Overview
All workstations used for remote work must adhere to the University’s workstation security standards below. Only University-managed devices may be used to process, store, or transmit Restricted Data.
Physical
- University-owned workstations may be used only by University employees and only for business purposes
- Be conscious of your work environment and who may be able to see your screen or hear your calls

Operating System
- Only supported operating systems may be installed
- The operating system must be configured for automatic updates, so that patches are applied at least monthly
- Only install and configure services that are required
- No workstation should be configured to run as a server of any kind

Applications
- Only authorized, supported, and properly licensed software can be installed
- Any application updates and patches should be applied at least monthly
- When possible, applications should be configured to update automatically
- File sharing software must not be installed

Authentication
- Enterprise Active Directory must be used for authentication whenever possible
- All systems must have a password-protected screensaver configured to launch after a minimum of 15 minutes of inactivity

Malware Protection
- All systems must use endpoint protection software that is kept up to date

Network Protection
- The workstation must use a wired ethernet connection or an encrypted wireless router
- Public networks must be used with a VPN (GlobalProtect)
- Ensure the default passwords for private wireless routers have been changed to a strong password
- A host-based firewall should be installed and configured to block unnecessary inbound ports
- The workstation should be disconnected from the University’s network when daily remote work is complete

Encryption
- All laptops must utilize hard disk encryption such as BitLocker or FileVault
- Removable media used to store high-risk data must be encrypted

Cloud Storage

Data Destruction
- Any printed copies of high-risk data must be shredded before disposal
- When no longer needed, hard drives and removable media must be securely sanitized or destroyed and not simply discarded

Training