• Report an Incident
• Incident Information
• Self Service Security
• Services and Products
• Best Practices
• Policies, Guidelines and Procedures
• Security Awareness, Training and Education (SATE)
• Vulnerability Information
• About EIS
• What's New

---

UCSF Minimum Security Standards for Electronic Information Resources

Effective Date: December 2007

Purpose

UCSF Policy 650-16, Addendum B, defines a requirement for Minimum Security Standards for Electronic Information Resources (EIR). This document is a living document that defines the UCSF Minimum Security Standards that all campus EIRs must comply with.

Overview and Scope

These standards are intended for all departments within the campus community. The UCSF Medical Center has minimum standards that must be met for the Medical Center environment and are separate from these standards.

Non-UCSF devices, including personal computing devices, are expected to meet these standards when used to connect to the UCSF network.  For example, a personal computer that accesses the UCSF network through a VPN connection would be expected to meet these standards.  Additionally, non-UCSF devices are expected to meet these standards when used to conduct UCSF business, including storing or processing UCSF information.

The minimum standards in this document are reviewed, updated for applicability, and approved by the Information Security Committee (ISC) at least once a year or more often as determined by Enterprise Information Security (EIS).

Restricted Information is defined in Appendix A of UCOP BFB IS-3: Information Security.

Minimum Security Standards

Anti-Virus Software

Anti-virus software must be active with current anti-virus signatures on computing devices connected to the network including laptop computers, desktop computers, and servers, except where there are significant compensating controls that would prevent virus infiltration.

OAAIS currently has a contract with Sophos that provides anti-virus software. OAAIS also has a contract with Webroot for their Spyware defense product called SpySweeper. Both of these products are available from the software licensing page.

Email

All email that contains electronic Protected Health Information (ePHI) or other Restricted Information must be encrypted if it is addressed outside the UCSF network environment. An existing service is available to accommodate encrypted email. Secure Email Procedure

Encryption of Restricted Information

Restricted Information that resides on mobile devices or is transmitted over non-UCSF networks must be encrypted. Restricted Information includes, but is not limited to, ePHI and personal information such as Social Security numbers.

Transmit Restricted Information only when necessary.  Store Restricted Information on laptop computers or mobile devices only when necessary.

Host-Based Firewall Software

Firewalls that run on desktops, laptops and servers are often referred to as host-based and/or personal firewalls. Host-based firewall software (if available for the platform) must be running and configured on networked computing devices, including laptop computers, desktop computers, and servers. While the use of departmental network firewalls is encouraged, they do not necessarily obviate the need for host-based firewalls.

OAAIS currently has a contract with Sygate that provides host based firewall solutions. Sygate can be obtained by contacting OAAIS Customer Support at (415) 514-4100 (option 2), or http://help.ucsf.edu/ to request the Sygate product.

Passwords

Campus electronic communication systems or services must identify users and authorize access by means of passwords or other secure authentication processes. Shared-access systems must enforce the Unified UCSF Enterprise Password Standard whenever possible.  Shared-access systems must, whenever possible and appropriate, require that users change any pre-assigned passwords immediately upon initial access to the account.

All default passwords for access to network-accessible devices must be modified. Passwords used by system administrators for their personal access to a service or device must not be the same as those used for privileged access to any service or device.

Physical Security

Unauthorized physical access to an unattended device (including mobile devices) can result in harmful or fraudulent modification of data, fraudulent email use, or any number of other potentially dangerous situations. Whenever possible and appropriate, devices must be configured to "lock" and require a user to re-authenticate if left unattended for more than 20 minutes.

Computing devices that are left unattended must be located in locked areas or otherwise physically secured (e.g., with a cable lock).

Software Patch Updates

Networked computing devices must be kept updated with the most recent applicable security patches. Departments should document and implement a process to apply security patches in a timely fashion. Exceptions may be made for patches that compromise the usability of critical applications; these exceptions should be documented.

Unnecessary Services

Unnecessary services can pose a threat to the computing environment that can potentially be exploited. Unnecessary services must not be running or configured on computing devices.

Prepared by:	OAAIS Enterprise Information Security
Revision Date:	May 1, 2008

Please tell us what you think of our new website