Workstation Management

Division: 

Administration & Finance

Department: 

Information Technology Services

Contact Information: 

Chief Information Officer / Nish Malik / (415) 338-1133 / nish@sfsu.edu

Effective Date:

Tuesday, November 2, 2021

Revised Date: 

Wednesday, December 8, 2021

Authority: 

Integrated CSU Administrative Manual 8000 Information Security

ICSUAM 8045.S400 - Mobile Device Management Standard

ICSUAM 8050 - Configuration Management

ICSUAM 8050.S0100 - Configuration Management -Common Workstation Standard

ICSUAM 8050.S0200 - High-Risk/Critical Workstation Standard

ICSUAM 8060 - Access Control

ICSUAM 8065 - Information Asset Management

ICSUAM 8075 - Information Security Incident Management

ICSUAM 8105 - Responsible Use Policy

San Francisco State University Policies

SF State Mobile Device Policy

SF State Password Policy

SF State Secure E-Waste and Paper Disposal

Objective: 

The Workstation Management Policy defines the maintenance and configuration requirements for the management of university and auxiliary-owned workstations. Common and high-risk workstation standards must be followed. Campus IT support providers must be able to track information technology assets and remediate endpoint vulnerabilities to manage risk.

Definitions:

Workstations: Refers to desktop, laptop (notebook), and devices running supported workstation operating systems including secondary or virtualized supported workstation operating systems. Any university-owned workstation or any university approved cloud-hosted workstation is in scope for compliance with this directive even if no longer in use for its intended purpose.

Common Workstations: Refers to the configuration and state of workstations as described in ICSUAM 8050.S01.

High-Risk Workstations A workstation is high risk when it enables the authentication of accounts with permissions for manipulating Level 1 data or modifying critical infrastructure. A workstation is also high risk when it locally stores, processes or accesses Critical Data or Severe Risk Level 1 Data (as defined below)

Critical Data: “Critical data” includes protected level 1 information in such quantities as to require notification of a government entity in the event of a breach (e.g. over 500 records under HIPAA or California Civil Code section et seq.,), or information classified as protected level 1 due to severe risk, regardless of the record count. Examples of critical data include patient health information, student financial information, and payment information. See the Confidential Data Policy for more information.  SF State’s Information Security Office is responsible for determining the classification of a workstation when questions arise.   

Severe Risk Level 1 Information: Information whose unauthorized use, access, disclosure, acquisition, modification, loss, or deletion could result in severe damage to the CSU, its students, employees, or customers. Severe risk includes but is not limited to:  financial loss, damage to the CSU’s reputation, and legal action.

Statement: 

The Workstation Management policy covers all University-owned workstations used to access or store SF State data. Workstation management should be implemented using an automated tool according to timelines and criticalities established in workstation security guidelines.   Specific criteria pertaining to common and high risk workstations must be referenced when assessing policy compliance.  Please see ICSUAM 8050.S100 and ICSUAM 8050.S200 for more details.

High Risk workstation management requires the use of a secure configuration standard checklist or may be conducted using a baseline analyzer tool process.  SF State maintains a centrally managed CIS security baseline analyzer tool service which meets the requirement of a secure configuration checklist.  This service is available for use by all of the distributed IT support teams.  Each distributed IT support team is responsible for documenting their internal process on how they implement this requirement which will include the maintenance of a High Risk Workstation inventory.

Implementation:

Responsibility for implementing this policy will rest with Information Technology (IT) units across campus. Submit any apparent violation to the appropriate administrative authority (vice president, dean, director, department, or program chair) or to service@sfsu.edu. Any exceptions to this policy must be documented using the information security risk acceptance process and approved at a minimum by the appropriate Dean or Vice President, and reviewed Information Security Officer.

Non-Compliance:

Noncompliance with applicable policies and/or practices may result in suspension of network and systems access privileges. In addition, disciplinary action may be applicable under other University policies, guidelines, implementing procedures, or collective bargaining agreements.

Searchable Words:

Endpoint, workstation, manage, configuration, deployment, update, patch, maintain