Medical College of Georgia Administrative Policies and Procedures
Office of Primary Responsibility: Information Technology Support & Services
No. 2.4.08
Workstation Configuration
1.0 Purpose
The purpose of this document is to establish standards for the base
configuration of workstation computers that are authorized to operate within the
Medical College of Georgia. Since data that is created, manipulated and stored
on these systems may be proprietary, sensitive or legally protected, it is
essential that the computer systems and computer network, as well as the data
they store and process, be operated and maintained in a secure environment and
in a responsible manner. It is also critical that these systems and machines be
protected from misuse and unauthorized access. Therefore, ITSS requires that all
access to workstations be authorized and that all data be safeguarded.
2.0 Scope
This policy applies to all workstations connected to the University’s
network. This includes all University and non-University owned workstations
including personally owned machines. This policy applies to all users of
computing resources owned or managed by the Medical College of Georgia,
including, but not limited to, University employees, students, guests,
contractors, temporary staff, vendors, external individuals or organizations,
and individuals accessing Medical College of Georgia computing resources through
external network services, such as the Internet. Workstations configured to
share or distribute resources such as FTP, web services, and file and print
services must comply with the
Server Security Policy.
3.0 Policy
Ownership and Responsibilities
All MCG-owned workstations connected to the Medical College of Georgia network
must have an MCG asset tag, should follow industry standard configuration
guidelines, and should monitor configuration compliance with campus guidelines.
4.0 General Configuration Requirements
- Operating System configuration should be in accordance with industry
standards and campus guidelines. Operating systems no longer supported by
the vendor must be upgraded or decommissioned.
- Account and application passwords must comply with the
Password Protection Policy.
- Services that are not used must be disabled.
- The most recent security patches must be installed on the system in a
timely manner, the only exception being when immediate application would
interfere with business requirements.
- Workstations used to access
PHI (Protected Health Information) or sensitive information must be
configured so that information cannot be viewed or copied by unauthorized
users. All such workstations must use appropriate tools such as password
protected screen savers, data encryption, or applications with automatic log
off capabilities where practical.
- Peer to peer file sharing programs are not permitted on the MCG campus
network.
- Workstations may not be configured to automatically connect to any MCG
campus network resources that require a login.
- Anti-spyware software is strongly recommended.
5.0 Public Access Computers
Public Access Computers operating on the MCG campus network are subject to the
same requirements as listed in this policy. The following additional
requirements apply:
- No sensitive information is to be stored or transmitted on public access
computers.
- Any automatic logins should be used by the local machine only, with no
administrative rights.
- No public access machine should be configured to automatically log in to
ANY network resources.
- Access to all directories and files on the machine must be restricted as
much as feasible.
6.0 Personally Owned Computers
Personally owned computers operating on the MCG campus network are subject
to the same requirements as listed in this policy. The following additional
requirements apply:
- PHI or other sensitive data may not be stored on personally owned
computers.
- Upon separation from the Medical College of Georgia or before disposing
of personally owned computers that have been used on the MCG campus network,
owners must completely remove any MCG licensed software that may have been
installed on the computer.
7.0 Transfer
All workstations must be re-imaged before any transfer of custody of current
ownership within the institution.
8.0 Disposal
All workstations must be properly sanitized in compliance with the MCG
Electronic Data Disposal Policy (http://www.mcg.edu/policies/1108.html)
before redistribution outside the institution.
9.0 Compliance
All systems are subject to audit by ITSS Security Administration.
Designated system administrators and/or system owners must cooperate with ITSS
Security Administration personnel during the audit process. Workstations not
conforming to this policy will be disconnected from the MCG campus network.
Workstations that have been removed from the MCG campus network will not be
allowed to reconnect to the network until it can be demonstrated that they
conform to this policy.
10.0 Related Documents
Date: 22 December 2005 | Rev. No. NEW | Rev. Date: | No. 2.4.08