Computer Security Standard
This standard applies to all computers, defined as any workstation, desktop or laptop that is:
- Owned or managed by Loyola University Chicago
- Connected to Loyola University Chicago networks
- Connected to Loyola University Chicago resources or services
- Storing Loyola University Chicago data
The owner of a computer may use it at his or her discretion; however, once that computer is connected to the University network or is used to store university data, it is subject to applicable laws and regulations, and to University policies.
The purpose of this document is to establish standards for the base configuration of University computers. Effective implementation of this standard will minimize security incidents involving University resources. This document is divided into two sections: the Baseline Standard and the High Security Standard. All in-scope computers will be configured to the Baseline Standard. All computers connected to high security systems will conform to both the Baseline Standard and the High Security Standard.
Baseline Standard
The following requirements must be adhered to by the user of the computer:
- Computers must use a vendor supported operating system that currently receives vendor security updates and technical support. Security updates patch vulnerabilities that may be exploited by malware and help keep users and their data safer. Unsupported operating systems will not be allowed to connect to the network.
- Users must lock their computer or logout prior to leaving the area to prevent unauthorized access.
- Each user account must have its own unique local profile. The University does not allow the use of shared local profiles when logging in to a Loyola workstation.
- Computers will comply with the ITS Password Standard.
- Computers will comply with the ITS Antivirus Standard.
- Computers will comply with the Electronic Security of Loyola Protected Data & Loyola Sensitive Data Policy.
- A personal firewall will be enabled on the computer and will filter inbound traffic to the host with a default "deny all" policy, so that only explicitly required inbound services are allowed.
- Users will implement anti-spyware on their computer.
- Users will disable unneeded services (e.g., SMTP or FTP) that the operating system enables by default.
- Users will regularly check for and install all critical and security patches for the operating system and applications as soon as possible, and no later than 30 days after their release.
- Computers will be configured to at least the minimum settings of the latest applicable CIS Benchmark for their operating system, and that configuration will be maintained at all times.
High Security Standard
All computers procured, operated or contracted by the University that connect to or interact with a high security network zone, as defined in the ITS Network Firewall Policy, or that store Loyola Protected Data, must adhere to the following rules in addition to the Baseline Standard:
- The operating system will be configured in accordance with approved Information Security guidelines, as referenced in the Appendix.
- Users will enable a password-protected screen saver that locks the desktop after no more than 15 minutes of inactivity.
- Users may not be administrators of the local machine.
- Users will not login using generic, shared or service accounts.
- Users will position monitors so that Protected Data cannot be viewed by anyone other than the operator.
- The computer will not function as a server (e.g., it will not provide file shares or run web, FTP or peer-to-peer services).
- The computer will not access high security systems or networks using wireless technology except via VPN.
- Computers that access high security systems will enable all security and access logging in accordance with the ITS Log Management Standard.
- Authorization for remote access to computers will be submitted, with valid business justification, to the Information Security Officer (ISO) for approval.
  1. All approved remote access will comply with the ITS Access Control Policy.
  2. All approved remote access techniques will encrypt traffic between the computer and the remote machine.
- The computer must be affixed with a Loyola Asset Tag inventory barcode.
- Users are encouraged to use an alternative browser, such as Firefox.
  1. Where an alternative browser is not available, Internet Explorer (IE) may be used as long as ActiveX is disabled in all IE zones except Trusted Sites.
  2. Specific web sites may be added to the Trusted Sites zone explicitly, on an as-needed basis.
- Default accounts that are not used, such as Guest, will be disabled and their default passwords changed.
- All computers will be properly sanitized prior to their disposal or decommissioning, per the Disposal of Loyola Protected Data & Loyola Sensitive Data Policy.
- All computers shall display a login banner with the following content: This computer and network are provided for use by authorized members of the Loyola community. Use of this computer and network are subject to all applicable Loyola policies, including Information Technology Services policies and any applicable Loyola Handbooks. Any use of this computer or network constitutes acknowledgment that the user is subject to all applicable policies. Any other use is prohibited.
Users of any networked system, including this computer, should be aware that due to the nature of electronic communications, any information conveyed via a computer or a network may not be private. Sensitive communications should be encrypted or communicated via an alternative method.
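As an added illustration, not part of this standard and not an ITS tool, the following PowerShell script audits a Windows workstation against the items above that can be checked mechanically: firewall default-deny inbound, screen saver lock timeout, local Administrators membership, the Guest account, the login banner, and ActiveX per IE zone. The registry locations and value meanings are the standard Windows ones; the pass thresholds it applies (900 seconds, the banner phrase, IE zones 0/1/3/4 treated as the non-Trusted zones) are assumptions drawn from the text. It changes nothing and can be run from a standard user session.

```powershell
# Added example, not part of the Loyola standard or of any ITS tooling: a read-only
# audit of a Windows workstation against the checkable items of the Baseline and
# High Security Standards. Thresholds (900 s, banner phrase, zone numbers) are
# assumptions taken from the standard's text. Nothing is modified.

function Get-FirstRegValue {
    # Return the first value found across several registry paths (a Group Policy
    # path first, then the per-user path), or $null if none is set.
    param([string[]]$Paths, [string]$Name)
    foreach ($p in $Paths) {
        $v = Get-ItemProperty -Path $p -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $v) { return $v.$Name }
    }
    return $null
}

function Test-WorkstationStandard {
    $checks = New-Object System.Collections.Generic.List[object]
    $add = { param($Check, $Pass, $Actual)
        $checks.Add([pscustomobject]@{ Check = $Check; Pass = [bool]$Pass; Actual = "$Actual" }) }

    # Baseline: personal firewall enabled with a default-deny inbound policy on every profile.
    foreach ($p in Get-NetFirewallProfile) {
        & $add "Firewall profile '$($p.Name)' enabled, inbound default Block" `
               (("$($p.Enabled)" -eq 'True') -and ("$($p.DefaultInboundAction)" -eq 'Block')) `
               "Enabled=$($p.Enabled) DefaultInbound=$($p.DefaultInboundAction)"
    }

    # High Security: password-protected screen saver that locks within 15 minutes (900 s).
    $deskPaths = @('HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop',
                   'HKCU:\Control Panel\Desktop')
    $active  = Get-FirstRegValue $deskPaths 'ScreenSaveActive'
    $secure  = Get-FirstRegValue $deskPaths 'ScreenSaverIsSecure'
    $timeout = [int](Get-FirstRegValue $deskPaths 'ScreenSaveTimeOut')   # REG_SZ, seconds
    & $add "Screen saver locks within 15 minutes" `
           (($active -eq '1') -and ($secure -eq '1') -and ($timeout -gt 0) -and ($timeout -le 900)) `
           "Active=$active Secure=$secure TimeOut=$timeout"

    # High Security: the interactive user is not a member of the local Administrators group.
    $me     = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name   # DOMAIN\user
    $admins = @((Get-LocalGroupMember -Group 'Administrators').Name)
    & $add "Current user '$me' not in local Administrators" (-not ($admins -contains $me)) ($admins -join ', ')

    # High Security: unused default accounts such as Guest are disabled.
    $guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
    & $add "Guest account disabled or absent" (($null -eq $guest) -or (-not $guest.Enabled)) `
           $(if ($guest) { "Enabled=$($guest.Enabled)" } else { 'absent' })

    # High Security: login banner present and carrying the required notice text.
    $banner = Get-FirstRegValue @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System') 'legalnoticetext'
    & $add "Login banner set with the Loyola notice" `
           ((-not [string]::IsNullOrWhiteSpace($banner)) -and ($banner -like '*authorized members of the Loyola community*')) `
           $(if ($banner) { $banner.Substring(0, [Math]::Min(60, $banner.Length)) + '...' } else { 'not set' })

    # High Security: "Run ActiveX controls and plug-ins" (action 1200) must be Disable (3)
    # in every IE zone except Trusted Sites (zone 2).
    # Zones: 0 Local Machine, 1 Local Intranet, 2 Trusted Sites, 3 Internet, 4 Restricted Sites.
    foreach ($zone in 0, 1, 3, 4) {
        $zonePaths = @("HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zone",
                       "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zone")
        $v = Get-FirstRegValue $zonePaths '1200'
        & $add "IE zone $zone ActiveX disabled (1200=3)" ($v -eq 3) "1200=$v"
    }

    return $checks
}

$results = Test-WorkstationStandard
$results | Format-Table -AutoSize -Wrap
$failed = @($results | Where-Object { -not $_.Pass }).Count
Write-Host "$failed check(s) failed"
```

The administrator check compares the interactive user's name against direct members of the local Administrators group only; membership granted through a nested domain group (for example a domain group placed in the local Administrators group) is not expanded, so on domain-joined machines a failing result is reliable but a passing one should be confirmed against the domain group membership. The firewall and screen-saver checks read effective policy where Group Policy sets it, so a machine can pass even when the per-user registry values look different.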
Exceptions to this policy will be handled in accordance with the ITS Security Policy.
This policy will be maintained in accordance with the ITS Security Policy.
In emergency cases, actions may be taken by the Incident Response Team in accordance with the procedures in the ITS Incident Response Handbook. These actions may include rendering systems inaccessible.
High Security Systems - Servers, applications or network computers that store, process or transmit Loyola Protected Data, per the Data Classification Policy.
Service Accounts - User accounts that are required by applications as part of their normal function and operation. These accounts are not used by users to login interactively.
January 24, 2011: Initial Policy
October 19, 2012: Annual review for PCI Compliance
October 22, 2012: Corrected links, Removed vendor specific references
July 12, 2013: Annual review for PCI Compliance, Corrected Links
June 5, 2014: Annual review for PCI Compliance
September 16, 2014: Added supported operating system reference