ROWAN UNIVERSITY POLICY


Title: Workstation Use and Security Policy
Subject: Information Security
Policy No: ISO: 2013:03
Applies: University-Wide
Issuing Authority: Senior Vice President for Information Resources and Technology and Chief Information Officer
Responsible Officer: Assistant Vice President and Chief Information Security Officer
Date Adopted: 07/01/2013
Last Revision: 07/12/2021
Last Review: 07/12/2021

I. PURPOSE

The purpose of this policy is to specify the security controls and minimum requirements for Rowan University's workstations, in order to protect the information stored on the workstation and the information the workstation can access.

II. ACCOUNTABILITY

Under the direction of the President, the Chief Information Officer and the Chief Information Security Officer shall implement and ensure compliance with this policy. The Vice Presidents, Deans, and other members of management shall implement this policy in their respective areas and ensure that all members of their respective organizations follow the administrative, physical, and technical safeguards defined in this policy.

III. APPLICABILITY

This policy applies to all members of the Rowan University community and any other parties who use, work on, or provide services involving Rowan University workstations and information systems.

IV. DEFINITIONS

Refer to Rowan University Technology Terms and Definitions for terms and definitions that are used in this policy.

V. POLICY

  1. Rowan University’s workstations are provided by Information Resources & Technology (IRT) for official use to support the administrative, academic, and research needs of the university. 

  2. IRT is responsible for defining the baseline security controls and minimum standards and configurations for all workstations. All workstations are required to utilize the baseline security controls and safeguards defined and managed by IRT.

  3. The minimum security controls and requirements for all workstations must include, but are not limited to, the following:

    1. Antivirus

      1. Workstations must have antivirus software installed and actively running, configured so that virus definition files are kept current through routine, automatic updates.

      2. All files on workstations will be scanned periodically for viruses per the schedule established by IRT.

    2. Encryption

      1. All workstations must be encrypted.

    3. Removable Media

      1. All read and write access to removable media, such as external hard drives, USB flash drives/thumb drives, and rewritable DVDs and CDs, must be blocked.

      2. Shipments of removable media containing information classified as sensitive must be done using a courier that can track shipments and provide proof of receipt.

    4. Anti-Theft

      1. All workstations that support the appropriate hardware and software requirements for anti-theft deterrent software must be configured with this software.

    5. Data Storage and Backup

      1. Users must not save information classified as Confidential, Private, or otherwise considered sensitive or privileged on workstations.

      2. Users are provided with access to Shared Drives and Google Drive for data storage. However, some files, such as Outlook email archives, are automatically stored locally on workstations.

      3. Users and business units should consult with IRT and the Office of Ethics, Compliance and Corporate Integrity regarding what kind of security is appropriate for the sensitive information they store on their local workstations.

      4. Users and business units are responsible for ensuring that a backup of their data exists and should consult with IRT for guidance on backing up data, as not all locations on a workstation are backed up.

      5. Sensitive information should be saved in folders with access limited to those individuals authorized to access the information.

      6. Data access entitlements must be reviewed and handled according to the University's Access Control Policy.

    6. Workstation Login and Logon Banners

      1. A user ID and password must be required to use the workstation. Each user ID must be traceable to an individual user; generic local or network accounts are not permitted.

      2. Logon Banners are required and must state: “I understand and acknowledge that this system is the property of Rowan University and is for authorized activity only. By using this system, I acknowledge notice of, and agree to comply with, Rowan University’s Acceptable Use Policy available at go.rowan.edu/aup."

      3. Workstation screen lock policies must be enforced so that idle workstations lock after 15 minutes of inactivity.

    7. Workstation Privileges

      1. Elevated rights are only provided to full-time faculty members on their own workstations.

      2. Administrator access on a workstation is a privilege and will only be granted when a clear business need is established and standard university services or an alternative solution cannot support the user’s business needs.

      3. IRT reserves the right to revoke local administrator privileges without notice if the access is deemed to present a risk to Rowan electronic information or information systems.

      4. IRT will periodically reassess workstation privileges, including administrator access, and may at its discretion revoke the entitlement (without notice) or offer an alternative solution to meet the user’s needs.

    8. Physical Controls

      1. Workstations that provide access to or use of sensitive information or information systems should not be located in publicly accessible areas.

      2. If a workstation must be located in a public area, physical and technical safeguards must be employed to protect against unauthorized access and to secure the workstation from theft.

      3. Workstation monitors should face away from public view, or privacy screens should be used, to protect sensitive information displayed on the workstation.

    9. Software Updates

      1. Workstations must be rebooted at least every 30 days to ensure that operating system and application software updates are installed.

      2. Users are responsible for checking with IRT to validate that any software updates not provided by IRT come from an approved source.

  4. Workstation Use

    1. Users must log off or lock their workstations when not in use.

    2. Users must receive approval through the Information Technology Acquisition Process (ITAP) before installing software or connecting hardware that has not been issued or purchased by Rowan University.

    3. Users must provide and retain proof of purchase and licenses when installing personal licensed software, unless the software is provided with a free license for use at Rowan University by the software developer. Any specialized software required must be submitted for approval through ITAP, paid for with department funds, and released to the university once the user leaves the university.

    4. Users must use the home drive and department shared drives (e.g. OpenArea or Google Drive) to maintain a backup of their important data.

    5. Users must use a privacy screen when handling or displaying classified information on their workstation screen that could be viewed by an unauthorized user or bystander. If privacy screens are not available or practical, monitors must be placed in areas or at angles that minimize viewing by persons who do not need the information.

    6. Users should use privacy shutters on web cameras to prevent the capture of classified information within the camera's view, and should ensure the shutter is closed when the camera is not in use.

    7. Users should take the necessary precautions to protect their data and workstations from unauthorized use, theft, damage, etc. Best practices include:

      1. Never leaving a workstation unattended, and securing the workstation in the location where it is typically used.

      2. When traveling, storing workstations appropriately to ensure they are protected.

      3. Being mindful of liquids from food or drink while using the workstation.

  5. Workstation Minimum Software, Hardware and Network Requirements

    1. Workstations must authenticate with Rowan University systems monthly to ensure compliance with all Rowan University technology policies, unless special permission has been given by the Department Head and the Information Security Office.

    2. Workstations must be brought to campus for the annual Physical Audit of the university department.

    3. Workstations that are over six (6) years of age are considered end-of-life and will be removed from service. 

    4. Workstations, where the original operating system or the hardware are no longer supported by the manufacturer, are considered end-of-life and will be removed from service following the requirements of the Technology Ownership Policy.

    5. Workstations may be rebooted or disconnected from the network if deemed necessary to:

      1. Ensure a workstation's security controls comply with the requirements in V.3 and are updated and functioning correctly, such as updated antivirus definitions.

      2. Prevent propagation of malware to other networked devices or detrimental effects to the network or data.

      3. Address a security incident under the direction of the Information Security Office (ISO).

  6. Workstation Auditing, Logging and Monitoring

    1. Each department is responsible for working with IRT to provide and maintain an accurate and current inventory of all workstations. Annual Physical Audits of workstations are required to ensure that the inventory and asset database are updated and that any deviations from security controls are documented and reviewed by the Information Security Office. Workstations that deviate from Rowan University’s baseline security controls and safeguards must be identified by Technology Support during the asset audit. Deviations must be documented and state:

      1. The department where the workstation resides.

      2. The purpose of the workstation.

      3. The workstation’s serial number.

      4. The controls and safeguards not applied to the workstation.

      5. The business justification for deviating from Rowan’s baseline security controls, safeguards, and configurations.

      6. The IRT Asset Manager approving the deviation.

    2. Workstations must be used in accordance with the University’s policies and secured against unauthorized access. In order to protect the confidentiality, integrity, and availability of Rowan University’s electronic information and information systems, activity may be reviewed, logs captured, and access monitored without notification.

  7. Workstation Repurpose and Disposal

    1. A workstation that is repurposed for another user or another use must first be reviewed by IRT per university guidelines and procedures to ensure that it meets the minimum requirements to remain in use. In addition, all data must be securely disposed of, and all licensed software, hardware and security controls must be removed. Once the data is securely disposed of, the workstation can be reimaged to meet the minimum requirements, and the asset database must be updated to reflect the new ownership and the new use of the workstation.

    2. A workstation that is deemed end-of-life will not be supported or permitted on the network and must be disposed of by IRT per university guidelines and procedures, ensuring that the workstation and its data are securely disposed of, that all licensed software, hardware and security controls are removed prior to disposal, and that the asset database is updated accordingly.

  8. Workstation Loss and Theft

    1. Workstations, removable media or related peripherals that are lost or stolen must be reported to the Manager, Data Owner, Department of Public Safety and the Technology Support Center.

    2. The Information Security Office must investigate the workstation loss or theft according to the Security Incident Management Policy.
  9. Workstation Exceptions

    1. Exceptions to this policy can be requested if the workstation cannot meet the requirements for a specific security control or if the security control interferes with another core workstation component. The need for an exception will be validated by Device Management and Technology Support and approved by the Information Security Office. If an exception is required, the Information Security Office and the Device Management team must work with the department to develop a plan that provides compensating controls for the workstation, meeting the minimum technical, administrative and physical security requirements to protect against unauthorized access, loss or theft.

    2. Individuals who require exceptions to the minimum security standards and configurations for a workstation can provide the business justification to the Information Security Office for review and approval of the exception for the specific control or requirement. If approved, the individual is responsible to:

      1. Incorporate the University’s baseline security controls, safeguards, and configurations into their workstation builds.

      2. Maintain an accurate and current inventory of all their workstations.

    3. All exceptions, including extensions of the end-of-life policy, are not valid for more than one year; after that, the workstation must be replaced or updated to comply with the requirements of this policy.

VI. POLICY COMPLIANCE

Violations of this policy may subject the violator to disciplinary actions up to or including termination of employment or dismissal from school, subject to applicable collective bargaining agreements, and may subject the violator to penalties stipulated in applicable state and federal statutes. Students who fail to adhere to this Policy or the Procedures and Standards will be referred to the Office of Student Affairs and may be expelled. Contractors and vendors who fail to adhere to this Policy and the Procedures and Standards may face termination of their business relationships with the University. Sanctions shall be applied consistently to all violators regardless of job titles or level in the organization, per the Acceptable Use Policy.


By Direction of the CIO:

________________________________

Mira Lalovic-Hand,
SVP and Chief Information Officer