Computer Security Standard

Scope:

This standard applies to all computers, defined as any workstation, desktop, or laptop that is:

  • Owned or managed by the University of Detroit Mercy
  • Connected to the University of Detroit Mercy networks
  • Connected to the University of Detroit Mercy resources or services
  • Storing University of Detroit Mercy data

The owner of a computer may use it at his or her discretion; however, once that computer is connected to the University network or is used to store University data, it is subject to applicable laws, regulations, and University policies.

Purpose:

The purpose of this document is to establish standards for the base configuration of University computers. Effective implementation of this standard will minimize security incidents involving University resources. This document is divided into two sections: the Baseline Standard and the High-Security Standard. All in-scope computers will be configured to the Baseline Standard. All computers connected to high-security systems will conform to both the Baseline Standard and the High-Security Standard.

Standards:

The following sections must be adhered to by the user of the computer.

Baseline Standard

  • Computers must use a vendor-supported operating system that currently receives vendor security updates and technical support. Security updates patch vulnerabilities that malware may exploit and help keep users and their data safer. Computers running unsupported operating systems will not be allowed to connect to the network.
  • Users must lock their computers or log out before leaving the area to prevent unauthorized access.
  • Each user must log in with his or her own account, and each account must have its own unique local profile. The University does not allow the use of shared local profiles when logging in to a Detroit Mercy workstation.

  • Computers will comply with the Password Standard.
  • Computers will comply with the Antivirus Policy.
  • Computers will comply with the Electronic Security of Detroit Mercy Protected Data & Detroit Mercy Sensitive Data Policy.
  • Personal (host-based) firewalls will be enabled on the computer and will filter inbound traffic to the host with a default “deny all” policy, permitting only inbound connections that are explicitly required.
  • Users will implement anti-spyware on their computers.
  • Users will disable unneeded services (e.g., SMTP or FTP) that the operating system enables by default.
  • Users will regularly check for and install all critical and security patches for the operating system and applications as soon as possible, and no later than 30 days after their release.

High-Security Standard

All computers procured through, operated, or contracted by the University that are connected to, or interact with, a high-security network zone, as defined in the Network Firewall Standard, or that store Detroit Mercy Protected Data, must adhere to the following rules in addition to the Baseline Standard:

  • The operating system will be configured in accordance with approved Information Security guidelines, as referenced in the Appendix.
  • Users will enable a password-protected screen saver (screen lock) that locks the desktop after no more than 15 minutes of inactivity.
  • Users may not be administrators of the local machine.
  • Users will not log in using generic, shared, or service accounts.
  • Users will position monitors so that Protected Data on screen is visible only to the operator.
  • Personal firewalls must be configured to not be alterable by users.
  • The computer will not function as a server (e.g., will not provide file shares, web, FTP, or peer-to-peer applications).
  • The computer will not access high-security systems or networks using wireless technology except via VPN.
  • Computers that access high-security systems will enable all security and access logging in accordance with the Log Management Standard.
  • Authorization for remote access to computers will be submitted, with valid business justifications, to the Information Security Officer (ISO) for approval.
  • All approved remote access will comply with the Access Control Policy.
  • All approved remote access techniques will be encrypted between the computer and the remote machine.
  • Trusted zones may be explicitly enabled in browsers for specific websites on an as-needed basis.
  • Vendor-supplied defaults will be changed, and unnecessary default accounts removed or disabled, before a computer is installed on the network. This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, payment applications, and Simple Network Management Protocol (SNMP) community strings.
  • All computers will be properly sanitized before their disposal or decommissioning, per the Disposal of Detroit Mercy Protected & Detroit Mercy Sensitive Data Policy.
  • All computers will display a login banner with the following content: “This computer and network are provided for use by authorized members of the Detroit Mercy community. Use of this computer and network are subject to all applicable Detroit Mercy policies, including Information Technology Services policies and any applicable Detroit Mercy Handbooks. Any use of this computer or network constitutes acknowledgment that the user is subject to all applicable policies. Any other use is prohibited. Users of any networked system, including this computer, should be aware that due to the nature of electronic communications, any information conveyed via a computer or a network may not be private. Sensitive communications should be encrypted or communicated via an alternative method.”
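The configuration items in the Baseline and High-Security Standards above (supported OS, patch currency, deny-all inbound firewall, disabled server services, 15-minute screen lock, no local administrators, login banner) can be checked on a Windows workstation with a read-only audit script. The script below is an added example for this page, not a tool published by Detroit Mercy Information Technology Services; it uses standard Windows PowerShell cmdlets and registry locations, and the list of "server-like" service names and the rule for which Administrators members are acceptable are assumptions that should be adjusted to the local environment.

```powershell
# Added example (not part of the Detroit Mercy standard): read-only audit of a
# Windows workstation against the configuration items in the Baseline and
# High-Security Standards. Run from an elevated Windows PowerShell 5.1+ prompt.
# Items the standard delegates to other documents (password, antivirus, logging)
# are not checked here.

$MaxPatchAgeDays     = 30     # Baseline: patches installed within 30 days of release
$MaxLockSeconds      = 15*60  # High-Security: lock after 15 minutes of inactivity
$ServerServices      = @('ftpsvc','SMTPSVC','W3SVC','PNRPsvc','p2psvc','p2pimsvc')  # assumed names
$PolicyKey           = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ExpectedBannerStart = 'This computer and network are provided for use by authorized members'

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding {
    param([string]$Control, [bool]$Pass, [string]$Detail)
    $findings.Add([pscustomobject]@{ Control = $Control; Pass = $Pass; Detail = $Detail })
}

# 1. Operating system: reported for comparison against the vendor lifecycle page,
#    which this offline script cannot query, so the item is informational only.
$os = Get-CimInstance Win32_OperatingSystem
Add-Finding 'OS version (verify vendor support manually)' $true "$($os.Caption) build $($os.BuildNumber)"

# 2. Patch currency: the newest recorded hotfix must be no older than 30 days.
#    Get-HotFix only sees updates in the CBS store, and InstalledOn may be null.
$latest  = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
$ageDays = if ($latest) { (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days } else { [int]::MaxValue }
Add-Finding 'Patches within 30 days' ($ageDays -le $MaxPatchAgeDays) "newest $($latest.HotFixID) installed $ageDays days ago"

# 3. Host firewall: enabled on every profile with DefaultInboundAction = Block.
#    AllowLocalFirewallRules = False (set by GPO) makes user-created rules
#    ineffective, which is how "not alterable by users" is enforced.
foreach ($p in Get-NetFirewallProfile) {
    $ok = ($p.Enabled -eq 'True') -and ($p.DefaultInboundAction -eq 'Block')
    Add-Finding "Firewall profile $($p.Name): deny-all inbound" $ok `
        "Enabled=$($p.Enabled) Inbound=$($p.DefaultInboundAction) LocalRulesAllowed=$($p.AllowLocalFirewallRules)"
}

# 4. Server-like services (FTP, SMTP, web, peer-to-peer) must be disabled, not merely stopped.
foreach ($name in $ServerServices) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc) {
        $ok = ($svc.Status -ne 'Running') -and ($svc.StartType -eq 'Disabled')
        Add-Finding "Service $name disabled" $ok "Status=$($svc.Status) StartType=$($svc.StartType)"
    }
}

# 5. Screen lock: either the machine inactivity limit (security option, seconds)
#    or a secure screen saver with a timeout of at most 15 minutes.
$inactivity = (Get-ItemProperty -Path $PolicyKey -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue).InactivityTimeoutSecs
$ssPaths = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop', 'HKCU:\Control Panel\Desktop'
$ss = $ssPaths | ForEach-Object { Get-ItemProperty -Path $_ -ErrorAction SilentlyContinue } |
      Where-Object { $_.ScreenSaveTimeOut } | Select-Object -First 1
$ssOk   = [bool]$ss -and ([int]$ss.ScreenSaveTimeOut -le $MaxLockSeconds) -and ($ss.ScreenSaverIsSecure -eq '1') -and ($ss.ScreenSaveActive -eq '1')
$lockOk = ($inactivity -and [int]$inactivity -le $MaxLockSeconds) -or $ssOk
Add-Finding 'Screen lock within 15 min, password required' ([bool]$lockOk) "InactivityTimeoutSecs=$inactivity ScreenSaveTimeOut=$($ss.ScreenSaveTimeOut)"

# 6. Local administrators: no ordinary user accounts in the Administrators group.
#    The built-in Administrator is tolerated here; domain groups are reported but not failed (assumption).
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
$extra  = @($admins | Where-Object { $_.ObjectClass -eq 'User' -and $_.Name -notlike '*\Administrator' })
Add-Finding 'No user accounts in local Administrators' ($extra.Count -eq 0) (($admins | ForEach-Object Name) -join ', ')

# 7. Login banner: legalnoticetext must carry the text required by the standard.
$banner   = [string](Get-ItemProperty -Path $PolicyKey -Name legalnoticetext -ErrorAction SilentlyContinue).legalnoticetext
$bannerOk = $banner.StartsWith($ExpectedBannerStart)
Add-Finding 'Login banner configured' $bannerOk "length=$($banner.Length)"

$findings | Format-Table -AutoSize
$failed = @($findings | Where-Object { -not $_.Pass }).Count
Write-Host "$failed non-compliant item(s)"
exit $failed   # non-zero exit lets a management tool flag the host
```

The script reports rather than remediates, so it can be run against a fleet by an endpoint-management tool and its exit code used to flag hosts; remediation (for example `Set-NetFirewallProfile -DefaultInboundAction Block` or `Set-Service -StartupType Disabled`) should be applied through group policy or the management tool rather than by the user, consistent with the High-Security requirement that users cannot alter the firewall.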

Exceptions:

Exceptions to this standard will be handled in accordance with the Acceptable Use & Security Policy.

Emergencies:

In emergency cases, actions may be taken by the Information Security Incident Response Team (ISIRT) in accordance with the procedures in the Incident Response Policy. These actions may include rendering systems inaccessible.

Appendix:

Documents Referenced

  • Acceptable Use & Security Policy
  • Access Control Policy
  • Antivirus Policy
  • Disposal of Detroit Mercy Protected & Detroit Mercy Sensitive Data Policy
  • Electronic Security of Detroit Mercy Protected Data & Detroit Mercy Sensitive Data Policy
  • Incident Response Policy
  • Log Management Standard
  • Network Firewall Standard
  • Password Standard

Definitions

High-Security Systems – Servers, applications, or network computers that store, process or transmit Detroit Mercy Protected Data, per the Data Classification section in the University’s Acceptable Use & Security Policy.

Service Accounts – User accounts that are required by applications as part of their normal function and operation. These accounts are not used by users to log in interactively.

History:

  • June 1, 2021: Initial Policy