Information Security
Standards and Checklists
- Security Standards
The following computer security standards have been adopted by the School of Medicine and are effective as of April 1, 2005. These standards have been put in place to protect your computer from malware, spyware, viruses and unauthorized usage.
- Standard 1: Workstations must use an operating system that is currently supported by the vendor to ensure that security updates are available.
- Standard 2: All workstations must be configured to perform automatic updates of critical patches to the operating systems. There will be exceptions for specialized use such as research labs.
- Standard 3: A centrally supported (VCU/VCUHS) Antivirus Client must be installed on all workstations.
- Standard 4: Spyware scanning and removal must be performed on a regular schedule.
- Standard 5: Confidential business, research, patient and personnel data must be protected by strong passwords and must be stored on VCU Technology Services or VCUHS supported servers.
- Standard 6: Users must not share files using peer-to-peer networks.
- Standard 7: These standards should be implemented before deploying new workstations.
Standard 1 – Workstations must use an operating system that is currently supported by the vendor to ensure that security updates are available.
Verify operating system compliance:
For Windows Computer
- Click Start > Run.
- In the “Run” box, type “winver.” Click OK.
- A dialog box appears that contains a logo and tells you the current version of the operating system.
- Confirm that the operating system is Windows 2000, XP or Vista.
For Macintosh Computer
- Click Apple in the upper left corner.
- Click About this Mac.
- Confirm that the operating system is Mac OS X 10.3, 10.4 or 10.5.
Standard 2 – All workstations must be configured to perform automatic updates of critical patches to the operating systems. There will be exceptions for specialized use such as research labs.
Set up automatic updates
For Windows Computer
- On Windows XP computers, click Start > Control Panel. On Windows 2000 computers, click Start > Settings > Control Panel.
- Double click the Automatic Updates icon.
- The “Automatic Updates” dialog box appears. Select the “Automatic (recommended)” option button.
- Make sure to select “Every day” and select a time during the day when you can allow the installation of the updates.
- On Windows Vista computers, click Start > All Programs > Windows Update.
- In the left pane, click Change settings.
For Macintosh Computer
- From the Apple menu, choose Software Update.
- Click the Check Now button.
- Software Update checks for available updates. In the Software Update window, select the items you wish to install, then click Install. It is recommended that all available updates be installed.
- Enter an administrator account name and password when prompted.
- After installation finishes, restart the computer if a restart is required.
Standard 3 – A centrally supported (VCU/VCUHS) Antivirus Client must be installed on all workstations.
VCU Network
If you do not have an antivirus package on your computer, call the Help Desk (828-2227) or visit the VCU Technology Services anti-virus software page to download and install it yourself. VCU Technology Services provides Sophos Anti-virus to all faculty, staff and students.
Hospital Network
All hospital workstations connected to the hospital network must have McAfee Antivirus installed.
Standard 4 – Spyware scanning and removal must be performed on a regular schedule.
Please visit the VCU Technology Services page for instructions on configuring virus and spyware scans.
Standard 5 – Confidential business, research, patient and personnel data must be protected by strong passwords and must be stored on VCU Technology Services or VCUHS supported servers.
All confidential and sensitive business data must be stored on a VCU- or VCUHS-supported server. To request storage space on a central server, please submit a request to SOMTech.
A strong password is the key to safeguarding confidential information, both yours and others’. Read VCU’s Standards for Strong Passwords for tips on how to create strong passwords and protect your information.
Standard 6 – Users must not share files using peer-to-peer networks.
Peer-to-peer (P2P) programs such as Kazaa, WinMX, Morpheus and Skype are not supported by SOMTech. P2P file sharing programs are prime targets for malicious hacker attacks and must be avoided to protect our network.
SOMTech will help departments replace P2P printer sharing with network-based IP printing. Research labs that are currently using Microsoft P2P file sharing are encouraged to move their data to more secure storage available on servers managed centrally by the university computing center.
To request storage space on the Novell or Windows server, please contact SOMTech.
Standard 7 – These standards should be implemented before deploying new workstations.
Please submit an online service request or call 828-2227 for help with setting up your new computer. This step ensures that you will be compliant with computer security standards.
- Security Standards Checklist
The following table denotes the security standards all faculty and staff of the VCU School of Medicine must abide by. These standards are based on the VCU Information Security Standards. All VCU IT systems that either contain or have access to sensitive business-related data are required to comply with these policies.
Workstation Requirements
- Complex Passwords (8 characters, Upper/Lower, Numerical or Special character)
- VCU or VCUHS approved antivirus system
- Automatic lock of workstation after 10 minutes of inactivity.
- Disable unneeded accounts
- Maintain current patch level for all applications
- The remember passwords feature in applications (e.g. web browsers) must not be used under any circumstances
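As an added example that is not part of the School's page, the following PowerShell script reads the Windows settings behind the Standard 1 and Standard 2 steps above and the 10-minute lock item in this checklist, so a support technician can verify a workstation without clicking through each dialog. The registry paths are the standard Windows Update and screen-saver locations; the 600-second threshold is the checklist's 10 minutes, and the "supported OS" judgement is left to the reader because the vendor support list changes over time.

```powershell
# Added compliance check (example code, not SOMTech's own tooling).
# Run in a Windows PowerShell prompt on the workstation being checked.

function Get-RegValue($Path, $Name) {
    # Returns $null instead of throwing when the key or value is missing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# Standard 1: report the OS version, the same information the winver dialog shows.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$osInfo = "$($os.Caption) (version $($os.Version))"

# Standard 2: Automatic Updates. AUOptions 4 = automatic download and scheduled install,
# ScheduledInstallDay 0 = every day. A Group Policy setting, if present, overrides the local one.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$local  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
$auPath = if (Test-Path $policy) { $policy } else { $local }
$auOptions = Get-RegValue $auPath 'AUOptions'
$auDay     = Get-RegValue $auPath 'ScheduledInstallDay'
$auTime    = Get-RegValue $auPath 'ScheduledInstallTime'
$auPass = ($auOptions -eq 4) -and ($auDay -eq 0)

# Checklist item: automatic workstation lock after 10 minutes of inactivity, checked here as a
# password-protected screen saver with a timeout of at most 600 seconds for the current user.
$desk = 'HKCU:\Control Panel\Desktop'
$ssActive  = Get-RegValue $desk 'ScreenSaveActive'
$ssSecure  = Get-RegValue $desk 'ScreenSaverIsSecure'
$ssTimeout = [int](Get-RegValue $desk 'ScreenSaveTimeOut')   # missing value becomes 0 (fails)
$lockPass = ($ssActive -eq '1') -and ($ssSecure -eq '1') -and ($ssTimeout -gt 0) -and ($ssTimeout -le 600)

[pscustomobject]@{ Check = 'Standard 1: OS version';        Value = $osInfo; Pass = 'compare with vendor support list' },
[pscustomobject]@{ Check = 'Standard 2: Automatic Updates'; Value = "AUOptions=$auOptions Day=$auDay Hour=$auTime"; Pass = $auPass },
[pscustomobject]@{ Check = 'Checklist: 10-minute lock';     Value = "Active=$ssActive Secure=$ssSecure Timeout=${ssTimeout}s"; Pass = $lockPass } |
    Format-Table -AutoSize
```

A domain Group Policy that enforces these settings will show up under the Policies key, so a Pass there reflects the policy rather than what a user chose locally.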
Physical Security Requirements
- Office doors and computers must be locked when a user steps away from the desk
- Passwords must not be written and stored in areas without physical protection. (e.g. sticky notes on monitor or keyboard)
- Documents containing sensitive information must be stored in a physically secure location (behind locked door and locked drawer)
Data Protection
- All business data must be stored on the network servers unless local storage is authorized by Information Security and the data are encrypted
- Forwarding of emails containing sensitive information to external accounts must be approved by VCU Information Security
- Authorized local storage of sensitive data must be encrypted.
- Transfer of files containing sensitive data must have point-to-point encryption enabled
Remote Access
- Remote access to business IT systems must be encrypted
- All remote access into the VCU Network must use VCU or VCUHS approved tools (WebVPN, F5, Cisco VPN), exceptions must be approved by VCU or VCUHS Information Security
- Business requirements for remote access must be documented
Communication Security
- Passwords must not be electronically stored, sent or received in clear text
- Point-to-point encryption is required when sensitive data is accessed
Data Breach Notification
- Lost or stolen computers and electronic storage media must be reported to the VCU ISO within 24 hours
- Unauthorized access of sensitive information must be reported to the SOM Information Security or SOMTech within 24 hours.
