Basic Security for Computers and Other Electronic Devices
Please go to http://policy.umn.edu for the most current version of the Policy or related document.
The software on computers and other electronic devices must be set up and maintained to help protect the data, the computer and the University network. These requirements also apply to computers and electronic devices permitted or sponsored by University employees or departments, such as contractor-, research-, consultant- or vendor-provided systems.
Basic security requires:
- Authentication (Password, Passphrase or other strong authentication)
- Anti-Virus Protection
- Security Patches
Employees must take the mandatory University training along with periodic updates as available. In certain areas, other University community members (e.g. health sciences students, volunteers and visitors affiliated with units that are Health Care Components) may also be required to complete training. See your supervisor for details.
Authentication (Password, Passphrase, MKey or other strong authentication)
- Password or passphrase must be used for all devices and software supporting authentication, unless using a higher level of authentication (e.g. MKey).
- Must be eight or more characters long. Longer passwords are better.
- Must be periodically changed as required by each system, but at least annually.
- Must contain a minimum of three types of characters (lower-case letters, upper-case letters, numbers, special characters).
- User passwords (including temporary worker and student worker passwords) must not be shared.
- A password is required upon resuming use from an inactive state (Hibernation, Sleep, Screen Saver) to prevent unauthorized access when unattended.
- A password-protected screen saver must activate within a maximum of 30 minutes of inactivity.
- University desktop/laptop computers must be logged off when not in use during non-work hours.
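The password rules above (eight or more characters, at least three of the four character types, changed at least annually) can be checked mechanically. The following is an added example, not code from the University or this policy; it assumes that "special characters" means ASCII punctuation (and counts any other non-letter, non-digit character as special) and that "annually" means 365 days, since the policy defines neither.

```python
import string
from datetime import date, timedelta

# Thresholds taken from the policy text.
MIN_LENGTH = 8
MIN_CHARACTER_CLASSES = 3
# "At least annually": assumed here to mean 365 days.
MAX_PASSWORD_AGE = timedelta(days=365)

CHARACTER_CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def character_classes_used(password):
    """Return the set of character-class names present in the password.

    Any character outside the four ASCII classes (a space, a non-ASCII
    letter) is counted as 'special'; that is an assumption, because the
    policy does not define 'special characters'.
    """
    used = set()
    for ch in password:
        for name, members in CHARACTER_CLASSES.items():
            if ch in members:
                used.add(name)
                break
        else:
            used.add("special")
    return used


def check_password(password):
    """Return a list of policy violations; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    used = character_classes_used(password)
    if len(used) < MIN_CHARACTER_CLASSES:
        problems.append(
            f"uses {len(used)} character class(es); "
            f"at least {MIN_CHARACTER_CLASSES} required"
        )
    return problems


def password_expired(last_changed, today=None):
    """True if the password is older than the maximum allowed age."""
    today = today or date.today()
    return today - last_changed > MAX_PASSWORD_AGE


if __name__ == "__main__":
    # Constructed sample passwords, chosen to exercise each rule.
    samples = ["short1A", "alllowercase", "Lower1234", "Mixed-Case1"]
    for pw in samples:
        result = check_password(pw)
        print(f"{pw!r}: {'OK' if not result else '; '.join(result)}")
    # Constructed dates: a password set 1 Jan 2010, checked on 1 Jul 2011.
    print(password_expired(date(2010, 1, 1), today=date(2011, 7, 1)))
```

The checker reports every failed rule rather than stopping at the first one, which is more useful when the output is shown to the user setting the password. The age check is kept separate because it depends on when the password was last changed, a fact stored by the system rather than derivable from the password itself.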
Configuration (must be implemented by 7/1/2011)
- University-owned desktop/laptop computers compatible with the Active Directory architecture must be attached to, and configuration settings managed through, an approved University Active Directory to assure timely and secure configuration, regulatory compliance, and enhanced protection of data.
- The University Chief Information Officer must approve all Active Directory implementations. Any existing local or non-central directory/management systems that exist after 7/1/2011 must be reviewed by the IT Directors and approved by the University CIO as an exception to policy.
- Access to an account with administrative level privileges for desktop/laptops must only be provided to a user when an account with a lower level of access is not sufficient for conduct of University business. Such administrative access must be approved annually in writing by the unit supervisor (and documentation retained) due to the increased risk level.
- A separate standard user level account must be used for daily tasks such as email and web surfing. Use of the administrative level account must be limited to those actions which require administrative access.
- A software firewall, hardware firewall or other network filtering (e.g. port or IP address filtering) technology must be used to help protect the computer/device while on the network.
- Desktops and laptops should use the operating system's built-in firewall or other software firewall.
Anti-Virus Protection
Computers are required to maintain and use an up-to-date version of anti-virus software (or virus filtering software for Unix). Other electronic devices are required to use anti-virus protection, if available.
The University has purchased a license for anti-virus software for many common computing platforms. This licensed software is available free of charge to staff and faculty on all campuses of the University.
Minimum Configuration for Anti-Virus Software (pre-set in the campus download versions):
- Live Update is enabled
- Live Update Schedule Frequency is daily
- File System Real Time Protection is enabled
Security Patches
Operating systems and application programs have periodic security patches released by the vendor that need to be installed. Installation of newer versions of the operating system or application program may be needed.
- Software applications, whether installed by a user with administrative-level privileges or by technical support staff, must be maintained and patched to meet the University patching and security requirements for the lifetime of the application.
- Patching for designated high risk software applications is required as soon as possible but not more than 30 days after availability from vendor. The list of high risk applications will be approved quarterly by the University CIO and published at www.oit.umn.edu/security/topics/patch-high-risk-apps/index.htm.
- All other operating system and application program security patches/updates must be installed as soon as possible but not more than 30 days after release by the vendor.
- Desktop and laptop computers must have automatic updates enabled or use the campus centralized updating of security patches for the operating system.
- Computer operating systems and software with published and unmitigated security vulnerabilities that are no longer supported or patched by the vendor or an active open source community cannot be used on University computers.