Jump to content
School of Medicine Virginia Commonwealth University VCU Medical Center

Information Security

Checklists and Guidelines

  • Security Standards

    The following computer security standards have been adopted by the School of Medicine and are effective as of April 1, 2005. These standards have been put in place to protect your computer from malware, spyware, viruses and unauthorized usage.

    Standard 1 Workstations must use an operating system that is currently supported by the vendor to ensure that security updates are available.
    Standard 2 All workstations must be configured to perform automatic updates of critical patches to the operating systems. There will be exceptions for specialized use such as research labs.
    Standard 3 A centrally supported (VCU/VCUHS) Antivirus Client must be installed on all workstations.
    Standard 4 Spyware scanning and removal must be performed on a regular schedule.
    Standard 5 Confidential business, research, patient and personnel data must be protected by strong passwords and must be stored on VCU Technology Services or VCUHS supported servers.
    Standard 6 Users must not share files using peer-to-peer networks.
    Standard 7 These standards should be implemented before deploying new workstations.

    Standard 1 – Workstations must use an operating system that is currently supported by the vendor to ensure that security updates are available.

    Verify operating system compliance:

    For Windows Computer For Macintosh Computer
    1. Click Start > Run
    2. In the “Run” box, type “winver.” Click OK.
    3. A dialog box appears that contains a logo that tells you the current version of the operating system.
    4. Confirm that the operating system is Windows 2000, XP or Vista.
    1. Click Apple in the upper left corner.
    2. Click About this MAC.
    3. Confirm that the operating system is Mac OS X 10.8

    Back to top

    Standard 2 – All workstations must be configured to perform automatic updates of critical patches to the operating systems. There will be exceptions for specialized use such as research labs.

    Set up automatic updates

    For Windows Computer For Macintosh Computer
    1. On Windows XP computers, Click Start > Control Panel.
      On Windows 2000 computers, click Start > Settings > Control Panel.
    2. Double click the Automatic Updates icon:
      automatic update
    3. The “Automatic Updates” dialog box appears. Select the “Automatic (recommended)” option button.
    4. Make sure to select “Every day” and select a time during the day when you can allow the installation of the updates.
    5. On Windows Vista computers, click Start > All Programs > Windows Update.
    6. In the left pane, click Change settings.
    1. From the Apple menu, choose Software Update.
    2. Click the Check Now button.
    3. Software Update checks for available updates. In the software update window, select the items you wish to install, then click Install. It is recommended that all available updates be installed.
    4. Enter an administrator account name and password when prompted.
    5. After installation finishes, restart the computer if a restart is required.

    Back to top

    Standard 3 – A centrally supported (VCU/VCUHS) Antivirus Client must be installed on all workstations.

    VCU Network
    If you do not have antivirus package on your computer, call the Help Desk (828-2227) or visit the VCU Technology Services anti-virus software page to download and install it yourself. VCU Technology Services provides Sophos Anti-virus to all faculty, staff and students.

    Hospital Network
    All hospital workstations connected to the hospital network must have McAfee Antivirus installed.

    Back to top

    Standard 4 – Spyware scanning and removal must be performed on a regular schedule.

    Please visit the VCU Technology Services page for instructions on configuring virus and spyware scan.

    Back to top

    Standard 5 – Confidential business, research, patient and personnel data must be protected by strong passwords and must be stored on VCU Technology Services or VCUHS supported servers.

    All confidential and sensitive business data must be stored on VCU- or VCUHS-supported server. To request storage space on a central server, please submit a request to SOMTech.

    A strong password is the key to safeguarding confidential information—both yours and other’s. Read VCU’s Standards for Strong Passwords for tips on how to create strong passwords and protect your information.

    Back to top

    Standard 6 – Users must not share files using peer-to-peer networks.

    Peer-to-peer (P2P) programs such as Kazaa, WinMX, Morpheus and Skype are not supported by SOMTech. P2P file sharing programs are prime targets for malicious hacker attacks and must be avoided to protect our network.

    SOMTech will help departments replace P2P printer sharing with network-based IP printing. Research labs that are currently using Microsoft P2P file sharing are encouraged to move their data to more secure storage available on servers managed centrally by the university computing center.

    To request storage space on the Novell or Windows server, please contact SOMTech.

    Back to top

    Standard 7 – These standards should be implemented before deploying new workstations.

    Please submit an online service request or call 828-2227 for help with setting up your new computer. This step ensures that you will be compliant with computer security standards.

    Back to top

  • Security Standards Checklist

    The following summary of key security standards applies to all VCU School of Medicine systems that either contain or have access to VCU School of Medicine business data. For detailed information security standards, click here.

    Definitions:
    Sensitive Data All data that are proprietary to VCU, VCUHS or VCU School of Medicine, where if lost or illegitimately modified, can cause negative impact to the individual units or the institution as a whole. Examples include employee performance evaluations, faculty salary or contract information, and proprietary research data. VCU School of Medicine classifies all business data generated, processed, and received by its employees as sensitive.

    Confidential and Protected Data – Confidential and Protected data are considered the most sensitive, and must be protected with the highest security standards. These data are protected specifically by federal or state law and regulations (e.g. HIPAA, FERPA.)  Loss of confidential and protected data can result in long term loss of funding, ranking and reputation for the school, as well as possible legal actions against the University, School, or the data owner. Confidential and protected data are a subset of sensitive data; therefore, all confidential and protected data are also classified as sensitive.  Examples include student or employee SSN, date of birth, Electronic Protected Health Information (EPHI), and student grades.  Refer to the "School of Medicine Data Classification Guidelines" for authoritative definitions.


    Workstation Security Standard
    • Usage of shared network authentication accounts on computer workstations is strictly prohibited. All users of a computer workstation must have their own dedicated network authentication accounts.
    • Guest accounts must not be enabled or used on any computer workstations.
    • A desktop management system must be used to centrally monitor and patch third-party software security vulnerabilities on all computer workstations.
    • Any Wake-on-LAN or similar remote power management features must be disabled if it is not needed.
    • User must assign complex passwords for accounts used to access sensitive data. The complex password must be at least 7 characters in length, and contain at least one uppercase letter, one lowercase letter, and one numeric or special character. Shared network login accounts are prohibited.
    • The workstation must have an up-to-date VCU or VCUHS approved antivirus program.
    • The firewall must be enabled for the operating system.
    • Autorun feature must be disabled for all CD / DVD / USB drives.
    • User must be prompted for password after 30 minutes of inactivity.
    • Unneeded computer logins and the guest account must be disabled.
    • Current patch levels must be maintained for operating system and commonly used software.
    • Workstation administrative rights must be restricted.
    • The remember password feature for applications and websites must be disabled.
    • All computer workstations are intended to be used for business purposes; a clearly documented computer usage policy must be defined by unit head and communicated to all system users.
    Research Equipment Workstation Security Standard
    • These standards apply to all workstations attached to research equipment.
    • All research equipment workstations must abide by the Workstation Security Standard unless the functionality of the research equipment will be hindered.  Leniencies to the Workstation Security Standard for justifiable Research Workstations are indicated below:
      • The firewall should be enabled for the operating system if possible.
      • Current patch levels should be maintained for the operating system if applicable.
      • Workstation administrative rights should be avoided.
      • Research output should be stored on centrally managed servers if possible.
      • Network connections must be disabled if it is not required by the research equipment.
    Handheld Mobile Device Security Standard
    • Handheld mobile computing devices are classified as SmartPhones, PDAs, and other palm sized computing and communication devices used for business purposes.
    • Handheld devices must be password or PIN protected with a 4 digit pin at minimum.
    • Handheld devices must not be left unattended in public.
    • Any unneeded and unused features and services must be disabled.
    • Handheld devices must automatically prompt the user for their password after a maximum of 60 minutes of inactivity.
    • Sensitive data must not be stored on handheld mobile devices or storage cards without proper encryption.

    Physical Security Standard
    • Facility owner reserves the right to grant or revoke access to a facility.
    • Office doors and / or computers must be locked when a user steps away from the office.
    • Passwords must not be written and stored in areas without physical protection.
    • Documents containing sensitive information must be stored in a physically secure location. Examples include behind a locked door or in a locked drawer.
    • Cable locks must be used for business computer equipment located in a publicly accessible area.
    • Business workstations must be protected with computer grade surge protectors.
    • Servers deemed critical to business operations must be managed in the VCU or VCUHS data center.

    Personnel Security Standard
    • Unique user names and passwords must be assigned to individuals for access to sensitive data stored in any VCU School of Medicine systems.
    • Individuals with access to sensitive data must keep his or her user IDs and passwords confidential. Any sharing of individual user names or passwords is strictly prohibited.
    • All IT System users must complete an information security awareness training annually and certify their acceptance and understanding of the VCU and / or VCUHS ACE information security standards.
    • All IT System users must understand and accept the fact that VCU reserves the right to monitor, and access all data created, sent, received, processed, or stored on VCU systems with a reasonable cause, at reasonable times, and after reasonable notice, except in the event of a bonafide emergency.
    • Unencrypted transmission of confidential and protected data via electronic mail or other electronic transmission medium is strictly prohibited. All electronic transmission of confidential and protected data must be encrypted.

    Data Handling and Storage Standard
    • A data owner must be clearly defined for all business data that is produced, accessed and stored using VCU School of Medicine facilities and workstations.
    • The data owner reserves all rights to the data, and is responsible for determining access controls, transmission, and data retention.
    • All confidential and protected data must be stored on centrally managed network servers under all circumstances.
    • Sensitive data must be stored on centrally managed network servers unless it is authorized by the Information Security Officer, backed up according to VCU or VCUHS standards, and encrypted with industry approved algorithms.
    • All personnel must use individual and unique passwords to logon to any network systems.
    • Users must not share their passwords with others.
    • Passwords must not be stored, sent or received in clear text.
    • Point to point encryption is required when confidential and protected data is accessed or transferred.
    • Sharing of sensitive data with external entities must follow a data sharing agreement that complies with all VCU / VCUHS standards.
    • Confidential and protected data must not be stored on non-VCU or non-VCUHS owned devices.
    • Sensitive data must be disposed of according to VCU or VCUHS standards.
    • If the employee separates from the organization, the data owner must notify the responsible IT system administrator and collect any access tokens, keys or key cards within 24 hours following employee termination.
    • Remote access to business IT systems must be encrypted.
    • All remote access into the VCU Network must use VCU or VCUHS approved tools (WebVPN, F5, Cisco VPN); exceptions must be approved by the appropriate VCU or VCUHS Information Security Officers.
    • The offsite computer used for remote access must meet the Workstation Security Standard.

    Removable Media Storage Security Standard
    • Removable storage media can be moved from workstation to workstation without any physical modification to the computer hardware. Examples of removable storage media include USB drives (thumb drives), CDs / DVDs, Floppy disks, USB or Firewire removable Hard drives, as well as SD, MMC, CF and any other types of storage cards.
    • All removable storage media used to store sensitive data must utilize industry approved encryption standard.
    • Removable storage media used to store confidential and protected data must be password protected and encrypted to meet the FIPS 140-2 compliant encryption standard.

    Business Continuity Management for IT Systems
    • All critical business functions must have a documented business function owner
    • All IT systems supporting critical business functions must have a clearly defined system owner and system administrator.
    • All IT systems must be inventoried and documented. The inventory and documentation must be updated annually to reflect changes.
    • A business impact analysis and risk assessment must be conducted for each business unit at least once every 3 years.
    • A disaster recovery plan must be documented and tested annually.

Data Breach Notification:

  • Immediately report any unauthorized access, misuse, tampering or deletion of sensitive data to the data owner and / or Information Security Office.
  • Immediately report any loss or theft of equipment that contains or has access to sensitive data to the VCU police at 828 – 1196.

Contact Information:

Phone

Electronic reporting

VCU Police

828 - 1196

http://www.vcu.edu/police/reportcr.html

VCU Helpdesk

828 - 2227

http://supportcenter.vcu.edu

VCUHS Helpdesk*

828 - 6447

http://isservicedesk.mcvh-vcu.edu/rapidwebsubmittal/

VCU SOM Security

827 - 9907

somsecurity@vcu.edu

*The VCUHS Helpdesk electronic reporting site is only accessible from VCUHS internal network or VCU SecureNet networks.

Updated 12/9/11