The Security Procedures for Computers storing Personal Information are used to ensure an adequate level of protection for these computers against information-security-related threats such as hacker attacks, worms, viruses, and other malicious activities. These procedures are required for all SMU-owned computers which store Personal Information, as defined in Policy 12.x Use and Protection of Personal Information.
A. DEFINITIONS
1. Computer – defined in University Policy 12.x Use and Protection of Personal Information
2. Personal Information – defined in University Policy 12.x Use and Protection of Personal Information
B. PROCESS
SMU Computers which store Personal Information must meet all of the requirements below:
1. Use an idle time password.
Your computer must be locked whenever you are away from it. Even if you only step away from your computer for a few minutes, that can be enough time for someone to steal, destroy, or corrupt information on your computer. Locking your computer prevents another person from being able to simply sit down at your computer and access all of your information. Idle time passwords must activate in 5 minutes or less. Instructions to add idle time passwords to your computer are as follows:
i. Windows Screen Saver/Password
ii. Mac Screen Saver/Password
2. Use a personal firewall.
A personal firewall is traditionally a piece of software installed on an end-user’s computer which controls communications to and from the user’s computer, permitting or denying communications based on a security policy. Personal firewalls can help to protect your computer from unauthorized access.
Windows XP has an integrated personal firewall, called the Windows Firewall. Mac OS X also contains a built-in firewall. You will need to enable the firewall application in both the Windows and Mac environments. Instructions to enable personal firewalls are on the Firewall page.
3. Network access to computers will be restricted.
Desktops and laptops will have their access to the network and the Internet limited to the minimum amount necessary for the computer to offer the services for which it is intended.
4. Use anti-virus software, and keep definitions up-to-date.
Viruses are self-replicating programs that spread by inserting copies of themselves into other executable code or documents. Viruses are one of the several types of malware, or malicious software. In common parlance, the term “virus” is often extended to refer to computer worms and other sorts of malware.
All SMU-owned computers must have anti-virus software installed on them. For non-SMU computers, SMU makes anti-virus software available to students, faculty and staff. Faculty and staff can download anti-virus software for free, and students may purchase anti-virus software at very reasonable rates. Computers should be scanned regularly for viruses. To obtain the anti-virus software, go to http://smu.edu/help/download/index.asp.
Outdated virus definitions provide little defense against threats to your computer. Be sure to keep your virus definitions up-to-date, or configure your anti-virus program to update the virus definitions automatically on a regular basis.
5. Physical access to computers will be restricted.
Only authorized SMU faculty, staff, students, and approved third parties will be allowed physical access to computers. Business unit operating procedures define individual access to computers. Physical access will be restricted as follows:
i. Desktop computers must be located in a limited access area, such as an office or room that can be locked when the computer is not in use (no public areas or common spaces).
ii. Mobile computers must be located in a limited access area, such as an office or room that can be locked when the computer is not in use (no public areas or common spaces). In addition, mobile computers must be physically secured by one or more of the following means when not in use:
a. Held down with a computer “cable lock”
b. Stored in a locked closet, drawer, or cabinet
6. Mobile / portable computers which store Personal Information must store the Personal Information in an encrypted format. Instructions to encrypt data on your mobile / portable computer are as follows:
i. Windows – appropriate methods currently being researched.
ii. Mac – appropriate methods currently being researched.
7. Patch your computer's OS and other software.
Patches are software updates meant to fix problems with computer programs, including operating systems, office suite software, and other applications. New vulnerabilities in computer programs are frequently discovered, and vendors create patches to mitigate these vulnerabilities. The patches are then made available to end users, so that they can apply the patches to their systems and protect themselves.
Periodically, users should check for patches, updates, and/or service packs for software products on their computers. Three common places where updates may be found are:
i. Microsoft Windows Update http://windowsupdate.microsoft.com
ii. Mac Updates and Support http://www.apple.com/support
iii. Office Updates http://office.microsoft.com/en-us/officeupdate/default.aspx
Patches for software not mentioned here are often available directly from the software vendor's website.
8. Use anti-spyware software, and keep definitions up-to-date.
Spyware is software installed on a computer that collects and transmits user information to advertisers or other interested third parties, often without the knowledge or awareness of the user. These programs may capture sensitive information such as usernames and passwords, credit card numbers, etc. They also interfere with the normal operations of your computer.
Outdated spyware definitions provide little defense against threats to your computer. Be sure to keep your spyware definitions up-to-date, or configure your anti-spyware program to update the spyware definitions automatically on a regular basis.
For technical assistance with the implementation of any of these requirements, contact the ITS Help Desk at http://help.smu.edu or 214.768.4357.
C. SECURITY ASSESSMENTS
ITS Security Staff may conduct security assessments, including vulnerability testing, at their discretion to ensure that Personal Information is appropriately protected. Users must take remedial action to address any vulnerability or issue identified in security assessments. This may include, but is not limited to, contacting the Help Desk for assistance.
D. BREACH NOTIFICATION
In the event of a security breach, or a suspected security breach, members of the campus community are responsible for reporting the incident to appropriate Information Technology Services staff. Contact information for the reporting of security breaches is maintained by Office of Information Technology staff; visit the Contacts page.