UCSF Minimum Security Standards for Electronic Information Resources
Effective Date: December 2007, Updated December 2017
UCSF Policy 650-16, Addendum B, defines a requirement for Minimum Security Standards for Electronic Information Resources (EIR). This living document defines the UCSF Minimum Security Standards with which all campus EIRs must comply.
Overview and Scope
These standards apply to all departments within UCSF and the UCSF Medical Center.
Non-UCSF devices, including personal computing devices, are expected to meet these standards when used to connect to the UCSF network. For example, a personal computer that accesses the UCSF network through a VPN connection would be expected to meet these standards. Additionally, non-UCSF devices are expected to meet these standards when used to conduct UCSF business, including storing or processing UCSF information.
The minimum standards in this document are reviewed, updated for applicability, and approved by the Information Security Committee (ISC) at least once a year or more often as determined by Security & Policy (S&P).
Restricted Information is defined in Appendix A of UCOP BFB IS-3: Information Security.
Individuals who believe that their devices or applications are unable to meet UCSF’s Minimum Security Standards must apply for a yearly exception by completing and digitally signing the online form linked below. Upon receiving the completed form with signatures from the individual's department leadership, IT Security will contact the requester for a consultation. After this consultation, the University's Information Security Officer will respond to the request.
Security Exception Request Form (DocuSign Form)
Exception Requests Covering Legacy Systems
If granted, an exception for an operating system that is no longer supported by the vendor is valid for 12 months from the date of approval. At each renewal you must document the steps you are taking to mitigate the risk to the system and to UCSF. Failure to renew an exception may result in disconnection from UCSF's network.
For systems that access or store ePHI, departments are advised to consider this exception documentation and the associated controls carefully in order to remain compliant with HIPAA § 164.308(a)(1)(ii)(B), which requires UCSF to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. Controls are countermeasures that help avoid or minimize security risks. These controls are generally implemented as technologies not directly associated with the system seeking an exception from UCSF's Minimum Security Standards.
Minimum Security Standards
Anti-virus software must be active, with current anti-virus signatures, on computing devices connected to the network, including laptop computers, desktop computers, and servers, except where there are significant compensating controls that would prevent virus infiltration.
IT currently has a contract with Symantec to provide anti-virus software, which is available through the UCSF IT Software Download page.
All email that contains electronic Protected Health Information (ePHI) or other Restricted Information must be encrypted if it is addressed outside the UCSF network environment. An existing service is available for sending encrypted email: Secure Email Procedure
Non-UCSF or 3rd party email services are not approved for use by faculty, staff, or students for conducting UCSF business.
Given the prevalence of restricted data in the UCSF environment, all endpoints (desktops, laptops, and mobile devices including smartphones and tablets) used for UCSF business must be encrypted. This applies to both UCSF-owned and non-UCSF-owned endpoints.
Servers that store or process restricted information must be encrypted or have compensating security controls, such as those found in UCSF data centers.
IT provides encryption software for laptops and desktops. How to Encrypt Your Computer
Mobile devices must be connected to the UCSF Exchange email server with ActiveSync, which enforces the required security settings. More information regarding connecting your smartphone can be found at http://it.ucsf.edu/services/email-mobile-access/tutorial/iphone-email-configuration.
Those who believe they need an exception to this device encryption standard due to a hardware or software incompatibility must submit a computer encryption waiver (http://it.ucsf.edu/how_do/request-device-encryption-waiver).
Store restricted information only when necessary.
Transmission of Restricted Information
Restricted Information that is transmitted over non-UCSF networks must be encrypted. Restricted Information includes, but is not limited to, ePHI and personal information such as Social Security numbers.
Transmit Restricted Information only when necessary.
Host-Based Firewall Software
Firewalls that run on desktops, laptops and servers are often referred to as host-based and/or personal firewalls. Host-based firewall software (if available for the platform) must be running and configured on networked computing devices, including laptop computers, desktop computers, and servers. While the use of departmental network firewalls is encouraged, they do not necessarily obviate the need for host-based firewalls.
IT currently has a contract with Symantec that provides a host-based firewall solution, which is available through the UCSF IT Software Download page.
Campus electronic communication systems or services must identify users and authorize access by means of passwords or other secure authentication processes. Shared-access systems must enforce the Unified UCSF Enterprise Password Standard whenever possible. Shared-access systems must, whenever possible and appropriate, require that users change any pre-assigned passwords immediately upon initial access to the account.
All default passwords for access to network-accessible devices must be modified. Passwords used by system administrators for their personal access to a service or device must not be the same as those used for privileged access to any service or device.
Privileged administrator accounts with access to sensitive Windows systems should use passphrases that are 15 or more characters in length and meet the Unified UCSF Enterprise Password Standard. Passphrases should be reset at least every 90 days.
All forms of authentication must use adequate encryption to protect against unauthorized access to login credentials, such as user accounts and passwords. Use of unencrypted authentication is prohibited.
Unauthorized physical access to an unattended device (including mobile devices) can result in harmful or fraudulent modification of data, fraudulent email use, or any number of other potentially dangerous situations. Whenever possible and appropriate, devices must be configured to "lock" and require a user to re-authenticate if left unattended for more than 20 minutes.
Computing devices that are left unattended must be located in locked areas or otherwise physically secured (e.g., with a cable lock).
Software Patch Updates
Networked computing devices must be kept updated with the most recent applicable security patches. Departments should document and implement a process to apply security patches in a timely fashion. Exceptions may be made for patches that compromise the usability of critical applications; these exceptions should be documented.
Unnecessary services pose a threat to the computing environment because they can potentially be exploited. Unnecessary services must not be running or configured on computing devices.
Application and Website Security
Application and web site owners are responsible for ensuring that their applications and sites are secure, and must conduct periodic vulnerability assessments of these applications and sites. More information regarding secure coding best practices and vulnerability scanning services can be found here.
System Management Agent
In order to ensure compliance with the UCSF Minimum Security Standards, identify computers connected to the UCSF network, and prevent unauthorized computers from connecting to the UCSF network, users must install system management software provided by IT. This applies to both UCSF-owned and non-UCSF-owned endpoints.
The system management software is available through the UCSF IT Software Download page.
System Inventory and Protection Level Classifications
Systems must be inventoried as configuration items in the enterprise configuration management database (CMDB); this includes, but is not limited to, servers, systems, endpoints, networking devices, and printers. This applies to all devices used for UCSF business. Any changes to a system throughout its lifecycle must be recorded in the enterprise CMDB.
Devices can be inventoried and/or their registration updated using the ServiceNow CMDB.
Additionally, systems must have their protection level classification set in the enterprise CMDB. UCOP protection level classifications are defined here.
Enterprise Vulnerability Management
Systems connected to the UCSF network are subject to routine vulnerability scanning by IT Security to identify vulnerabilities. System owners must ensure that their devices do not prevent the enterprise vulnerability management tool from scanning their systems.
All devices connected to the UCSF network must meet the remediation timelines associated with the vulnerability severity and protection level classification. The remediation timeline begins when a vulnerability is publicly announced. Major vulnerability exploits can lead to an adjustment of vulnerability remediation timelines and priorities. These out-of-band instances will be communicated by IT Security.