UCSF Minimum Security Standards for Electronic Information Resources
Effective Date: December 2007, Updated November 2018
- Overview and Scope
- Exception from Minimum Security Standards
- Exception Requests Covering Legacy Systems
- Compatibility Exemptions
- Minimum Security Standards
- System Inventory And Protection Level Classification (PLC)
- Transmission of Restricted Information
- Physical Security
- System Management Agent
- Network Access Control (NAC)
- Host-Based Firewall
- Security Endpoint Detection and Response Agent (EDR)
- Device Encryption
- Encrypted Authentication
- Software Patch Updates
- Application and Website Security
- Enterprise Vulnerability Management
UCSF Policy 650-16, Addendum B, defines a requirement for Minimum Security Standards for Electronic Information Resources (EIR). This document is a living document that defines the UCSF Minimum Security Standards that all campus EIRs must comply with.
Overview and Scope
These standards apply to all departments within UCSF and the UCSF Medical Center.
Non-UCSF devices, including personal computing devices, are expected to meet these standards when used to connect to the UCSF network. For example, a personal computer that accesses the UCSF network through a VPN connection would be expected to meet these standards. Additionally, non-UCSF devices are expected to meet these standards when used to conduct UCSF business, including storing or processing UCSF information.
The minimum standards in this document are reviewed, updated for applicability, and approved by the Information Security Committee (ISC) at least once a year or more often as determined by Security & Policy (S&P).
UCOP protection level classifications (PLC) are defined here.
Exception from Minimum Security Standards
Individuals who believe that their devices or applications are unable to meet UCSF's Minimum Security Standards must apply for a yearly exception by completing and digitally signing the online form linked below. Upon receiving the completed form with signatures from the individual's department leadership, IT Security will contact the requester for a consultation. After this consultation the University's Information Security Officer will respond to the request.
Exception Requests Covering Legacy Systems
If granted, exception requests for an operating system that is no longer supported by the vendor will be for 12 months from the date of approval. At each renewal you must document the steps you are taking to mitigate the risk to the system and to UCSF. Failure to renew an exception may result in disconnection from UCSF's network.
For systems that access or store ePHI, departments are advised to consider this exception documentation and the associated controls carefully in order to remain compliant with HIPAA § 164.308(a)(1)(ii)(B), which requires UCSF to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. Controls are countermeasures that help avoid or minimize security risks. These controls are generally implemented as technologies not directly associated with the system seeking exception from UCSF's Minimum Security Standards.
Compatibility Exemptions
Systems incompatible with or unsupported by the UCSF-specific tools will be exempted from the corresponding requirement(s) of the Minimum Security Standards. Each Compatibility Exemption will be listed by security application and OS in the Security 2.0 FAQ.
Minimum Security Standards
System Inventory and Protection Level Classifications
Systems must be inventoried as a configuration item in the enterprise configuration management database (CMDB); this includes, but is not limited to, servers, systems, endpoints, networking devices, and printers. This applies to all devices used for UCSF business. Any changes to the system throughout its lifecycle must be recorded in the enterprise CMDB.
Devices meeting the System Management Agent standard are automatically inventoried. Devices that are incompatible with or not supported by the System Management Agent standard can be inventoried, and their registration updated, using the ServiceNow CMDB.
Additionally, systems must have their protection level classification set in the enterprise CMDB. UCOP protection level classifications are defined here.
Transmission of Restricted Information
Restricted and Sensitive Information (UCOP P4 and P3 data) that is transmitted over non-UCSF networks must be encrypted. Restricted Information includes, but is not limited to, ePHI and personal information such as Social Security numbers.
Transmit P4 and P3 data only when necessary.
All email that contains electronic Protected Health Information (ePHI) or other Restricted Information must be encrypted if it is addressed outside the UCSF network environment. An existing service is available to accommodate encrypted email: Secure Email Procedure
Non-UCSF or 3rd party email services are not approved for use by faculty, staff, or students for conducting UCSF business.
Physical Security
Unauthorized physical access to an unattended device (including mobile devices) can result in harmful or fraudulent modification of data, fraudulent email use, or any number of other potentially dangerous situations. Whenever possible and appropriate, devices must be configured to "lock" and require a user to re-authenticate if left unattended for more than 20 minutes.
Computing devices that are left unattended must be located in locked areas or otherwise physically secured (e.g., with a cable lock).
System Management Agent
In order to inventory computers and enable basic security compliance, users must install system management software provided by IT. This applies to both UCSF-owned and non-UCSF-owned endpoints.
The system management software uses BigFix and is available through the UCSF IT Software Download page.
Network Access Control (NAC)
In order to identify computers connected to the UCSF network, assess endpoint security compliance, and prevent unauthorized computers from connecting to the UCSF network, users must install the Network Access Control software provided by IT. This applies to both UCSF-owned and non-UCSF-owned endpoints.
The Network Access Control software, SecureConnector, is available through the UCSF IT Software Download page. (Note: Review Service Page details for additional requirements and supported platforms).
Anti-Virus Software
Anti-virus software must be active, with current anti-virus signatures, on computing devices connected to the network, including laptop computers, desktop computers, and servers, except where there are significant compensating controls that would prevent virus infiltration.
IT currently has a contract with Symantec to provide anti-virus software, which is available through the UCSF IT Software Download page.
Host-Based Firewall Software
Firewalls that run on desktops, laptops and servers are often referred to as host-based and/or personal firewalls. Host-based firewall software (if available for the platform) must be running and configured on networked computing devices, including laptop computers, desktop computers, and servers. While the use of departmental network firewalls is encouraged, they do not necessarily obviate the need for host-based firewalls.
IT currently has a contract with Symantec that provides a host-based firewall solution, which is available through the UCSF IT Software Download page.
Security Endpoint Detection and Response Agent (EDR)
In order to provide advanced protection monitoring and response capabilities, users must install the Security Endpoint Detection and Response agent provided by IT. This applies to both UCSF-owned and non-UCSF-owned endpoints.
The Security Endpoint Detection and Response agent is available through the UCSF IT Software Download page. (Note: Review Service Page details for additional requirements and supported platforms.)
Device Encryption
Given the prevalence of restricted data in the UCSF environment, all endpoints (desktops, laptops, and mobile devices including smartphones and tablets) used for UCSF business must be encrypted. This applies to both UCSF-owned and non-UCSF-owned endpoints.
Servers that store or process restricted information must be encrypted or have compensating security controls, such as those found in UCSF data centers.
IT provides encryption software for laptops and desktops; see How to Encrypt Your Computer.
Mobile devices must be connected to the UCSF Exchange email server with ActiveSync, which enforces the required security settings. More information regarding connecting your smartphone can be found at http://it.ucsf.edu/services/email-mobile-access/tutorial/iphone-email-configuration.
Those who believe they need an exception to this device encryption standard due to a hardware or software incompatibility must submit a computer encryption waiver (http://it.ucsf.edu/how_do/request-device-encryption-waiver).
Store restricted information only when necessary.
Encrypted Authentication
All forms of authentication must use adequate encryption to protect against unauthorized access to login credentials, such as user accounts and passwords. Use of unencrypted authentication is prohibited.
Campus electronic communication systems or services must identify users and authorize access by means of passwords or other secure authentication processes. Shared-access systems must enforce the Unified UCSF Enterprise Password Standard whenever possible. Shared-access systems must, whenever possible and appropriate, require that users change any pre-assigned passwords immediately upon initial access to the account.
All default passwords for access to network-accessible devices must be modified. Passwords used by system administrators for their personal access to a service or device must not be the same as those used for privileged access to any service or device.
Privileged administrator accounts with access to sensitive Windows systems should use passphrases that are 15 or more characters in length and meet the Unified UCSF Enterprise Password Standard. Passphrases should be reset at least every 90 days.
Software Patch Updates
Networked computing devices must be kept updated with the most recent applicable security patches. Departments should document and implement a process to apply security patches in a timely fashion. Exceptions may be made for patches that compromise the usability of critical applications; these exceptions should be documented.
Application and Website Security
Application and website owners are responsible for ensuring that their applications and sites are secure, and must conduct periodic vulnerability assessments of these applications and sites. More information regarding secure coding best practices and vulnerability scanning services can be found here.
Enterprise Vulnerability Management
Systems connected to the UCSF network are subject to routine vulnerability scanning by IT Security to identify vulnerabilities. System owners must ensure that their devices do not prevent the enterprise vulnerability management tool from scanning them.
All devices connected to the UCSF network must meet the remediation timelines associated with the vulnerability severity and protection level classification. The remediation timeline begins when a vulnerability is publicly announced. Major vulnerability exploits can lead to an adjustment of vulnerability remediation timelines and priorities. These out-of-band instances will be communicated by IT Security.
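As an added illustration (not part of the UCSF standard or its tooling), the following Python audit evaluates constructed CMDB-style device records against the device-level requirements above: the three required agents with recorded compatibility exemptions, device encryption (with the compensating-controls alternative for servers holding restricted data), the 20-minute idle lock, and the 15-character / 90-day privileged passphrase rule for sensitive Windows systems. The record schema, field names and sample devices are assumptions made for this example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set
# Constructed record modelled on the CMDB fields the standard mentions (illustrative, not UCSF's ServiceNow schema).
@dataclass
class Device:
    name: str
    kind: str                        # "endpoint" or "server"
    plc: str                         # UCOP protection level, "P1".."P4"
    os: str = "windows"
    agents: Set[str] = field(default_factory=set)      # installed: "bigfix", "nac", "edr"
    exemptions: Set[str] = field(default_factory=set)  # recorded compatibility exemptions
    encrypted: bool = False
    compensating_controls: bool = False  # e.g. housed in a UCSF data center
    lock_timeout_min: Optional[int] = None
    admin_passphrase_len: Optional[int] = None
    admin_passphrase_reset: Optional[date] = None

AGENT_LABELS = {"bigfix": "System Management Agent", "nac": "NAC agent", "edr": "EDR agent"}
AS_OF = date(2018, 11, 1)  # assumed audit date (the standard's last update month)

def audit(dev: Device, today: date) -> List[str]:
    findings: List[str] = []  # an empty list means the device is compliant
    # Agents are required on every device unless a compatibility exemption is recorded.
    for key, label in AGENT_LABELS.items():
        if key not in dev.agents and key not in dev.exemptions:
            findings.append(f"{label} not installed")
    # Device Encryption: every endpoint; a P4 (restricted) server may rely on compensating controls.
    if dev.kind == "endpoint" and not dev.encrypted:
        findings.append("endpoint not encrypted")
    elif dev.kind == "server" and dev.plc == "P4" and not (dev.encrypted or dev.compensating_controls):
        findings.append("P4 server lacks encryption or compensating controls")
    # Physical Security: re-authentication after at most 20 minutes unattended.
    if dev.lock_timeout_min is None or dev.lock_timeout_min > 20:
        findings.append("idle lock unset or longer than 20 minutes")
    # Encrypted Authentication: privileged passphrases on sensitive Windows systems.
    if dev.os == "windows" and dev.plc in ("P3", "P4"):
        if dev.admin_passphrase_len is not None and dev.admin_passphrase_len < 15:
            findings.append("privileged passphrase shorter than 15 characters")
        if dev.admin_passphrase_reset and (today - dev.admin_passphrase_reset).days > 90:
            findings.append("privileged passphrase not reset within 90 days")
    return findings

# Constructed sample inventory: one compliant laptop and one P4 server with two findings.
SAMPLE = [
    Device("lab-laptop-01", "endpoint", "P3", agents={"bigfix", "nac", "edr"},
           encrypted=True, lock_timeout_min=15),
    Device("ehr-db-02", "server", "P4", agents={"bigfix", "edr"}, exemptions={"nac"},
           compensating_controls=True, lock_timeout_min=10, admin_passphrase_len=12,
           admin_passphrase_reset=date(2018, 6, 1)),
]
```

Running `audit(d, AS_OF)` over each record in `SAMPLE` yields no findings for the laptop and the two passphrase findings for the server, which is the shape of report a department could attach to an exception request.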
The following checklist can be used to determine, and/or document, the compensating controls necessary to minimize information security risks as outlined in the above UCSF Minimum Security Standards.