Enhanced Security for Computers and Other Electronic Devices
Please go to http://policy.umn.edu for the most current version of the Policy or related document.
Computers and other electronic devices storing or accessing private data require an enhanced level of security and support. In addition, these requirements apply to servers designated as “critical servers” and are recommended for other important servers. These requirements may also apply to computers and electronic devices permitted or sponsored by University employees or departments such as contractor, research related, consultant or vendor provided systems.
The following are included in the enhanced security requirements:
- All Basic Security Level Requirements (Training, Authentication, Configuration and Firewall, Anti-Virus, Security Patches)
- Local Data Owner
- Information Technology Support
- Enhanced Configuration
- Data Storage and Media
- Physical Security
- Critical Server Identification and Vulnerability Scanning
- Secure Data Deletion & Secure Disposal
- Information System Review
- Change Control
- Additional actions as appropriate
In addition to the requirements listed above, laws and contractual agreements may impose further requirements. Units designated by the University as "Health Care Components" under the HIPAA regulations must also meet requirements as directed by the HIPAA Compliance Office. Units designated as credit card processing units subject to PCI must also meet the additional requirements as directed by the PCI Compliance Office.
Local Data Owner
The local data owner (such as the principal user of the data or the unit supervisor) is responsible for the data on a day-to-day basis and should act as a point of contact for compliance and security questions. This person is responsible for ensuring the appropriate security of the data over its lifetime, including coordinating with technical staff and relevant compliance program staff to ensure University and other requirements are met.
Information Technology Support
Units are responsible for having appropriately supervised professional technical support staffing sufficient to maintain information security. The staffing level should be appropriate to the environment, considering the amount and type of information for which they are responsible as well as the level of risk.
Computers and other electronic devices must be either continuously managed or reviewed on an ongoing basis for appropriate security measures by a full-time information technology professional, such as competent local information technology staff. These reviews must include adherence to both the basic and the enhanced levels of security.
Background checks of all information technology employees are required before hiring.
Physical and logical access to systems and data must be revoked immediately upon employee termination. Access must be reevaluated upon transfer to another department, or acceptance of a new position within the department.
Enhanced Configuration
Computers and electronic devices must comply with applicable University secure configuration requirements. As received from the vendor, computers and other devices are not configured for security and require initial as well as ongoing review of the configuration and security of the operating system and software. These settings vary by operating system and by the usage of the computer or device. Detailed settings for passwords, account use, logging, network encryption, etc. are required. For other operating systems, consult and follow the system documentation and apply settings consistent with those given below.
Desktop/Laptop – PC Configuration Settings for Microsoft Windows:
- Set up the password security features
  - Minimum password length (8 characters)
  - Require passwords to meet the complexity requirements (upper/lower case, numbers, special characters)
  - Enforce password history (5 passwords remembered)
  - Maximum password age (365 days or less)
  - Minimum password age (1 day)
  - Administrator account only used locally on the computer or device
- Set up the account lockout features
  - Account lockout duration (15 minutes)
  - Account lockout threshold (10 invalid logon attempts)
  - Reset account lockout counter (after 15 minutes)
- Set up the account and other settings
  - Guest account is disabled
  - Account use of blank passwords is disabled
  - Deny remote desktop access for Guest and Local Administrator accounts
  - Under network access, disable anonymous name translation
  - Do not allow anonymous enumeration of SAM accounts and shares
  - Do not store LAN Manager hash value on next password change
  - Send NTLMv2 response only; refuse LM & NTLM
  - Require NTLMv2 session security and require 128-bit encryption for NTLM SSP based servers (including secure RPC)
  - Disable IPv6 transition mechanisms (tunnel mechanisms such as 6to4, Teredo, ISATAP, IPv6 over HTTPS)
  - Disable AutoRun
  - Disable automatic administrative logon for the recovery console
  - Disable Everyone permissions for anonymous users
- Set up computer and device logs
  - Application log size (9984 kilobytes)
  - Security log size (99968 kilobytes)
  - System log size (9984 kilobytes)
  - Prevent local guests from accessing the application log, security log, and system log
  - Set the retention method for the application, security, and system logs to "as needed"
  - Audit "success" and "failure" for the following: account logon events, account management, logon events, policy change, system events
  - Audit "failure" for the following: object access and privilege use
  - Enable the Last Accessed file timestamp if the setting is available
See vendor technical documentation for additional detail on the above security settings. Services must be limited as much as possible on desktops and laptops. Web server, FTP server, mail server, peer-to-peer, and anonymous file-sharing software can significantly raise the security risk to private data. Unless a high level of expertise is available and these services are closely monitored at all times, such higher-risk software must not be installed.
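The Windows settings above map onto the local security policy that `secedit /export /cfg <file>` writes out, so the cheapest way to verify a fleet of desktops is to export that policy and compare it against the required values. The checker below is an added example, not part of the University policy or any University tool. It parses the INI-style export and reports every password, lockout, account, anonymous-access, NTLM and audit setting that is missing or weaker than the list above requires. The key names and the `type,value` registry syntax are those secedit itself uses; the export text is a constructed sample for a hypothetical workstation, with two values (password history and LM hash storage) deliberately out of policy. Event log sizes, AutoRun and the recovery-console setting live outside the secedit export and are not covered here.

```python
"""Audit a secedit export against the Windows desktop settings listed above."""
from __future__ import annotations

import re
from typing import Callable

# Constructed sample of `secedit /export /cfg` output (trimmed). Two lines
# intentionally fail policy: PasswordHistorySize = 3 and NoLMHash=4,0.
SAMPLE_EXPORT = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 365
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 3
LockoutBadCount = 10
ResetLockoutCount = 15
LockoutDuration = 15
EnableGuestAccount = 0
LSAAnonymousNameLookup = 0
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditObjectAccess = 2
AuditPrivilegeUse = 2
AuditPolicyChange = 3
AuditAccountManage = 3
AuditAccountLogon = 3
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec=4,537395200
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_secedit(text: str) -> dict[str, dict[str, str]]:
    """Parse the INI-like export into {section: {key: raw value}}.
    Registry entries keep their "type,value" form (4 = REG_DWORD)."""
    sections: dict[str, dict[str, str]] = {}
    current: dict[str, str] | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections


def _as_int(raw: str) -> int | None:
    """Turn "8" or a registry "4,5" pair into the integer value (5)."""
    value = raw.split(",", 1)[1] if "," in raw else raw
    return int(value) if re.fullmatch(r"-?\d+", value) else None


LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa"
SUCCESS, FAILURE = 1, 2          # secedit audit flags; 3 means both
NTLM_MIN = 0x20080000            # NTLMv2 session security + 128-bit encryption

# (section, key, predicate on the integer value, requirement shown in a finding)
CHECKS: list[tuple[str, str, Callable[[int], bool], str]] = [
    ("System Access", "MinimumPasswordLength", lambda v: v >= 8, "at least 8"),
    ("System Access", "PasswordComplexity", lambda v: v == 1, "enabled"),
    ("System Access", "PasswordHistorySize", lambda v: v >= 5, "at least 5"),
    ("System Access", "MaximumPasswordAge", lambda v: 1 <= v <= 365, "1-365 days (-1 = never expires)"),
    ("System Access", "MinimumPasswordAge", lambda v: v >= 1, "at least 1 day"),
    ("System Access", "LockoutBadCount", lambda v: 1 <= v <= 10, "1-10 attempts (0 = no lockout)"),
    ("System Access", "LockoutDuration", lambda v: v >= 15 or v == -1, "15 minutes (-1 = admin unlock)"),
    ("System Access", "ResetLockoutCount", lambda v: v >= 15, "15 minutes"),
    ("System Access", "EnableGuestAccount", lambda v: v == 0, "Guest disabled"),
    ("System Access", "LSAAnonymousNameLookup", lambda v: v == 0, "anonymous name translation off"),
    *[("Event Audit", k, lambda v: v == SUCCESS | FAILURE, "success and failure")
      for k in ("AuditAccountLogon", "AuditAccountManage", "AuditLogonEvents",
                "AuditPolicyChange", "AuditSystemEvents")],
    *[("Event Audit", k, lambda v: bool(v & FAILURE), "failure")
      for k in ("AuditObjectAccess", "AuditPrivilegeUse")],
    ("Registry Values", LSA + r"\LimitBlankPasswordUse", lambda v: v == 1, "blank passwords limited"),
    ("Registry Values", LSA + r"\RestrictAnonymous", lambda v: v == 1, "no anonymous share enumeration"),
    ("Registry Values", LSA + r"\RestrictAnonymousSAM", lambda v: v == 1, "no anonymous SAM enumeration"),
    ("Registry Values", LSA + r"\NoLMHash", lambda v: v == 1, "LM hash not stored"),
    ("Registry Values", LSA + r"\LmCompatibilityLevel", lambda v: v >= 5, "NTLMv2 only, refuse LM & NTLM"),
    ("Registry Values", LSA + r"\MSV1_0\NTLMMinServerSec", lambda v: (v & NTLM_MIN) == NTLM_MIN,
     "NTLMv2 session security + 128-bit"),
    ("Registry Values", LSA + r"\EveryoneIncludesAnonymous", lambda v: v == 0, "Everyone excludes anonymous"),
]


def check_export(text: str) -> list[str]:
    """Return one finding per setting that is missing or fails policy; [] means compliant."""
    cfg = parse_secedit(text)
    findings: list[str] = []
    for section, key, ok, want in CHECKS:
        raw = cfg.get(section, {}).get(key)
        if raw is None:
            findings.append(f"{section}/{key}: not set (want {want})")
            continue
        value = _as_int(raw)
        if value is None or not ok(value):
            findings.append(f"{section}/{key}: found {raw!r}, want {want}")
    return findings


if __name__ == "__main__":
    for finding in check_export(SAMPLE_EXPORT) or ["compliant"]:
        print(finding)
```

A real export is UTF-16 with a byte-order mark, so feed it in with `open(path, encoding="utf-16").read()`. A missing key is reported as a finding rather than skipped: secedit omits settings that were never configured, and an unconfigured lockout policy is exactly the gap this list is meant to close.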
Desktop/Laptop – Apple/Mac Configuration Settings
- Limit how accounts are used
  - Disable automatic login for accounts
  - Display the login window as name and password fields
- Network settings
  - Turn off IPv6 transition mechanisms/tunnels (already off by default)
  - Turn FileVault protection on
- Password settings
  - Master password is set
  - Require a password to wake the computer
  - Disable automatic login
  - Require a password to unlock each secure system preference
Services must be limited as much as possible on desktops and laptops. Web server, FTP server, mail server, peer-to-peer, and anonymous file-sharing software can significantly raise the security risk to private data. Unless a high level of expertise is available and these services are closely monitored at all times, such higher-risk software must not be installed.
Server Configuration Settings
- Server settings are highly dependent on the role of the server and require different configuration settings. Follow security industry standards such as those from the National Institute of Standards and Technology (NIST), the Center for Internet Security (CIS), and the National Security Agency (NSA), where appropriate.
- Review the desktop settings above for applicability. Set up authentication, account management, and logging.
- Services must be limited as much as possible. Web server, FTP server, mail server, peer-to-peer, and anonymous file-sharing software can significantly raise the security risk to private data. Unless a high level of expertise is available and these services are closely monitored at all times, such higher-risk software must not be installed.
- Configure all services to log all connections and authentication information.
- Periodic review of access to multi-user servers and databases is required. If access is no longer needed, the account must be inactivated or removed.
- Server logs must be saved on a separate log server via a one-way process.
- Access to the log server must be restricted.
- Host security log files must be configured and reviewed for anomalies.
- Logs must be of sufficient size to provide useful information in case of a security event (at least 90 days of logs, unless legal or contractual requirements require longer retention).
Encryption of Laptops and Portable Devices
- Encryption of private data stored on laptop computers or other portable devices is required.
- If sent across the Internet (external to the University's network) or other open networks such as wireless connections, both the authentication data (e.g. a userid and password) and the data itself must be encrypted with strong encryption. The University's wired network is not considered an open network.
- Encryption products are available for various operating systems. See Encrypting Stored Data.
Data Storage and Media
- Private University data files must be stored on University-owned computers and media, not personally owned computers and media (thumb drives, laptops, etc.). Any incidental and unintended storage of files in browser or other cache files or in email/email attachments must be deleted as soon as possible.
- Private University data must not be stored on vendor or non-University Internet sites or systems unless a University contract reviewed and approved by the appropriate Compliance Office or the Office of the General Counsel is in place with that vendor or site.
- Staff and faculty traveling internationally must not transport export-restricted data or software outside of the U.S. The Office of the General Counsel and the Office of International Programs can provide guidance. When traveling internationally, only the minimum data files necessary for the trip should be stored on laptop computers and media. All other files should be securely deleted (old email, old files, etc.), or a departmental travel or rental computer should be used.
Physical Security
Physical access must be restricted as much as possible.
- Devices not in use for extended periods (e.g. at night and on weekends) must be logged off.
- Laptops must be either physically restrained (e.g. via an anchoring device) at the primary work location when left unattended or stored in a locked cabinet or drawer.
- Servers must be in an appropriate and secure physical facility.
Periodic backup copies of software and data must be made, tested, and stored securely (not in staff cars, homes, etc.). Physical security of removable media must be maintained, and plans made to allow recovery from unexpected problems.
Servers must be protected by backup and offsite data storage. Backup media must be stored offsite in a secure University or backup-vendor location.
Critical Server Identification & Vulnerability Scanning
IT Professionals are responsible for identifying critical servers and maintaining the security of critical servers. They are required to expeditiously patch, change the configuration, or mitigate high level vulnerabilities identified by the security scanning process unless an exception is approved. Critical servers must be identified by inclusion in the "Critical" asset group in the Qualys security vulnerability scanning system. See Critical Server Scan Process.
Secure Data Deletion & Secure Disposal of Equipment
When a computer or electronic device will no longer be used, it needs to be properly disposed of. See Administrative Procedure: Disposing of University Equipment for details. A "secure deletion" program must be used to permanently remove data from hard disks and media prior to transfer or disposal of hardware. Permanent media (e.g., CDs) or non-operational media must be physically destroyed. If media is not operational or can't be wiped, it must be sent to the University disposal vendor for physical destruction.
After University use, media (whether operational or not) must not be returned to the vendor unless securely wiped. Most vendors offer a “no return to vendor” option for malfunctioning media when purchasing computers. Copiers, printers, and multi-function devices with hard drives or other storage media must be securely deleted before return to the vendor or the media must be physically destroyed.
Information System Review
University of Minnesota departments and units must conduct periodic reviews of information systems in their control that contain legally private or confidential data including:
- Regular review of the list of users who have been granted access to systems that contain protected or private information, to ensure that only those who need access have access to the systems
- Periodic review of audit logs
Change Control for Software Development and System Implementation
- A documented method of change control (appropriate to the scope and risk of the environment) is required for software development and system implementation, as well as for other changes that carry higher-than-normal risk to the environment. The method of change control must result in documentation and approval of changes within the relevant environment.
- Colleges and administrative units are responsible for designating the appropriate organizational level, scope, and methodology to be used for change control. The Office of Information Technology can provide guidance to assist in determining the appropriate change control and consultation regarding technical security controls for the highest risks.
Additional actions as appropriate
One or more of the following additional actions should be used to further protect private data, depending on the requirements for the data:
- Consult with appropriate compliance office (see contacts section in the Policy).
- Develop a security plan
- Conduct a risk analysis
- Limit storage of private data to a hardened file server at the department or collegiate level
- Severely restrict the volume and duration of the information stored
- Move the data to a dedicated computer with no other applications or data
- Limit network access to a list of specific machines or devices (access control list)
- Use an internal University, non-routed IP address or network which prevents any access either to or from the Internet
- Encrypt stored data to protect data in case of theft of hardware
- Sign up for notification of security patch availability from vendors
- Separate any sensitive data from other data and store independently (e.g. on a non-networked device)