Administration & Finance
Information Technology Services
Chief Information Officer / Nish Malik / (415) 338-1133 / firstname.lastname@example.org
Tuesday, September 4, 2018
Tuesday, July 14, 2020
Integrated CSU Administrative Manual 8000 Information Security
San Francisco State University Policies
The Workstation Management Policy defines the maintenance and configuration requirements for the management of university and auxiliary-owned workstations. Common and high-risk workstation standards must be followed. Campus IT support providers must be able to track information technology assets and remediate endpoint vulnerabilities to manage risk.
Workstations: Refers to desktop, laptop (notebook), and devices running supported workstation operating systems including secondary or virtualized supported workstation operating systems. Any university-owned workstation or any university approved cloud-hosted workstation is in scope for compliance with this directive even if no longer in use for its intended purpose.
Common Workstations: Refers to the configuration and state of workstations as described in ICSUAM 8050.S01.
High-Risk Workstations: A “High Risk” workstation is defined as any workstation that locally stores or processes “critical” data or systems. In addition, a “High Risk” workstation includes any workstation that accesses critical data or systems as defined, and whenever the access to critical data or systems includes the use of privileged account permissions. Workstations that do not directly access critical data or systems are not considered high-risk workstations.
Critical data or systems: “Critical data” includes protected level 1 information in such quantities as to require notification of a government entity in the event of a breach (e.g. over 500 records under HIPAA or CA 1798.29), or information classified as protected level 1 due to severe risk, regardless of the record count. Examples include: patient health information, student financial information, and payment information. See the Confidential Data Policy for more information. SF State’s Information Security Office is responsible for determining the classification of a workstation when questions arise.
Directly Access: Refers to accessing critical data or systems where no isolation layer is used, such as virtualization.
Protected Level 1 Information Due to Severe Risk: Information whose unauthorized use, access, disclosure, acquisition, modification, loss, or deletion could result in severe damage to the CSU, its students, employees, or customers. Severe risk includes but is not limited to: financial loss, damage to the CSU’s reputation, and legal action.
The Workstation Management Policy covers all University-owned workstations used to access or store SF State data including Mac and Windows-based desktops and laptops. Workstation management may be conducted manually or using an automated tool according to timelines and criticalities established in workstation security guidelines. The following guidelines must be followed for workstation management:
• Enable data gathering for hardware, operating system, applications and configuration running on workstations
• Follow active directory and DNS naming conventions to associate devices with user, location, and support area
• Track all devices storing confidential level 1 data
• Deploy operating system and application updates and patches to remediate vulnerabilities
Operating System Deployment
• Deploy operating systems that adhere to common or high-risk workstation standards
• Install, un-install and configure applications
• All non-public workstations must be encrypted
o Computer lab workstations may be reviewed on a case-by-case based on usage
• Minimum configuration settings must be included in all deployments
Workstation Management Tool Administration
• Workstation management tools must use the approved campus Active Directory service for authentication and authorization
• Hosting for tools used for the management of high-risk workstations must meet the requirements of a high-risk workstation
Decommissioning and Disposal
• Workstations no longer in use and ready for removal from the campus environment must follow secure e-waste and property control procedures
Responsibility for implementing this policy will rest with Information Technology (IT) units across campus. Submit any apparent violation to the appropriate administrative authority (vice president, dean, director, department, or program chair) or to email@example.com. Any exceptions to this policy must be documented using a risk assessment and approved by a Vice President, the Chief Information Officer and Information Security Officer.
Noncompliance with applicable policies and/or practices may result in suspension of network and systems access privileges. In addition, disciplinary action may be applicable under other University policies, guidelines, implementing procedures, or collective bargaining agreements.
Endpoint, workstation, manage, configuration, deployment, update, patch, maintain