When AMAS performs computing-related audits in various areas of Syracuse University, the controls in place on desktop computers in those areas are reviewed. Desktop computers can be defined as personal workstations that contain University data, or workstations that are connected to the University's network and have access to University data. These can include PCs, Macs, UNIX machines, or other types of workstations.
Sound computing control and security practices at the desktop computer level help protect the confidentiality and integrity of Syracuse University's computer resources and data. The following are some guidelines and controls that can be used to help ensure that the data on desktop computers, and any data accessed on the University network through these computers, remains as secure as possible. They may also help protect you in the event that data is lost or compromised, because you can show that you were following good computing practices.
The amount of effort spent on securing and controlling a desktop computer should be weighed against the importance and confidentiality of the data accessible by the computer. If the computer is connected to the University's network, regardless of what is kept on that particular computer's hard drive, strong controls should be in place because that computer could be used to access any data kept on the network. Keep in mind that you are the first line of defense in protecting the University's computing resources and data.
- Passwords and Access Security. (Prevent others from using your computer or system login ID to access University data)
Each user should keep their passwords secret and not keep them written down in a place where others will find them, such as in a desk drawer or taped under the keyboard. Generic, shared, or department wide passwords should be forbidden. Passwords should be changed regularly, every 30 to 90 days. Only strong passwords that cannot easily be guessed should be used.
Users of computers should log off all systems when they will be away from their computers for any length of time. Also, locking screensavers that activate after a short period of inactivity should always be used. The connection of dial-up modems and wireless hardware to computers that are connected to the University's network should be prohibited without proper review and approval from ITS.
- Physical Security. (Protection from theft, damage, or physical access by others)
Workstations should be kept in areas that are locked when unattended. This would include individual offices and shared departmental offices. If the computers are kept in an unlockable open common area, they should be fastened down with a secure cable lock system. All hardware should be inventoried and tagged (uniquely identified), with the documentation kept in a secure location. The workstations should be located away from environmental hazards.
- Backup of Data and Files. (Protection from the loss of important data)
Ensure any important files and data are backed up. If the desktop workstation is connected to the University network, it may be possible to save the data on a network server. (Please check with your system administrator to find out if the server's backup frequency and offsite storage procedures are adequate for your needs.) If not, it is up to the individual user of the workstation to ensure adequate backups are performed.
Backup copies of data should be available in case the current data on a workstation is lost. The data should be backed up at a frequency that the users of the data are comfortable with. An application with low activity and paper documents recording transactions may only need to be backed up occasionally, perhaps semi-monthly. An application with a high volume of transactions and little paper documentation may need to be backed up daily. The frequency of the backup should depend on how much effort the user would need, or would want, to put into manual recovery of lost transactions. The procedures for generating the backup should be written down, and logs should be kept of the dates on which backups are made.
Once the frequency of the backup is determined, consideration should be given to storing some of these backups at an offsite location rather than in the same location as the workstation. There are different schemes used for rotating backup data offsite. It is best to have, at a minimum, the most current copy of the data stored offsite. Where this is impracticable, consideration should be given to having the most current copy sent offsite at least weekly or monthly.
Ideally, the backup data that is rotated offsite should be stored in a location that is physically secure, yet accessible during an emergency. One of the best locations is with a third party that provides this service as its primary business. There are a few companies that provide this service in the Syracuse area; however, they can be quite expensive. ITS also offers this service using the tape vault located at Skytop. You can contact them for the specifics. Another method is storing your backups in another building on campus, perhaps under a reciprocal agreement with another department or school. A locking fireproof file cabinet, where you have control over the keys, is best. Keeping backups at an employee's home should be considered unacceptable. The employee could sever ties with the University and not return the data files. There is also no assurance of who has access to the data when it is stored in someone's home.
Lastly, make sure you test the backups to ensure you can recover data from them.
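As an added illustration of the backup practice described above (a written procedure, a log of backup dates, and a restore test), the following Python script is not part of the AMAS document or of any University tool. It archives a directory into a dated .tar.gz, appends the date and archive checksum to a log, and then tests the backup by restoring it to a scratch location and comparing every file's SHA-256 hash against the source. The directory names, log format and sample files are constructed for the example.

```python
import hashlib
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def _file_hashes(root: Path) -> dict:
    """Map each file under root (by relative path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def make_backup(src_dir: Path, backup_dir: Path, log_path: Path) -> Path:
    """Write src_dir to a dated .tar.gz in backup_dir and append a log line.

    The log records when the backup was made and the archive's checksum, so a
    later restore test can also confirm the archive itself was not altered.
    """
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    archive = backup_dir / f"{src_dir.name}-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src_dir, arcname=src_dir.name)  # recursive by default
    digest = hashlib.sha256(archive.read_bytes()).hexdigest()
    with log_path.open("a", encoding="utf-8") as log:
        log.write(f"{stamp} {archive.name} sha256={digest}\n")
    return archive


def verify_backup(archive: Path, src_dir: Path) -> bool:
    """Restore the archive to a scratch directory and compare it to src_dir.

    Returns True only if every restored file matches the source byte for byte.
    """
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                # The "data" filter refuses entries that would escape the
                # destination directory; older Python versions lack it.
                tar.extractall(scratch, filter="data")
            except TypeError:
                tar.extractall(scratch)
        restored = Path(scratch) / src_dir.name
        return _file_hashes(restored) == _file_hashes(src_dir)


def demo() -> tuple:
    """Run the procedure on constructed sample files (not real University data).

    Returns (verified right after backup, verified after a source change,
    number of log lines written).
    """
    with tempfile.TemporaryDirectory() as work:
        root = Path(work)
        src = root / "dept-records"  # constructed sample directory
        (src / "ledger").mkdir(parents=True)
        (src / "ledger" / "2024-q1.csv").write_text("id,amount\n1,100\n")
        (src / "notes.txt").write_text("backup demo file\n")
        log = root / "backup.log"

        archive = make_backup(src, root / "backups", log)
        ok_fresh = verify_backup(archive, src)

        # Change the source after the backup: the restore test must now fail,
        # which is what flags a stale or incomplete backup during a drill.
        (src / "notes.txt").write_text("edited after backup\n")
        ok_after_change = verify_backup(archive, src)

        log_lines = len(log.read_text(encoding="utf-8").splitlines())
        return ok_fresh, ok_after_change, log_lines


if __name__ == "__main__":
    print(demo())  # (True, False, 1)
```

The restore test is the part most often skipped in practice: an archive that exists and has a plausible size proves nothing until it has been unpacked and compared against what it was supposed to protect. Running `verify_backup` on a schedule, and keeping its results alongside the backup log, gives the written evidence of good practice the guidelines refer to.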
- Backup of the Operating System and Application Programs. (Protection from downtime)
There should be backup copies available for any programs or business-related computer applications used on the desktop, as well as for the operating system. Check with your DSP or ITS to determine if this is already being done for you. If you have installed some programs on your own, it may be up to you to do this. Make sure you keep all your original software CDs and floppy disks for this purpose. They should be stored in a secure offsite location. You may also want to check whether you can receive additional copies of the software from the software vendor during an emergency. It is important to make sure your backup copies are the same version of the software that you currently use.
- Software Licenses. (Protection from legal issues)
All software used on University workstations must have valid and up-to-date software license agreements. ITS provides many University-wide software licenses. You should contact your DSP or review ITS's website for additional information at: http://its.syr.edu/purchases/software/licensing.cfm
The Syracuse University Computing and Electronic communications policy states:
"In general, you may not copy, download, install or use software on the Computer System without acquiring a license from the publisher. (For example, you may not copy it from a friend or other source.) Furthermore, you may not copy the University's software, unless such copying is specifically permitted by the license agreement.
The ability to download documents from the Internet, and to attach files to E-mail messages, increases the opportunity for and risk of copyright infringement. A user can be liable for the unauthorized copying and distribution of copyrighted material through the use of download programs and E-mail. Accordingly, you may not copy and/or distribute any materials of a third party (including software, database files, documentation, articles, graphics files, audio or video files) unless you have the written permission of the copyright holder to do so. Any questions regarding copying or downloading should be directed to ITS."
- Confidential Information. (Protect sensitive data)
Any confidential or sensitive information stored on a workstation, such as payroll data, Social Security Numbers, SU IDs, credit card numbers, HIPAA-protected information, SEVIS-related data, or passwords, should be stored in a secure manner. This would include security measures such as encrypting the data and keeping the workstation behind a firewall. Encryption scrambles the data so that if someone broke into the computer and looked at the information, they could not make sense of it. A firewall helps protect the workstation from attackers on the Internet reaching the data. Many computers at Syracuse University are already protected by a firewall. This firewall, however, is only set up to protect specific parts of the University's network. Where computers are not protected by this firewall, a host-based firewall can be installed on the individual workstation. If you store confidential or sensitive information on your workstation, please contact your DSP, ITS or AMAS to make sure your data is being stored as securely as possible.
- Virus and Spyware Protection. (Protect data integrity)
Anti-virus software should be installed on all University computers. This software detects and eliminates viruses that can reach the computer through Internet downloads, file sharing, or email. The anti-virus software should be updated frequently, such as once or twice a week. The software should be running on the computers at all times and should also be used to scan all of the computers' files on a regular basis. The University provides virus protection software for all users. Contact your DSP or ITS if you are unsure whether it is installed on your computer.
Another type of threat from the Internet is referred to as spyware. This type of software enters a computer when visiting websites or through email. It can record and transmit information about web browsing habits, and other types of information, from one computer to another across the Internet without the computer's user knowing about it. There are programs available, similar to virus protection programs, that can detect and remove spyware from computers. You can contact your DSP or ITS for more information if this is a concern to you.
If you have comments about any of the items contained in this document, or have a suggestion for something else that should be included, please feel free to send them to AMAS at amas@listserv.syr.edu
