will be protected from improper, unauthorized, destructive, or accidental changes.
- Physical Safeguards – physical measures, policies, and procedures to protect the University’s information assets from natural and environmental hazards, and unauthorized intrusion.
- Removable Media – including, but not limited to, CDs, DVDs, storage tapes, flash devices (e.g., CompactFlash and SD cards, USB flash drives), and portable hard drives.
- Technical Safeguards – the technology and the policy and procedures for its use that protect the University’s electronic information and control access to it.
- ROWAN Community – faculty, staff, non-employees, students, attending physicians, contractors, covered entities, and agents of ROWAN.
- Workstations – desktop computers and laptops.
ROWAN’s workstations are provided by the University for business, academic, and research use. They must be used in accordance with the University’s policies and secured against unauthorized access.
In order to protect the confidentiality, integrity, and availability of ROWAN’s electronic information and information systems, activity may be reviewed, logs captured, and access monitored without notification.
- Workstation Use
  - Removable Media: Connecting personal removable media, particularly portable hard drives and USB thumb drives, to ROWAN workstations is prohibited.
  - Users must not save on workstations information classified Confidential, Private, or otherwise considered sensitive or privileged information, unless it is appropriately secured against theft or loss.
  - Users and business units should consult with their IT services organization, the Office of Ethics, Compliance and Corporate Integrity, and the Office of Legal Management regarding what kind of security is appropriate for the sensitive information they store on their local workstations.
  - Outlook email archives are automatically stored locally on workstations. If email archives contain sensitive information (in the message body or in an attachment), they must be secured against theft or loss of the workstation.
  - Sensitive information should be saved in folders with access limited to those individuals authorized to access the information.
  - Folder access entitlements must be reviewed according to the University’s “Information Security: Electronic Information and Information Systems Access Control policy.”
  - Users must log off or lock their workstations when the workstations are not in use.
  - Users should consider using a privacy screen to prevent unauthorized people from viewing information on their workstation screen.
  - Users must consult with their IT services organization before installing software or connecting hardware that has not been issued or purchased by ROWAN.
  - When installing personal software authorized by ROWAN, users must provide and retain proof of purchase and licenses (unless the software is offered free by the software developer).
- Workstation Security
  - Workstation builds must incorporate ROWAN’s baseline security controls and safeguards defined by the University’s Information Resources and Technology (IR&T) organization.
  - Workstations that deviate from ROWAN’s baseline security controls and safeguards must be identified. Deviations must be documented and state:
    - The department where the workstation resides.
    - The purpose of the workstation.
    - The workstation’s serial number.
    - The controls and safeguards not applied to the workstation.
    - The business justification for deviating from ROWAN’s baseline security controls, safeguards, and configurations.
    - The IT manager approving the deviation.
  - IT service organizations and the business units are expected to maintain an accurate and current inventory of all workstations.
  - Login banners are required and must state:

    This workstation is the property of ROWAN and exclusively for the use by authorized members of the University community and limited to activities specific to their role and responsibilities. All activity occurring during the use of this workstation (including Internet use) is governed by the University’s Code of Conduct, its policies, as well as by federal, state, and local laws.

  - Idle timeout mechanisms must be employed.
  - A user ID and password must be required to use the workstation.
  - Local workstation administrator access is a privilege and will only be granted when a clear business need is established and standard University IT services or an alternative solution cannot support the user’s business needs.
  - The University reserves the right to revoke without notice local administrator privileges if access is deemed to present a risk to ROWAN’s electronic information or information systems.
  - The user’s manager and/or the University’s IT service organizations will periodically re-assess the user’s need for administrator access and, at their discretion, revoke the entitlement (without notice) or offer an alternative solution to meet the user’s need.
  - Workstation administrator access is auditable and subject to access entitlement reviews.
  - Workstations that provide access to or use of sensitive information or information systems should not be located in publicly accessible areas.
  - If a workstation must be located in a public area, physical and technical safeguards must be employed to protect against unauthorized access.
  - When feasible, workstation monitors should face away from public viewing.
- Information Resources and Technology (IR&T) is responsible for defining the base controls and configurations for workstation builds.
- All ROWAN IT Service Organizations or Departments managing their own workstations are responsible for incorporating the University’s baseline security controls, safeguards, and configurations into their workstation builds and for maintaining an accurate and current inventory of all their workstations. Any deviation from ROWAN’s baseline security model must be documented.
- The Presidents and Vice Presidents of the University’s units and the Deans of the schools have ultimate responsibility for the protection of their electronic information and information systems against unauthorized disclosure, loss, or misuse. They must ensure that all members of their respective organizations follow the administrative, physical, and technical safeguards defined in this policy.
VI. NON-COMPLIANCE AND SANCTIONS
Violations of this policy may subject the violator to disciplinary actions, up to or including termination of employment or dismissal from a school, and may subject the violator to penalties stipulated in applicable state and federal statutes. Sanctions shall be applied consistently to all violators regardless of job titles or level in the organization.
By Direction of the CIO:
SVP and Chief Information Officer