Oregon State University

203: Information Systems – Baseline Standards of Care

Information Security Policies & Procedures Manual
Section 200: Information Systems Security
Effective: 01/11/2010
Revised: 02/20/2014

Purpose

The purpose of this policy is to define the baseline standards of care based on the designated classification of Information Systems. 

Standards of Care

The following standards apply to people and machines that have access to and/or process information according to its classification as Protected, Sensitive, or Unrestricted. The Records Custodian may require specific additional handling requirements above the baseline to ensure compliance with law, policy, or contractual obligation. These baseline standards are set as a minimum; adoption of stricter security practices is encouraged where practicable.


203-01 Baseline Standards for Protected Information

All computer systems (workstations and servers) which store or process Protected Information shall have access restricted to authorized personnel only; fully patched operating systems and applications; current anti-virus software with current virus definitions; and, if attached to the network, placement in a secured zone protected by appropriate firewall rules. Workstations used by authorized personnel with direct write access to Protected Information will also be configured to automatically apply patches and current anti-virus definitions, and will not be accessed via a local system administrator or domain administrator account on the local machine for day-to-day activities.

All personnel granted direct access to Protected Information should be instructed on the proper use and handling of this information and are subject to OSU Policies regarding security sensitive personnel. Under no circumstances should Protected Information be disclosed to anyone outside OSU without authorization from the appropriate supervisory personnel.


203-02 Baseline Standards for Sensitive Information

All computer systems which store or process Sensitive Information should have access restricted to authorized personnel affiliated with OSU, and shall have fully patched operating systems and applications, and current anti-virus software with current virus definitions. Any such computer system is also subject to Network Services’ network security policy.

Personnel granted access to Sensitive Information should not disclose this information to parties outside of OSU without authorization by appropriate supervisory personnel.


203-03 Baseline Standards for Unrestricted Information

All computer systems which store or process Unrestricted Information will have write access restricted to authorized personnel only, to ensure that the information presented is not edited without appropriate authorization. Any such computer system is also subject to Network Services’ network security policy and should have fully patched operating systems and applications, and current anti-virus software with current virus definitions.


203-04 Mobile Computing

All mobile computer systems or portable storage media that store Protected Information shall, in addition to the baseline requirements prescribed in 203-01, be encrypted with at least the 256-bit encryption common in operating systems and encoding devices sold in the United States. Those that cannot meet this requirement due to the proprietary nature of how they are created, such as back-up tapes, must be stored in a physically secure area and shall only be transported in a manner commensurate with OSU ISM 601-03.

As noted in the Personal Information Privacy Policy (OSU ISM 301), certain highly sensitive data elements are strictly prohibited from portable media. 

Contact Info

Site Maintained by: Office of Human Resources
Oregon State University, Corvallis, OR 97331
Copyright © 2009 Oregon State University | Disclaimer