IT Security Standards and Guidelines
Security Standards
Banner/System Notice Standards
All application systems should provide explicit notice to all users at the time of initial login and regularly thereafter that the system is a private system, it may be used only by authorized parties, and that, by successful login, the user is acknowledging their responsibility and accountability for their activities on the system.
Remote Access Standards
These standards apply to Emory employees, contractors, vendors and agents who use an Emory-owned or personally owned computer/workstation to connect to the Emory network, and to any remote access connection used to perform work on behalf of Emory. Employees should connect through the Emory VPN so that communications are protected from inappropriate access. If Emory employees, contractors, vendors or agents work with sensitive data from home on a personally owned computer, they must:
- Keep the operating system patched with the latest updates and security patches.
- Install and use anti-virus software, configured to retrieve updates automatically, to scan the system automatically on a periodic schedule, and to scan all e-mail messages for viruses.
- Where the home computer has high-speed (broadband) and/or wireless Internet access, install and maintain personal firewall software on it.
Server Security & Configuration Standards
Review the operating system configuration to ensure that only needed services run and that security settings are maintained.
- Install the most recent security patches as soon as practical.
- Disable services and applications that are not used, where practical.
- Log access to services and, where possible, restrict it (for example, by firewalling a service to the hosts or networks that need it).
- Examine trust relationships between systems closely so that the compromise of one system does not expose the others.
- Apply the principle of least privilege: grant only the access required to perform a function.
- Do not use root (or other administrative) access unless it is absolutely necessary.
- Locate servers in a physically secured or access-controlled environment.
- Do not place servers in uncontrolled areas, such as a cubicle area or an area with general public access.
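One way to check the "disable unused services" and "restrict access to services" items above is to audit what a server is actually listening on against an allowlist for its role. The following is an added example written for this page, not Emory's own tooling: it parses the text of `ss -tlnp` (Linux) and reports listeners that are not on the allowlist, that are the wrong process for a port, or that are bound beyond loopback when the role says they should be local only. The sample `ss` output and the allowlist are constructed for illustration.

```python
"""Audit the listening TCP services on a Linux server against an allowlist.

Works on the text of `ss -tlnp`, so the same check can run offline over output
collected from many hosts (or be fed the output of subprocess.run(["ss", "-tlnp"])).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of `ss -tlnp` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
LISTEN 0      511    127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=1044,fd=21))
LISTEN 0      4096   0.0.0.0:111         0.0.0.0:*         users:(("rpcbind",pid=601,fd=4))
LISTEN 0      50     0.0.0.0:5900        0.0.0.0:*         users:(("x11vnc",pid=2207,fd=5))
LISTEN 0      511    0.0.0.0:8080        0.0.0.0:*         users:(("python3",pid=3310,fd=3))
"""

# Hypothetical allowlist for one server role: port -> (expected process, bind scope).
# Scope "local" means the service may only listen on a loopback address; any port
# not listed here belongs to a service that should have been disabled.
ALLOWLIST = {
    22: ("sshd", "any"),
    3306: ("mysqld", "local"),
    8080: ("python3", "local"),
}


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    process: str


def parse_ss(output: str) -> list[Listener]:
    """Extract (address, port, process) from each LISTEN line of `ss -tlnp`."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                                   # header or non-listening socket
        addr, _, port = fields[3].rpartition(":")      # handles "[::]:22" and "0.0.0.0:22"
        m = re.search(r'\(\("([^"]+)"', line)          # users:(("sshd",pid=...)) -> sshd
        listeners.append(Listener(addr.strip("[]"), int(port), m.group(1) if m else "?"))
    return listeners


def is_loopback(addr: str) -> bool:
    return addr.startswith("127.") or addr == "::1"


def audit(listeners: list[Listener], allowlist: dict) -> list[tuple[str, int, str]]:
    """Return (finding, port, process) for each listener that violates the allowlist."""
    findings = []
    for lst in listeners:
        expected = allowlist.get(lst.port)
        if expected is None:
            findings.append(("not-allowlisted", lst.port, lst.process))
            continue
        proc, scope = expected
        if lst.process != proc:
            findings.append(("unexpected-process", lst.port, lst.process))
        if scope == "local" and not is_loopback(lst.addr):
            findings.append(("exposed-beyond-loopback", lst.port, lst.process))
    return findings


if __name__ == "__main__":
    for finding, port, proc in audit(parse_ss(SAMPLE_SS_OUTPUT), ALLOWLIST):
        print(f"{finding:24} port {port:<5} ({proc})")
```

On the constructed sample this flags rpcbind (111) and x11vnc (5900) as services that are not part of the role and should be disabled, and the python3 service on 8080 as exposed on all interfaces when it was meant to be reachable only locally. Run the real check with the output of `ss -tlnp` collected from each host, and keep the allowlist per server role under change control so that a new listener is a reviewed decision rather than an accident.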
Standards for Social Security Number Use
The use of Social Security Numbers as common identifiers should be discontinued except where required. This protects the privacy of individuals associated with Emory, helps secure Emory's information databases responsibly, and helps keep Emory in compliance with Georgia identity theft laws. An individual's Emory ID# should be used instead of their SSN; SSNs and other tax identifying numbers are not intended for identification purposes.
- Systems purchased or developed should not use Social Security numbers as identifiers unless required by law or business necessity.
- The General Counsel's office will review and approve exceptions to this standard, including those systems stating a "business need" for using the individuals' Social Security number.
- Each member of the community will be assigned a unique identification number that is not the same as, or derived from, the individual's Social Security number.
- Systems purchased or developed may use Social Security numbers as data elements only, not as keys to databases.
- Systems purchased or developed by Emory may not display Social Security numbers visually, whether on computer monitors, on printed forms, or on other system output, unless required by law or business necessity.
- Name and directory systems will be tied to individuals' unique identification numbers, not Social Security Numbers.
- When a database must hold Social Security numbers, it may cross-reference between the Social Security number and the other information automatically, through conversion tables within the system or other technical mechanisms.
- No new system or technology will be developed or purchased by Emory unless it is compatible with these regulations.
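The items above describe a data-architecture pattern: the assigned Emory ID is the key, the SSN is a data element in one restricted place, directory data never references the SSN, and a conversion lookup exists only for input that arrives keyed by SSN. The following is an added example written for this page, not an Emory system or schema; it uses SQLite for portability, and the table names, Emory IDs and SSN value are constructed for illustration.

```python
"""Keying records by an assigned Emory ID, with the SSN held as a data element in
one restricted table and cross-referenced only where a record arrives keyed by SSN."""
import sqlite3

SCHEMA = """
-- The assigned identifier is the key; nothing about it is derived from the SSN.
CREATE TABLE person (
    emory_id TEXT PRIMARY KEY,
    name     TEXT NOT NULL
);
-- Name and directory data hang off emory_id, never off the SSN.
CREATE TABLE directory (
    emory_id TEXT PRIMARY KEY REFERENCES person(emory_id),
    email    TEXT NOT NULL
);
-- The SSN is a data element in one restricted table. UNIQUE allows the conversion
-- lookup below; the key that everything else joins on stays emory_id.
CREATE TABLE tax_identifier (
    emory_id TEXT PRIMARY KEY REFERENCES person(emory_id),
    ssn      TEXT NOT NULL UNIQUE CHECK (length(ssn) = 9 AND ssn NOT GLOB '*[^0-9]*')
);
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def add_person(conn, emory_id: str, name: str, email: str) -> None:
    with conn:
        conn.execute("INSERT INTO person VALUES (?, ?)", (emory_id, name))
        conn.execute("INSERT INTO directory VALUES (?, ?)", (emory_id, email))


def store_ssn(conn, emory_id: str, ssn: str) -> bool:
    """Only the processes with a reviewed business need call this. Returns False
    (and stores nothing) for a malformed, duplicate, or unknown-person SSN."""
    try:
        with conn:
            conn.execute("INSERT INTO tax_identifier VALUES (?, ?)", (emory_id, ssn))
        return True
    except sqlite3.IntegrityError:
        return False


def emory_id_for_ssn(conn, ssn: str):
    """Conversion lookup for input keyed by SSN (e.g. a tax form): resolve it to
    the Emory ID once, then use only the Emory ID downstream."""
    row = conn.execute("SELECT emory_id FROM tax_identifier WHERE ssn = ?", (ssn,)).fetchone()
    return row[0] if row else None


def mask_ssn(ssn: str) -> str:
    """Display form for the rare screen or report that must reference the SSN."""
    return "***-**-" + ssn[-4:]


def directory_entry(conn, emory_id: str):
    """General-purpose screens read person/directory only; no SSN column exists there."""
    row = conn.execute(
        "SELECT p.emory_id, p.name, d.email FROM person p "
        "JOIN directory d USING (emory_id) WHERE p.emory_id = ?", (emory_id,)).fetchone()
    return dict(zip(("emory_id", "name", "email"), row)) if row else None


if __name__ == "__main__":
    db = open_db()
    # Constructed sample records; the SSN value is made up for illustration.
    add_person(db, "2000123", "A. Example", "aexample@example.edu")
    add_person(db, "2000124", "B. Example", "bexample@example.edu")
    print(store_ssn(db, "2000123", "987654321"))   # True
    print(store_ssn(db, "2000124", "98765"))        # False: fails the CHECK
    print(emory_id_for_ssn(db, "987654321"))        # 2000123
    print(directory_entry(db, "2000123"))           # no SSN in the result
    print(mask_ssn("987654321"))                    # ***-**-4321
```

In a production database the `tax_identifier` table would additionally sit under its own access grants (and ideally its own encryption key), so that the application accounts used by directory and name lookups cannot read it at all; the schema above only shows the keying and cross-reference structure the standard calls for.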
System Scanning Standards
Emory's systems are increasingly targeted by intruders and hackers. In an effort to protect our resources and further secure the environment, IT Security may conduct vulnerability/inventory scans within the Emory network for the following purposes:
- To inventory machine(s) being utilized on the Emory network and assess if any have been compromised.
- To assess machine(s) for security vulnerabilities.
- To determine vulnerabilities for machine(s) that are reported or believed to be compromised and/or attacking other machines either internally or externally.
- To verify that machine(s) that were previously compromised have been appropriately patched/fixed prior to being placed back on the Emory network.
Currently the security team uses the Nessus vulnerability scanner, but other vulnerability assessment tools may be used to ensure that Emory's systems and network are secure from inappropriate access and compromise.
System Timeout Standards
System and application timeouts are important to help ensure the safety of confidential, restricted, or regulated data contained at Emory. System timeout limits are as follows:
- For computers accessing applications and systems containing confidential, restricted, or otherwise regulated data, the timeout period should be set to no more than 5 minutes of inactivity.
- For computers located in public areas (kiosks, labs), the timeout for accessing confidential, restricted, or otherwise regulated data should be set to no more than 1 minute of inactivity.
Unattended Workstation Standards
Never leave your workstation unattended while it is unlocked. Computers are most vulnerable when the user is logged into the network and then walks away: anyone passing by can act under that user's identity, which can result in modification of data, fraudulent use of Emory resources, and similar harm.
- When leaving a workstation unattended, even if only for a few minutes, lock the screen so that a password is required to resume.
- Implement an automatic, password-protected screen saver that starts after a maximum of 5 minutes of inactivity.
- Terminate active sessions when finished, unless these sessions can be secured by an appropriate lock.
- Log off all systems and the network as sessions are finished.
- System administrators should configure systems to automatically log off, or to disable processing until the user re-authenticates, when PCs/terminals are left unattended in physically unsecured areas (enable screen savers with password protection).
- Move the workstation to a secure area if its primary function is to process data while unattended.
- Those responsible for applications containing sensitive data should configure the software and network sessions to time out after a reasonable period of inactivity.
Security Guidelines
Password Guidelines
The password policy can be found on Emory's policy site. For help on creating a password, visit our password page.
Physical & Environmental Security Guidelines
While good passwords and encryption are important to keeping your devices digitally secure, physical security of your systems and devices is also critically important. Examine the guidelines on our physical security page to find out more about physical and environmental security for your systems.
Recommended Security Practices and Requests
Peer-to-Peer Recommended Security Practice
The policy for Peer-to-Peer file sharing can be found on Emory's policy site.
Working From Home- Minimum Security Requirements
The minimum requirements for working from home are the Remote Access Standards above: they apply to Emory employees, contractors, vendors and agents who use an Emory-owned or personally owned computer/workstation to connect to the Emory network or to perform work on behalf of Emory, and require a VPN connection to the Emory network plus, for personally owned computers handling sensitive data, a patched operating system, automatically updating anti-virus software that scans the system and all e-mail, and a maintained personal firewall on any computer with high-speed and/or wireless Internet access.
Current Laws with IT Security Requirements
Family Educational Rights and Privacy Act (FERPA)
FERPA is the keystone federal privacy law for educational institutions and imposes confidentiality requirements around student education records, prohibiting institutions from disclosing personally identifiable information from those records, such as grades or financial aid information, without the student's written permission. FERPA also gives students the right to request and review their education records and to seek correction of those records. The law applies with equal force to electronic and hard-copy records.
For more information on FERPA, go to the U.S. Department Of Education Website.
Gramm-Leach-Bliley Act (GLBA)
The GLBA, enacted in 1999, applies to financial institutions; colleges and universities fall under it because they engage in financial activities such as making or servicing student loans. It requires that Emory protect customer financial information, including personal identifying information such as names, addresses, account and credit information, and Social Security numbers.
The Federal Trade Commission (FTC) regulations implementing the GLBA provide that colleges and universities that comply with the Family Educational Rights and Privacy Act (FERPA) are deemed in compliance with the GLBA privacy provisions. Compliance with the GLBA Safeguards Rule was required by May 23, 2003; it requires Emory to develop a comprehensive written information security program, assess the need for employee training, and include security obligations in its agreements with third parties that have access to financial records covered by the GLBA.
This act applies to Emory. Because Emory is required to comply with FERPA, it is deemed in compliance with the GLBA privacy rules; the Safeguards Rule's information security requirements still apply.
For additional information on the GLBA, see the Federal Trade Commission's site.
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
HIPAA was enacted to protect the rights of patients and participants in certain health plans. Among other requirements, HIPAA requires that health records be protected against unauthorized disclosure. This includes patient data held at universities and used in research studies.
For more information on HIPAA, go to the U.S. Department of Health & Human Services website.