The purpose of this document is to establish standards for the base configuration of workstation computers that are authorized to operate within Georgia Health Sciences University. Since data that is created, manipulated and stored on these systems may be proprietary, sensitive or legally protected, it is essential that the computer systems and computer network, as well as the data they store and process, be operated and maintained in a secure environment and in a responsible manner. It is also critical that these systems and machines be protected from misuse and unauthorized access. Therefore, ITSS requires that all access to workstations be authorized and that all data be safeguarded.
This policy applies to all workstations connected to the University’s network. This includes all University and non-University owned workstations including personally owned machines. This policy applies to all users of computing resources owned or managed by Georgia Health Sciences University, including, but not limited to University employees, students, guests, contractors, temporary staff, vendors, external individuals or organizations, and individuals accessing Georgia Health Sciences University computing resources through external network services, such as the Internet. Workstations configured to share or distribute resources such as FTP, web services, and file and print services must comply with the Server Security Policy.
Ownership and Responsibilities
All GHSU owned workstations connected to the Georgia Health Sciences University network must have a GHSU asset tag, should follow industry standard configuration guidelines, and should monitor configuration compliance with campus guidelines.
4.0 General Configuration Requirements
- Operating System configuration should be in accordance with industry standards and campus guidelines. Operating systems no longer supported by the vendor must be upgraded or decommissioned.
- Account and application passwords must comply with the Password Protection Policy.
- Services that are not used must be disabled.
- The most recent security patches must be installed on the system in a timely manner, the only exception being when immediate application would interfere with business requirements.
- Workstations used to access PHI (Protected Health Information) or sensitive information must be configured so that information cannot be viewed or copied by unauthorized users. All such workstations must use appropriate tools such as password protected screen savers, data encryption, or applications with automatic log off capabilities where practical.
- Peer to peer file sharing programs are not permitted on the GHSU campus network.
- Workstations may not be configured to automatically connect to any GHSU campus network resources that require a login.
- Anti-spyware software is strongly recommended.
5.0 Public Access Computers
Public Access Computers operating on the GHSU campus network are subject to the same requirements as listed in this policy. The following additional requirements apply:
- No sensitive information is to be stored or transmitted on public access computers.
- Any automatic logins should be used by the local machine only, with no administrative rights.
- No public access machine should be configured to automatically log in to ANY network resources.
- Access to all directories and files on the machine must be restricted as much as feasible.
6.0 Personally Owned Computers
Personally owned computers operating on the GHSU campus network are subject to the same requirements as listed in this policy. The following additional requirements apply:
- PHI or other sensitive data may not be stored on personally owned computers.
- Upon separation from Georgia Health Sciences University or before disposing of personally owned computers that have been used on the GHSU campus network, owners must completely remove any GHSU licensed software that may have been installed on the computer.
All workstations must be re-imaged before any transfer of custody or current ownership within the institution.
All workstations must be properly sanitized in compliance with the GHSU Surplus Personal Computers/Electronic Property Policy (http://policy.georgiahealth.edu/2010/09/23/surplus-personal-computerselectronic-property/) before redistribution outside the institution.
All systems are subject to audit by ITSS Security Administration. Designated system administrators and/or system owners must cooperate with ITSS Security Administration personnel during the audit process. Workstations not conforming to this policy will be disconnected from the GHSU campus network. Workstations that have been removed from the GHSU campus network will not be allowed to reconnect to the network until it can be demonstrated that they conform to this policy.
10.0 Related Documents