Electronic Workstation Use and Security

Background and reasons for the policy: The University of Connecticut views University data, in all its forms and throughout its life cycle, as an asset of the University. University data must be protected to comply with the policies of the University and to meet requirements of Federal and State laws such as:

• the Family Rights and Privacy Act (FERPA),
• the Health Insurance Portability and Accountability Act (HIPAA),
• the Electronic Communications Privacy Act (ECPA),
• the Gramm-Leach-Bliley Act (GLB),
• the Children's Online Privacy Protection Act (COPPA),
• the Freedom of Information Action (FOIA), and
• the Connecticut Personal Data Act.

Purpose of Policy: The purpose of this policy is to ensure that each department within the University has identified the proper functions and environmental security for each computer workstation (desktop, laptop, PDA and similar user equipment) under its control.

Expected Institutional Outcome: This policy will ensure that Departments define appropriate uses for their own workstations, building upon the description of appropriate uses of computing resources that are described in the document "Individual Responsibilities with Respect to Appropriate Use of Information Technology Resources".  This policy requires that each Department ensure that computer workstations within its control are used for appropriate functions, and that each workstation is given adequate physical security.

Applicability of Policy: This policy applies to all users of University computer workstations.  Any Department within the University that stores, uses, or transmits University data or electronic data that is subject to State or Federal regulations that require security protections for data covered by those regulations will need to document its procedures for compliance with this policy.  The policy is also recommended for all departments that have other data that should be protected from unauthorized disclosure, interrupted availability, or damage.

Policy Statement: Each impacted department within the University will develop processes and controls for managing the functions appropriate for workstations that are under its control.  At a minimum, this will include:

1. Proper Function. Process(es) for specifying the work functions that are appropriate for workstations under its control.  Most workstations will use one of the standard "images" with a set of programs approved by the University, but since these images change as new programs and program versions become available, department heads will need to identify needs for periodic upgrades of workstation functions.  Some departments have needs for non-standard functions or additions to standard functions.  Department heads will need to authorize installation and use of these functions on workstations that support them.
2. Function Performance: Process(es) for specifying how work functions should be performed at the workstations under its control.  Department heads should ensure that documentation is available to help departmental users perform work functions effectively.  The documentation will often be provided to department heads by data stewards who either develop the documentation or acquire it from third-party developers.
3. Workstation Setup:  Process(es) for specifying the workstation setup needed to support the functions to be performed at the workstations under its control.  This setup includes such items as:
   • Ensuring that the workstations meet requirements that may be specified by data stewards who are responsible for resources used by the department.  For example, data stewards may specify minimum workstation configuration requirements (such as memory, storage space, or operating system version) or application software requirements (such as encryption software, database software, reporting programs, etc.).
   • Ensuring that all manufacturer recommended security patches have been installed for operating systems and applications used in the department.
   • Ensuring that software and/or policies to update security patches on a regular basis are in place.
   • Ensuring that the virus protection software (and/or other similar protection software) provided by the University has been installed and enabled on unit computers. Departmental computers must be set to update virus definitions on a regular basis. A virus scan of local storage must be scheduled to run frequently enough to satisfy requirements for protecting resources.
4. Physical Security:  Processes for limiting physical access to workstations that are under its control.  These processes will ensure that only authorized users are permitted access to workstations.

Responsibilities:
University officials with delegated responsibilities for data as defined in the "Policy on Roles and Responsibilities with Respect to University Data" are responsible for the security of the information technology resources (including the facility, equipment, software and data) that are within their control and/or protection.  They are also responsible for ensuring that they remain knowledgeable about regulatory and UCONN security requirements impacting their data.  They may delegate the security responsibilities for those resources to the system administrators who they may appoint to manage the resources for them.

Departments and units must adhere to "Responsibilities of Individual Departments and Units" policy when developing required processes.  The University security policies set a minimum level of protection for information technology resources.  The processes and technologies instituted by departments must achieve that level of protection.  They may provide additional protections as needed when stricter requirements apply to the departments or operating units.  When designing or implementing security policies, procedures, or technical solutions that respond to unique departmental needs, the departments should ensure that they are in compliance with the "Physical Network Access" policy.

The Vice President for Information Services has overall responsibility for this policy.

The Vice President for Information Services will review this policy on a bi-annual basis and respond to formal complaints resulting from the implementation of this policy.

Policy Implementation Guidelines: Departments required to implement these security management processes should also refer to http://itpolicy.uconn.edu/ ,  where UITS maintains a set of documents for policies, procedures, guidelines, and standards that provide additional detail.

Many of the procedures used to support this policy are currently used by UITS.  For further information about using these procedures as models for developing departmental procedures, departments may contact UITS.

Violations of this policy will result in appropriate disciplinary measures in accordance with University Laws and Bylaws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the University of Connecticut Student Conduct Code.

Last updated: January 18, 2005