CATEGORY: SUPPORT SERVICES
SECTION: Computing, Information, and Data
SUBJECT: Data Security Policy
EFFECTIVE DATE: January 2021 Revised
I. SCOPE
This policy is designed to protect data located on Public Health computers and computer systems from computer viruses and other malicious code, and to prevent computer loss or theft. This policy is also intended to prevent damage to applications, data, files, and hardware.
Data confidentiality is a critical component of security. A good understanding of data types, their risk levels, and minimum security precautions is necessary to prevent unauthorized access. Refer to http://technology.pitt.edu/security/data-classification-matrix for an overview of University guidelines on data classification and security. Also refer to the University of Pittsburgh’s HIPAA Compliance policy document.
The policies listed below aim to provide as much data security as possible. There are many different avenues of attack; therefore, different protections must be in place to help protect data.
This policy applies to all employees of the School of Public Health, as well as vendors, contractors, partners, students, collaborators, and any others doing business or research with the School. Any other parties who use, work on, or provide services involving School computers and technology systems will also be subject to the provisions of this policy. Every user of the School’s computer resources is expected to know and follow this policy.
II. DEFINITIONS
Anti-Virus software is a program or set of programs installed on a server or workstation and used to detect, prevent, and remove malicious software. Anti-virus software is generally reactive, meaning a signature file must be developed for each new virus discovered and these virus definition files must be uploaded to the software in order for it to scan for the most recently released malicious code. Anti-virus software is available for download on the software download service via the My.Pitt portal.
Desktops are computers that are accessed by users on a daily basis. They are not intended to be moved and are located behind locked doors.
Desktop management software is software that is used to inventory computer software and hardware. It also automates the update process for several applications. Furthermore, it provides checks for potential security risks that may otherwise go unnoticed.
Laptops are computers that are operated by users on a daily basis. They are intended to be moved to different locations and may be exposed to situations where theft could occur.
Malicious software is any type of computer code that infects a machine and performs a nefarious action. Computer viruses, worms, trojans, and ransomware are all examples of malicious software.
Mobile devices are small and easily transportable. They are generally moved to different locations and may be exposed to a high risk of theft. Examples of these devices include tablets and smartphones.
Servers are machines that are used to centrally store data or run applications. Users do not work directly on these machines. They are not intended to be moved and are protected behind locked doors.
III. POLICY
Servers
- All servers will be managed either by Public Health IT or by Pitt IT, which will provide the following:
  - Central management of Microsoft updates.
  - Central management of overall system health, including hardware, software, events, and performance monitoring.
  - Central management of anti-virus software.
- All servers will have security software (anti-virus and anti-malware) installed and configured to automatically update definition files. These programs must be actively running, and it is imperative that these processes are not disabled or impeded in any way.
- A full disk virus scan will be periodically conducted with findings reported to an internal server.
- All files on the server will be scanned periodically for personally identifiable information. All files found with personally identifiable information will be removed unless the server has been designated to store such information by Pitt IT.
- All servers will have desktop management software installed. This software is NOT to be disabled, modified or removed.
- Any server that is using an operating system that is no longer supported must be upgraded or decommissioned.
Desktops
- All desktops will be managed by the Public Health IT group, which will provide the following:
  - Central management of Microsoft updates.
  - Central management of software updates.
  - Central management of overall system health, including hardware, software, events, and performance monitoring.
  - Central management of antivirus and anti-malware software.
- All desktops connected to the network will have security software (anti-virus and anti-malware) installed and configured to automatically update definition files. These programs must be actively running, and it is imperative that these processes are not disabled or impeded in any way.
- A full disk virus scan will be periodically conducted with findings reported to an internal server.
- Desktops that access confidential or PII data will be encrypted.
- Standard user accounts will be required to limit exposure to and the installation of malicious software.
- All users will scan their computer using Spirion (formerly called Identity Finder) every six months. Any files found containing personally identifiable information will be redacted or deleted.
- All desktop computers will have desktop management software installed. This software is NOT to be disabled, modified or removed.
- Any desktop computer using an operating system that is no longer supported (End of Life) must be either upgraded or decommissioned.
Laptops
- All laptops will be managed by the Public Health IT group, which will provide the following:
  - Central management of Microsoft updates.
  - Central management of software updates.
  - Central management of overall system health, including hardware, software, events, and performance monitoring.
  - Central management of antivirus and anti-malware software.
- All laptop computers connected to the network will have security software (anti-virus and anti-malware) installed and configured to automatically update definition files. These programs must be actively running, and it is imperative that these processes are not disabled or impeded in any way.
- A full disk virus scan will be periodically conducted with findings reported to an internal server.
- All laptops will be configured with encryption software to protect all data on the device. The encryption software is not to be disabled, modified or removed.
- Standard user accounts will be required to limit exposure to and installation of malicious software.
- All users will scan their computer using Spirion (formerly called Identity Finder) every six months. Any files found containing personally identifiable information will be redacted or deleted.
- All laptop computers will have desktop management software installed. This software is NOT to be disabled, modified or removed.
- Any laptop using an operating system that is no longer supported (End of Life) must be either upgraded or decommissioned.
Mobile Devices
Currently, mobile devices are not managed by the School of Public Health. If the use of such a device is required, collaboration with the Public Health IT group will be necessary to recommend the best hardware and current protections available for the device.
NEVER store sensitive or confidential data directly on a mobile device unless you have authorization from Pitt IT to do so.
All Devices
- Confidential data will NOT be stored on USB or external devices without encryption.
- If a device has become infected or compromised, it will be disconnected from the network until the infection has been removed. Data loss may occur depending on the severity.
- Any local accounts created on devices will use complex passwords. Contact Public Health Technology Services for details.
- Local accounts are not to be modified without the permission of Public Health Technology Services.
- Disabling or modifying any security software or security policy is prohibited without the permission of Public Health Technology Services.
- It is not permissible for anyone other than a workstation’s primary user, that user’s supervisors, or IT personnel to access a workstation or resources on the University network, as harm could inadvertently be done to Public Health or University resources, assets, or research.
- All devices must be locked when not in use.
- The installation of hardware on any device is prohibited.
- The installation of any software is not permissible without the permission of the Public Health IT group.
- University approved services and software must be used for all University work. Approved service providers ensure adequate data protections and support in the case of issues involving University data. Services like Box, OneDrive, DocuSign, Qualtrics, Office 365, Microsoft Teams, Zoom, etc., are all examples of approved service providers.
- The use of common document storage and communication services, such as Google (including Gmail, Docs, Sheets, and Slides), Discord, and Dropbox for University work is strictly prohibited. The University currently has no data storage/services agreement with these companies. The use of these services exposes University data and intellectual property to potential hacking threats.
- The use of Cloud File Storage Solutions (Box, Dropbox, OneDrive, etc.) for confidential and sensitive data is prohibited. Contact Public Health IT group for details.
Exceptions to this policy may be granted if a user and/or installed software cannot operate under these policies. Each exception will be evaluated to determine the risks associated with omitting specific protections. Users that require exceptions will be required to undergo training to understand the risks and develop habits and strategies to mitigate those risks. These users will also be required to sign an annual agreement.
This policy will not supersede any University of Pittsburgh policies but may introduce more stringent requirements.