Workstation Security

This list is aimed to help you manage the risk in your environment.  Use it as a means of assessing your information security posture, and as a framework for improvement. More items you complete the less risk you face.

Sensitive data:

  • I house the minimal amount of sensitive data necessary.
  • I store sensitive data on a server instead of my personal system.
  • If I must store sensitive data on a mobile device or laptop, I always encrypt it.
  • I encrypt stored sensitive information where it’s feasible.
  • I always use end-to-end encryption for transmitting sensitive data.
  • I know where sensitive data is stored.
  • I practice the principle of “least privilege” with regards to sensitive data. Baseline Security:

Baseline Security

  • I keep my operating system patches up-to-date.
  • I keep my anti-virus solution up-to-date with patches and signatures.
  • I use complex passwords.
  • I use a host-based firewall.
  • I backup important data.
  • I ensure user authentication (and attempts) are being recorded in the system’s log.
  • I know if sensitive data is stored and/or processed on my system.

Workstation Security:

  • I have removed/disabled unnecessary programs and services.
  • I integrate with Active Directory for enhanced management capabilities.
  • I utilize a software management solution.
  • I implement individual accounts for system users and avoid shared accounts.
  • I make sure the screen is locked while the computer is not being used.

Server Security:

  • My server is registered with the Information Security and Policy Office.
  • Physical access to my server is restricted.
  • My firewall rules are restrictively scoped.
  • I have removed/disabled unnecessary services.
  • The software on my server, applications included, is up-to-date.
  • The software on my server is supported.
  • I do not perform workstation-like activities on my server (i.e. browsing the web).
  • I have implemented appropriate security measures for my server’s services.
  • I am aware that if I discover my system is compromised, I should contact IT Security immediately.
  • If others access my system, I give them as few privileges as I can.
  • There are at least two people with access to/knowledge of my server.
  • My backups allow me to recover my server/services if needed.

Incident Response:

I am aware that if I discover my system is compromised, I must contact the Information Security and Policy Office before I perform any (further) activities on the system.

IT Security
Phone: 319-335-6332
E-mail: it-security@uiowa.edu 

Resources for more information:

Sensitive Data:
http://itsecurity.uiowa.edu/policy/policy-InstitutionalDataAccess.shtml

Security Assessments/Guides:
http://www.cisecurity.org/
http://www.sans.org/score/
http://www.nist.gov/information-technology-portal.cfm
http://www.nsa.gov/ia/mitigation_guidance/index.shtml/
 

General IT Security
http://itsecurity.uiowa.edu
http://www.securemac.com/
http://www.apple.com/support/security/
http://www.microsoft.com/security/default.aspx
 

A few words

If you interact with a computer, computer security is important to you.
Ensure that the integrity, confidentiality, and availability are maintained at an appropriate level when your data (and others’) is at risk.  This need is not short-lived.  Computer security is an ongoing,
ever-evolving, process.
 

Prioritize your efforts.
In the end, security is all about protecting data.  Less data means less risk.  This is especially important with regards to sensitive data.  Delete data that is no longer needed.  If possible, keep data that you need on a server, as this increases availability, makes backups easier, and allows you to recover more quickly from workstation failure.

Don’t reinvent the wheel.
Capitalize on services provided to you whenever and wherever you can to make your life easier. Joining your computer(s) to the Enterprise Active Directory implementation makes user and policy management easier.  Utilize the SMS service to effectively manage your machine(s).

Be in compliance with policy.
Policy is implemented to communicate the management expectation of the University.  IT policy protects you and the University from harm.  Therefore, it is in your best interests to review IT policies periodically to ensure you are in compliance.