UCSF 650-16 Addendum B - UCSF Minimum Security Standards for Electronic Information Resources
Impacted Services: IT Security Outreach and Training
Effective Date: December 2007, Updated December 2021
- Overview and Scope
- Exception from Minimum Security Standards
- Exception Requests Covering Legacy Systems
- Compatibility Exemptions
- Minimum Security Standards
- System Inventory and Protection Level Classification (PLC)
- Transmission of Restricted Information
- Physical Security
- System Management Agent
- Network Access Control (NAC)
- Host-Based Firewall
- Security Endpoint Detection and Response Agent (EDR)
- Device Encryption
- Software Patch Updates
- Application and Website Security
- Enterprise Vulnerability Management
UCSF Policy 650-16, Addendum B, defines a requirement for Minimum Security Standards for IT Resources. This document is a living document that defines the UCSF Minimum Security Standards that all campus IT Resources must comply with.
Overview and Scope
These standards apply to all units within UCSF, including UCSF Health.
Non-UCSF devices, including personal computing devices, are expected to meet these standards when used to connect to the UCSF network. For example, a personal computer that accesses the UCSF network through a VPN connection would be expected to meet these standards. Additionally, non-UCSF devices are expected to meet these standards when used to conduct UCSF business, including storing or processing UCSF information.
The minimum standards in this document are reviewed, updated for applicability, and approved by the Committee on IT Security at least once a year or more often as determined by the UCSF Chief Information Security Officer.
Exception from Minimum Security Standards
Individuals who believe that their devices or applications are unable to meet UCSF’s Minimum Security Standards must apply for a yearly exception by completing and digitally signing the online form linked below. Upon receiving the completed form with signatures from the individual's department leadership, IT Security will contact you for a consultation. After this consultation the University's Chief Information Security Officer (CISO) will respond to your request.
Exception Requests Covering Legacy Systems
If granted, exception requests for an operating system that is no longer supported by the vendor will be for 12 months from the date of approval. All exception requests, including renewals of previous exception requests, must document the controls implemented to mitigate the risk to the system and to UCSF. Failure to renew an exception may result in disconnection from UCSF's network.
For systems that access or store ePHI, departments are advised to consider this exception documentation and the associated controls carefully in order to remain compliant with HIPAA § 164.308(a)(1)(ii)(B), which requires UCSF to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. Controls are countermeasures that help avoid or minimize security risks. These controls are generally implemented as technologies not directly associated with the system seeking exception from UCSF's Minimum Security Standards.
Compatibility Exemptions
Systems incompatible with or unsupported by the UCSF-specific tools will be exempted from the corresponding requirement(s) of the Minimum Security Standards. Any Compatibility Exemption will be listed by security application and OS in the Security 2.0 FAQs.
For vendor-supported systems and/or appliances residing on the UCSF network where UCSF staff do not have administrative access, the vendor maintaining the system is responsible for adherence to these standards. When P3/P4 data is involved in these circumstances, a Business Associate Agreement and/or Appendix DS may be required.
Computing devices found to be non-compliant with these standards and without an exception on file are subject to being disconnected from the UCSF network and prohibited from connecting to UCSF resources.
Minimum Security Standards
System Inventory and Protection Level Classifications
Systems must be inventoried as a configuration item in the enterprise configuration management database (CMDB); this includes, but is not limited to: physical servers, virtual servers, systems, endpoints, networking devices, printers, load balancers, and Virtual IPs (VIPs). This applies to all devices used for UCSF business. Any changes to the system throughout its lifecycle must be recorded in the enterprise CMDB.
Devices meeting the System Management Agent standard are automatically inventoried. Devices that are incompatible with or not supported by the System Management Agent standard can be inventoried, and their registration updated, using the ServiceNow CMDB.
Additionally, systems must have their protection level classification set in the enterprise CMDB. UCSF protection level classifications are defined in the UCSF protection level classification reference.
Transmission of Restricted Information
Restricted and Sensitive Information (P4 and P3 data) that is transmitted over non-UCSF networks must be encrypted. Restricted and Sensitive Information includes, but is not limited to, ePHI and personally identifiable information such as Social Security numbers.
Transmit P4 and P3 data only when necessary.
All email that contains electronic Protected Health Information (ePHI) or other Restricted Information must be encrypted if it is addressed outside the UCSF network environment. An existing service is available to accommodate encrypted email at the Secure Email Procedure Page.
Non-UCSF or 3rd party email services are not approved for use by faculty, staff, or students for conducting UCSF business.
Physical Security
Unauthorized physical access to an unattended device (including mobile devices) can result in harmful or fraudulent modification of data, fraudulent email use, or any number of other potentially dangerous situations. Whenever possible and appropriate, devices must be configured to "lock" and require a user to re-authenticate if left unattended for more than 20 minutes.
Computing devices that are left unattended must be located in locked areas or otherwise physically secured (e.g., with a cable lock).
System Management Agent
In order to inventory computers and enable basic security compliance, users must install system management software provided by IT. This applies to both UCSF-owned and non-UCSF-owned endpoints.
The system management software uses BigFix and is available through the UCSF IT Software Download Page.
Network Access Control (NAC)
In order to identify computers connected to the UCSF network, assess endpoint security compliance, and prevent unauthorized computers from connecting to the UCSF network, users must install network access control software provided by IT. This applies to both UCSF-owned and non-UCSF-owned endpoints.
Anti-Virus Software
Anti-virus software must be active with current anti-virus signatures on computing devices connected to the network, including laptop computers, desktop computers, and servers, except where there are significant compensating controls that would prevent virus infiltration.
IT currently has a contract with Symantec by Broadcom to provide anti-virus software as part of the Symantec Endpoint Protection (SEP) solution bundled with host-based firewall and IPS, available on the UCSF IT Software Download Page.
Host-Based Firewall Software
Firewalls that run on desktops, laptops, and servers are often referred to as host-based and/or personal firewalls. Host-based firewall software (if available for the platform) must be running and configured on networked computing devices, including laptop computers, desktop computers, and servers. While the use of departmental network firewalls is encouraged, they do not necessarily obviate the need for host-based firewalls.
IT currently has a contract with Symantec by Broadcom to provide host-based firewall software as part of the Symantec Endpoint Protection (SEP) solution bundled with anti-virus and host-based IPS, available on the UCSF IT Software Download Page.
Security Endpoint Detection and Response Agent (EDR)
In order to provide advanced protection monitoring and response capabilities, users must install the security endpoint detection and response agent provided by IT. This applies to both UCSF-owned and non-UCSF-owned endpoints.
The IT supported/integrated endpoint detection and response (EDR) agent is delivered through the system management software (BigFix). More information about the EDR agent is available at the EDR Service Page.
Device Encryption
Given the prevalence of restricted data in the UCSF environment, all endpoints (desktops, laptops, and mobile devices including smartphones and tablets) used for UCSF business must be encrypted. This applies to both UCSF-owned and non-UCSF-owned endpoints.
Encryption keys must be securely escrowed to allow emergency access when approved by the CISO. Units or individuals within UCSF who cannot use an IT-prescribed method of key escrow due to technical or business requirements must submit their key as prescribed by the Proof of Encryption Service Page.
Servers that store or process restricted information must be encrypted or have compensating security controls, such as those found in UCSF data centers.
IT provides encryption software for laptops and desktops at the How to Encrypt Your Computer Page.
Mobile devices must be connected to the UCSF Exchange/O365 email server with either Intune mobile device management (using Microsoft Intune Company Portal) or Intune mobile application management (MAM, using Microsoft Authenticator), which enforces the required security settings. More information regarding connecting your mobile device can be found at the Mobile Device Email Page.
Those who believe they need an exception to this device encryption standard due to a hardware or software incompatibility must submit a computer encryption waiver at the Request a Device Encryption Waiver Page.
Authentication
All forms of authentication must use adequate encryption to protect login credentials, such as user accounts and passwords, against unauthorized access. Use of unencrypted authentication is prohibited. Multi-Factor Authentication (MFA) is required in the circumstances dictated by the UC Account and Authentication Management Standard; UCSF also requires MFA for administrative access to servers.
Campus electronic communication systems or services must identify users and authorize access by means of passwords or other secure authentication processes. Shared-access systems must enforce the Unified UCSF Enterprise Password Standard whenever possible. Shared-access systems must, whenever possible and appropriate, require that users change any pre-assigned passwords immediately upon initial access to the account.
All default passwords for access to network-accessible devices must be modified. Passwords used by system administrators for their personal access to a service or device must not be the same as those used for privileged access to any service or device.
Privileged administrator accounts with access to sensitive Windows systems should use passphrases that are 15 or more characters.
Software Patch Updates
Networked computing devices must be kept updated with the most recent applicable security patches. Departments should document and implement a process to apply security patches in a timely fashion. Exceptions may be made for patches that compromise the usability of critical applications; these exceptions should be documented.
Application and Website Security
Application and website owners are responsible for ensuring that their applications and sites are secure, and must conduct periodic vulnerability assessments of these applications and sites. More information regarding secure coding best practices and vulnerability scanning services can be found at the Application and Website Security Page.
Enterprise Vulnerability Management
Systems connected to the UCSF network are subject to routine vulnerability scanning by IT Security to identify vulnerabilities. System owners must ensure that their devices do not prevent the enterprise vulnerability management tool from scanning them.
All devices connected to the UCSF network must meet the remediation timelines associated with the vulnerability's severity and the system's protection level classification. The remediation timeline begins when a vulnerability is announced. Major vulnerability exploits can lead to an adjustment of remediation timelines and priorities; these out-of-band instances will be communicated by IT Security.
Remediation timelines are measured in calendar days.
The UCSF Minimum Security Standards Checklist can be used to determine, and/or document, the compensating controls necessary to minimize information security risks as outlined in the above UCSF Minimum Security Standards.