About this requirement
Date of last update: 04/15/2024
Requirement Statement
The College of Arts + Sciences has a diverse collection of research, teaching, business, and center-based workstations to support our vast research and business efforts. The College is committed to following all IU computing policies and industry best practices for workstation management, including:
- Guidelines in the IT-12 Security of Information Technology Resources and IT-28 Cyber Risk Mitigation Responsibilities will be followed on all systems
- An assessment of the nature of the data being stored on workstations will be made and appropriate actions taken to secure all Institutional Data (Critical/Restricted/University-Internal) per IU regulations.
- All Windows and Mac OS workstations will run anti-virus software
- Workstations needing access to Institutional Data (Critical/Restricted/University-Internal) will use secure servers housed at the Data Center (preferably as II VMs). Workstations will use folder redirection policies to enable storage of Institutional Data (Critical/Restricted/University-Internal) on file servers located in the Data Center. Local storage of Institutional Data (Critical/Restricted/University-Internal) will not be allowed without a demonstrated need, approval of the Leader for College Information Security & Policy and the use of local data encryption.
- All systems will run host-based firewalls (e.g. Windows Firewall, Linux iptables, etc.) with as limited a scope (ports and source IP addresses) as possible to accomplish the required task.
- Systems that allow logins from non-IU IP space will deny all access from hosts that repeatedly attempt and fail to log in when possible.
- Accounts and access will be limited based on required need, authentication will be against the IU AD Servers using IU passphrases, and accounts will be promptly disabled when people leave IU.
- Workstation users will have no elevated privileges on workstations. Exceptions will be granted only per the exceptions listed in the Exceptions to Policy section of this policy.
- A screen lock timeout will be enforced with an inactivity timeout not to exceed 15 minutes
- Supported operating systems will be chosen for their reliability, maintainability, and security.
- Workstations that are too old to run a currently supported OS will be retired and sent to IU surplus.
- Automated techniques (e.g. SCCM for Windows, JAMF for Macintosh, and Kickstart for Linux) will be employed to allow for quick and uniform deployment of systems.
- All workstations in public spaces will have a BIOS password and restricted booting order set to prevent users from booting to external devices.
- Operating System patches will be managed and monitored from a single, central location using tools like SCCM (Windows), RHN (Linux), and JAMF (Mac). Security-related software updates are applied as soon as is practicable (following the 24/48/72 hour standard outlined in IT-12).
- Workstations in open labs will never be used to store Institutional Data (Critical/Restricted/University-Internal) and will be secured using physical security mechanisms.
- External vulnerability scanning will be performed, per IT Procedure: Qualys Vulnerability Scans (Pending)
- Systems will be disposed of in a secure manner, per College IT Requirement: System and Media Disposal
- Any security breaches will be handled per College IT Requirement: Incident Response
- Professional College IT Staff will be properly trained in both industry best practices and IU policies.
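The requirement above that systems reachable from non-IU IP space deny hosts that repeatedly fail to log in can be checked directly against authentication logs. The following is an added example, not part of the College's requirement document or any College tool: it parses constructed sshd log lines, counts failed password attempts per source address inside a sliding time window, and returns the addresses that cross a threshold. The log format, the threshold of 5 failures in 10 minutes, the hostname and every address are assumptions made for the example.

```python
"""Repeated-failed-login detection over constructed sshd log lines.

Added example for the "deny hosts that repeatedly fail to log in"
requirement; it is not the College's own code. The log lines, the
threshold and the window length are assumptions made here.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the syslog format sshd writes on Linux.
# Hostname, usernames and addresses are placeholders (documentation ranges).
SAMPLE_AUTH_LOG = """\
Apr 15 09:00:01 ws-lab-07 sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 51122 ssh2
Apr 15 09:00:03 ws-lab-07 sshd[2213]: Failed password for root from 203.0.113.9 port 51130 ssh2
Apr 15 09:00:05 ws-lab-07 sshd[2215]: Failed password for invalid user test from 203.0.113.9 port 51140 ssh2
Apr 15 09:00:06 ws-lab-07 sshd[2217]: Accepted publickey for jdoe from 198.51.100.20 port 40001 ssh2
Apr 15 09:00:08 ws-lab-07 sshd[2219]: Failed password for invalid user oracle from 203.0.113.9 port 51150 ssh2
Apr 15 09:00:10 ws-lab-07 sshd[2221]: Failed password for jdoe from 198.51.100.20 port 40010 ssh2
Apr 15 09:00:12 ws-lab-07 sshd[2223]: Failed password for invalid user guest from 203.0.113.9 port 51160 ssh2
Apr 15 09:31:00 ws-lab-07 sshd[2300]: Failed password for invalid user pi from 192.0.2.44 port 33001 ssh2
Apr 15 09:31:02 ws-lab-07 sshd[2302]: Failed password for invalid user pi from 192.0.2.44 port 33002 ssh2
"""

# Matches only failed password attempts; accepted logins are ignored.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text, year=2024):
    """Yield (timestamp, source_ip, username) for every failed password line.

    Syslog lines carry no year, so the caller supplies one (assumed 2024).
    """
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]


def hosts_to_deny(log_text, max_failures=5, window=timedelta(minutes=10)):
    """Return the sorted source addresses that reach max_failures failed
    logins within any sliding window of the given length.

    A per-address deque holds the timestamps still inside the window;
    older entries are dropped as the log is walked in time order, so a
    slow trickle of failures spread over hours does not trigger a deny.
    """
    recent = defaultdict(deque)
    denied = set()
    for ts, ip, _user in sorted(parse_failures(log_text)):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= max_failures:
            denied.add(ip)
    return sorted(denied)


if __name__ == "__main__":
    for ip in hosts_to_deny(SAMPLE_AUTH_LOG):
        print(f"deny {ip}: repeated failed logins")
```

With the sample input, only 203.0.113.9 reaches five failures inside ten minutes; the single failure from the legitimate user and the two failures from 192.0.2.44 stay below the threshold. The returned list is the kind of output a host-based tool would feed into the workstation's firewall deny rules, and the threshold and window are the knobs to tune against the false-positive rate of mistyped passphrases.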
Exceptions to Requirement
- Users are not authorized for elevated privileges to systems other than through written requests and with justification. Requests will be granted only with approval of the Leader for College Information Security & Policy in partnership with the Leader for College IT Research, Infrastructure and Support. In such cases, elevated privileges will be granted via a separate admin account or sudo. The primary login account will never have administrator privileges.
- Given the unique computing requirements of computing research being done within the College, workstations may need to run operating systems and software not supported by the College IT Research, Infrastructure and Support (CITRIS) group. Such cases are governed by the College IT Requirement: Administrator Access and Co-Support
Procedures
Workstation installation procedures
References:
- IU KB: Best Practices for Computer Security
- IU KB: What is the principle of least privilege?
- IU KB: Where can I find information about Unix workstation security?
- Protect IU: Secure Your Computer
- Protect IU: Information Security Best Practices
- IU Policy: Security of Information Technology Resources IT-12
- College IT Requirement: Sudo Privilege Policy (Pending)
- College IT Requirement: Self-Managed System Policy
- College IT Requirement: Supported Linux Configurations (Pending)
