UPDDI IT Policies

All employees of the University of Pittsburgh Drug Discovery Institute (UPDDI), and anyone associated with UPDDI or who uses UPDDI IT resources, must adhere to the following policies.

UPDDI Security Requirement Overview

  • Users do not have admin rights on their computers.
  • Storage for files is central and user access is controlled.
  • IT policies are created and advertised. Security Awareness Training has to be done on a yearly basis.
  • Computer Information Security Plan has been developed.
  • Computers are centrally managed and monitored (patching, event monitoring, etc.).
  • Antivirus is centrally managed and monitored.
  • Backup processes are documented and tested (unless the NOC is doing it).
  • Files are scanned for personally identifiable information (PII) using Spirion.

CATEGORY:  SUPPORT SERVICES
SECTION:  Computing, Information and Data
SUBJECT:  Computer Access and Use
EFFECTIVE DATE:  March 2024 Revised

I. SCOPE

This policy establishes restrictions regarding the access and use of university-owned and maintained computers, computer systems, computer networks, electronic communication facilities and other related computing facilities used to store and process data, text and software used by the University.

II. POLICY

The UPDDI will refer to the University of Pittsburgh Policy A0 10 for Computer Access and Use and follow all policies therein.

CATEGORY: SUPPORT SERVICES
SECTION: Computing, Information, and Data
SUBJECT: Data Security Policy
EFFECTIVE DATE: March 2024 Revised

I. SCOPE

This policy is designed to protect data located on University of Pittsburgh Drug Discovery Institute (UPDDI) computers and computer systems from computer viruses and other malicious code, and to prevent computer loss or theft. This policy is also intended to prevent damage to applications, data, files, and hardware.

Data confidentiality is a critical component of security. A good understanding of data types, their risk levels, and the minimum security precautions for each is necessary to prevent unauthorized access. Refer to http://technology.pitt.edu/security/data-classification-matrix for an overview of University guidelines on data classification and security. Also refer to Pitt’s HIPAA policy document 09-02-06.

The policies listed below aim to provide as much data security as possible. There are many different avenues of attack; therefore, several different protections must be in place to help protect data.

This policy applies to all employees of UPDDI, as well as vendors, contractors, partners, students, collaborators, and any others doing business or research with UPDDI. Any other parties who use, work on, or provide services involving UPDDI computers and technology systems will also be subject to the provisions of this policy. Every user of UPDDI computer resources is expected to know and follow this policy.

II. DEFINITIONS

Servers are machines that are used to centrally store data or run applications. Users do not work directly on these machines. They are not intended to be moved and are protected behind locked doors.

Desktops are computers that are accessed by users on a daily basis. They are not intended to be moved and are located behind locked doors.

Laptops are computers that are operated by users on a daily basis. They are intended to be moved to different locations and may be exposed to situations where theft could occur.

Mobile devices are small and easily transportable. They are generally moved to different locations and may be exposed to high-theft situations. Examples of these devices include tablets and smart phones.

Malicious software is any type of computer code that infects a machine and performs a nefarious action. Computer viruses, worms, trojans, and ransomware are all examples of malicious software.

Anti-virus software is a program or set of programs installed on a server or workstation and used to detect, prevent, and remove malicious software. Anti-virus software is generally reactive, meaning a signature file must be developed for each new virus discovered, and these virus definition files must be loaded into the software before it can scan for the most recently released malicious code. Symantec Endpoint Protection is the University-approved anti-virus software. It’s available for download from the My.Pitt.edu portal.

Central management software is software that is used to inventory computer software and hardware. It also automates the update service for several applications, including Microsoft, Adobe, Java, and several others. Furthermore, it provides checks for potential security risks that may otherwise go unnoticed.

Regular computer accounts are user accounts that are restricted from performing computer administrative functions such as editing configurations, installing or uninstalling software and applications, and creating local accounts.

Local admin accounts are user accounts that have privileges to perform local admin functions on the specific computers where the account resides. Admin functions include, but are not limited to, creating and deleting accounts, modifying computer configurations, and installing or uninstalling software and applications.

III. POLICY

Servers

• All servers will be managed either by the UPDDI Technology Group or by CSSD, which will provide the following:
   o Central management of Microsoft updates.
   o Central management of overall system health, including hardware, software, events, and performance monitoring.
   o Central management of anti-virus software.
• All servers will have anti-virus software installed and configured so the virus definition files are automatically updated and remain current. The anti-virus software must be actively running on these devices.
• All files on the server will be scanned periodically for viruses, and findings will be reported to an internal server.
• All files on the server will be scanned periodically for personally identifiable information. All files found with personally identifiable information will be removed, unless the server has been designated to store such information.

Desktops

• All desktops will be managed by the UPDDI Technology Services Group, which will provide the following:
   o Central management of Microsoft updates.
   o Central management of primary software updates, including Adobe Reader, Adobe Flash Player, Chrome, Firefox, Java, and others as deemed necessary.
   o Central management of overall system health, including hardware, software, events, and performance monitoring.
   o Central management of antivirus and anti-malware software.
• All desktops connected to the network will have anti-virus and anti-malware software installed and configured so the definition files are automatically updated and remain current. These programs must be actively running on these devices.
• All files on the desktop will be scanned periodically for viruses, and findings will be reported to an internal server.
• Desktops that access confidential data will be encrypted.
• Standard user accounts will be required to limit exposure to and the installation of malicious software.
• All users will scan their computer using Spirion (formerly called Identity Finder) every six months. Any files found containing personally identifiable information will be redacted or deleted.

Laptops

• All laptops will be managed by the UPDDI Technology Services Group, which will provide the following:
   o Central management of Microsoft updates.
   o Central management of primary software updates, including Adobe Reader, Adobe Flash Player, Chrome, Firefox, Java, and others as deemed necessary.
   o Central management of overall system health, including hardware, software, events, and performance monitoring.
   o Central management of antivirus and anti-malware software.
• All laptop computers connected to the network will have anti-virus and anti-malware software installed and configured so the definition files are automatically updated and remain current. These programs must be actively running on these devices.
• All files on the laptop will be scanned periodically for viruses, and findings will be reported to an internal server.
• All laptops will be encrypted to protect data in case the laptop is stolen or lost.
• Standard user accounts will be required to limit exposure to and installation of malicious software.
• All users will scan their computer using Spirion (formerly called Identity Finder) every six months. Any files found containing personally identifiable information will be redacted or deleted.

Mobile Devices

• Mobile devices are currently not centrally managed by UPDDI. Confidential data should NEVER be stored on these devices. If such devices must be used, users must work with the UPDDI Technology Services Group, which will recommend the best hardware and the current protections available for the device.

All Devices

• Confidential data will NOT be stored on USB or external devices without encryption.
• If a device has become infected or compromised, it will be disconnected from the network until the infection has been removed. Data loss may occur depending on the severity.

Local Admin Accounts

• Users are not allowed to have local administrative privileges on their computers except in rare circumstances.
• Users who want an exception to this policy must complete the Administrative Rights training, pass a short test (passing grade of 80% or more), and fill out the Administrative Waiver form.

Exceptions to this policy may be granted if a user and/or installed software cannot operate under these policies. Each exception will be evaluated to determine the risks associated with omitting specific protections. Users who require exceptions will be required to undergo training to understand the risks and to develop habits and strategies to mitigate those risks. These users will also be required to sign an annual agreement.

This policy will not supersede any University of Pittsburgh policies but may introduce more stringent requirements.


CATEGORY:  SUPPORT SERVICES
SECTION:  Computing, Information and Data
SUBJECT:  Software Licensing Policy
EFFECTIVE DATE:  March 2024 Revised

I. SCOPE

This policy sets forth the framework to secure the software installed on all UPDDI computers and computer systems. Unpatched software security flaws leave computing systems vulnerable to nefarious attacks and increase the potential for data theft or loss.

Licensing is an important aspect of software security. Appropriate licensing must be observed to protect computers and avoid fines. Illegal or improperly licensed software cannot be updated. Unpatched security flaws increase the possibility of data theft or loss. Regular audits are performed to reconcile software purchases against installed software titles and versions. Improper licensing can lead to fines for the University and the user.

This policy applies to all employees of UPDDI. Every user of UPDDI computer resources is expected to recognize and respect this policy.

II. DEFINITIONS

Software licensing is the purchase of one or more licenses allowing for the permissible and legal use of a software title. Typically, a licensed software title is purchased on a per-user basis, but licenses can also be issued per computer, per department, per school, or across the University as a whole.

A University computer/computing device is one purchased with university funds (through a direct purchase requisition or a reimbursement of monies through a university account).

III. POLICY

License Purchases

All license purchases should be submitted/approved through the UPDDI IT group to ensure the correct number/type of licenses are ordered. For those products that require license renewals (usually annually), notifications are generally received by the software purchaser. Software renewals are to be reconciled with the user's School/Department.

License Usage

  • All University computers require the appropriate licensed software from Pitt Software Distribution Services (SDS) or from an approved software vendor via purchase requisition. All terms of the license agreement are to be enforced. Read the terms and conditions for departmental use of licensed university software.
  • Prompt payment of annually renewable SDS software license fees is expected and required. Expired software titles must be removed from the applicable workstation.
  • Illegally installed software discovered on a university-purchased computer will be removed immediately and the user will be required to purchase the appropriate license for installation.
  • Installation of Pitt student-licensed software onto ANY University-purchased device is forbidden! Student-licensed software is intended for individual student use on said individual’s personal device. Violation of the Software Compliance for Students policy can result in disciplinary action.

This policy will not supersede any University of Pittsburgh policies but may introduce stricter requirements.


CATEGORY:  SUPPORT SERVICES
SECTION:  Computing, Information and Data
SUBJECT:  Hardware Purchasing and Replacement
EFFECTIVE DATE:  March 2024 Revised

I. SCOPE

This policy is designed to provide the accepted procedures for computer hardware purchases and data transfers to a new computer.

This policy applies to all employees of UPDDI. Every user of the Institute's computer resources is expected to know and follow this policy.

II. DEFINITIONS

Hardware refers to any computer device, including, but not limited to, servers, desktops, laptops, monitors, printers and tablets.

III. POLICY

Hardware Purchases

All hardware purchases should be submitted through the UPDDI IT group to ensure that the computer configuration will meet the needs of the user. All computer purchases shall follow UPDDI IT and Pitt IT recommendations and guidelines.

Exceptions to this policy may be granted. Each exception will be evaluated on an individual basis.

Hardware Replacement

Hardware replacement will follow these guidelines:

  • Data stored on an old device will be copied to the new device.
  • A backup of the device data or the original hard drive will be stored by UPDDI IT group for two weeks. This will ensure that any missed data can be retrieved and copied to the new device.
  • Any request for a permanent static backup of the replaced unit’s hard drive (either partial or full image) will require the user to purchase an external drive that will be encrypted and to which the data will be copied.

Retired Hardware

Hardware marked for retirement will be sent to university surplus. Typically, retired hardware will have its data wiped from the hard drive and/or the hard drive removed and sent for physical destruction. Users who wish to take retired hardware for personal use will be required to complete a request form indicating all serial numbers/service tags of the requested equipment, and to acknowledge that the machine’s hard drive has been wiped and that the proper software licenses have been applied, transferred, or purchased.

This policy will not supersede any University of Pittsburgh policies but may introduce more stringent requirements.

Other Important Information

Administrative Rights Training

Fire safety is an important element of Information Security. Refer to the University of Pittsburgh fire safety policies.