Purpose
There are certain scenarios where various departments require unique technology and equipment that may be outside the scope of Information Technology Services (ITS) responsibility or ability to support and may not meet security compliance standards. This document outlines the policy requirements for those scenarios where compliance cannot be maintained (e.g. research equipment with special or unique devices attached for data acquisition and/or analysis).
Existing ITS policies (such as Network Access Procedure, Security and Risk Management, Tech Access, and the University Acceptable Use Policy) remain intact and enforceable. This policy does not replace them and will only be used to govern non-compliant technology scenarios.
A signed acknowledgement of responsibility is required to ensure that non-compliant equipment will not be connected to the campus wired or wireless network, and that the equipment will not store personal identifiable information.
Compliant Computer Security Requirements
- All university computer technology and software purchases must be authorized by ITS.
- All university computers must have the latest operating system (OS) and must be patched regularly with critical and security updates.
- All university computers accessing the campus network must bind to Active Directory (AD) using valid, authorized accounts.
- Systems must have the following compliance monitoring agents actively running:
  - SCCM
  - KeyServer
  - Alertus
  - Microsoft Windows Defender
  - Office devices enrolled into Intune
- All university computers must either have full-disk encryption or be “frozen” (not allowing any data to be stored locally).
  - Encryption requires modern hardware, firmware, and OS support.
- If the computer technology manipulates personal identifiable information on the local device, it must abide by all of the computer security requirements listed above.
Considerations for Non-Compliant Technology
When technology and/or software cannot meet the security requirements mentioned above, the owners responsible for those systems must understand and acknowledge their responsibilities to safeguard data and other campus network systems by observing the following and signing the attached Acknowledgement of Responsibility for Non-Compliant Computing Equipment:
- All university computer technology and software purchases must be authorized by ITS.
- Review and understand the entirety of the University Acceptable Use Policy. Noteworthy sections:
  - User Responsibilities Section #4:
    - They should not save or store such personal information on any electronic media or format including local hard drives or images without consulting with IT Services regarding security.
  - General Regulations Section #16:
    - Documents or files with personal information must be stored on network shared drives, not on local "hard drives" or portable data storage media.
- Equipment that cannot support the latest OS versions and updates, or cannot run anti-virus or other compliance monitoring software, must be isolated and never connected to the campus network.
- The responsible owner of the computer must ensure that any external storage devices used to transfer data have been scanned to eliminate the threat of infecting the computer system. In addition, if personal identifiable information is stored on an external device, the device medium must be encrypted.
- Non-compliant equipment should be marked or labeled and documented in some fashion to ensure the systems are not inadvertently connected to the campus network, and that no personal identifiable information is stored on the system.
Failure to Comply with Policy
If any item listed on the attached form is detected or discovered to be connected to the campus network, it will be immediately confiscated or removed for violating this policy. The violation will also be reported to the respective Chair, Dean, Provost, Executive Vice-President of Administration and Business Affairs, and Executive Director of Information Technology Services.
Planning for Compliance
It is preferred that all systems be compliant where possible (as outlined above). Departments are encouraged to develop a replacement plan for technology that may become non-compliant, or at minimum to develop a contingency plan for critical failure scenarios. Should a “compliant” system become “non-compliant” through age or technical requirements that prohibit upgrades, it should be reported to ITS and the following form completed.
Acknowledgement of Responsibility for Non-Compliant Computing Equipment
I, _________________________, acknowledge and accept full responsibility for ensuring that the following list of equipment will not be connected to or used on the campus wired/wireless network, and that no personal identifiable information will be stored on the equipment.
__________________________________
Please sign here
Please identify your department Dean/Director, so they can receive a copy of this form.
Dean or Director: ______________________________
Non-Compliant Equipment
| Equipment Identifier | Location | Equipment Description | Purpose of Equipment |
|---|---|---|---|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
A copy of this form will be sent to the Dean/Director identified and put on file with ITS Information Security Manager.