Many University of Denver offices deal with private information on a daily basis. The University's Privacy Policy, Confidentiality Statement, and rules such as FERPA and HIPAA cover these practices.
These additional requirements are intended to assure that protected information remains private. Employees who fail to follow these requirements may be subject to disciplinary action.
Computer Access
- University-owned computers must be registered with IT and Campus Safety.
- Computers must require a username and a strong password on start up. (Strong passwords are at least 6 characters long and consist of a mixture of upper letters, lowercase letters, digits and special characters.)
- Each person who uses a computer must have a separate login. (This can be effected by requiring users to log onto a Windows Domain). Sharing logins among computer users is prohibited.
- Computers must be password-protected when left unattended. (Log off, lock your computer, and/or set up a password-protected screen-saver with a time-out of 10 minutes or less.)
Software
- Computers must run an operating system approved by IT.
- Security patches to computer operating systems and application software must be kept up to date.
- An anti-virus program approved by IT must be installed and in operation at all times. Virus signatures must be updated at least weekly. Computers should be scanned for viruses at least weekly.
- An anti-spyware program approved by IT must be installed and in operation at all times. Spyware signatures must be updated at least weekly. Installation of software that monitors activities is prohibited. Computers should be scanned for spyware at least weekly. Programs that record activities must be removed.
- A personal firewall approved by IT must be run at all times.
Electronic Data Protection
- Protected information may be stored only in approved storage locations.
- Protected information stored on office computers, home computers and laptops must be encrypted. (See Software and Procedures Approved by Information Technology for an approved, easy-to-use encryption tool).
- Before computers and rewritable storage media (e.g., hard disks, other magnetic media, and flash memory devices such as key chain storage devices) are transferred between University departments or to different employees within a University department, all files that the recipients are not explicitly authorized to access must be deleted and free space must be erased. (See Software and Procedures Approved by Information Technology for an approved tool for erasing free space).
- When computers and rewritable storage media are discarded or sold outside the University, rewritable storage media must be erased by overwriting with meaningless data. (See Electronic Equipment Disposal Guidelines and Software and Procedures Approved by Information Technology for additional information).
- Media such as CDs and DVDs that are not rewritable must be physically destroyed before they are discarded.
Additional Recommendations
- Password lists, if they are used at all, should be adequately protected. One way to do this is to use free open source program Password Safe for Windows to keep an encrypted list of your passwords. (Do not attach lists of passwords to your computer.)
- Avoid saving passwords in web browsers.
- Use your University of Denver password(s) only for accessing University of Denver services. Use different passwords for accessing services at other Internet sites.
- Disable file sharing and other network services unless they are needed to support programmatic work. File-shares or folders that contain private information should be protected by strong passwords.
- Use encrypted protocols in preference to unencrypted protocols for transferring information across the network. (E.g., When possible, use protocols like ssh and sftp instead of telnet and ftp.)