Information Technology Standard 02.2.0

Workplace Device Technologies Standard


Date of Current Revision or Creation: November 1, 2021


The purpose of an Information Technology Standard is to specify requirements for compliance with Â鶹´«Ã½ Information Technology policies, other University policies, as well as applicable laws and regulations. Standards may include business principles, best practices, technical standards, migration and implementation strategies, that direct the design, deployment and management of information technology.

Purpose

The purpose of this compliance standard is to provide the University community with a clear understanding of the proper practices in the use of various communication technologies available in the workplace.

This standard seeks to ensure that University content is appropriately protected.

Definitions

Institutional Data - Recorded information that documents a University business-related transaction or activity by or with any appointed board member, officer, or employee of the University. Regardless of physical form, characteristic, or source, the recorded information is a University record if it is produced, collected, received or retained in pursuance of law or in connection with the transaction of University business. The medium upon which such information is recorded has no bearing on the determination of whether the recording is a University record. University records include but are not limited to personnel records, student records, academic records, financial records, patient records and administrative records. Record formats/media include but are not limited email, electronic databases, electronic files, paper, audio, video and images.

Protected Information is data subject to special precautions in its storage, usage and transmission as classified in University Policy #3504, Data Administration and Classification Policy.

Social Engineering is the term used for the practice of manipulating people to reveal private or sensitive information as a way to circumvent security.

User includes anyone who accesses and uses the Â鶹´«Ã½ information technology resources.

Standards Statement

Â鶹´«Ã½ provides a communication network offering data, video and voice devices and facilities for use by individuals and groups. The use of communication resources is permitted if users are aware of the information security issues involved and act in compliance with relevant regulations.

Clear Desk Practice

All protected information must be removed from the desk or other public areas and locked in a drawer or file cabinet when the workstation is unattended and at the end of the workday. All protected information must be stored in lockable drawers or cabinets. File cabinets containing protected information must be locked when not in use or when not attended. Keys used to access protected information must not be left at an unattended work area.

Providing Services or Instructions by Telephone

Instruction and service information is routinely provided by University employees by telephone. The University prohibits the release of private information. Be aware of all relevant policies and procedures when sharing information by telephone. Use a verification procedure to assist in determining the identity of the caller. Be aware of techniques, such as social engineering, used to gain information by deception.

Recording Telephone Conversations

Federal and state laws require that all parties must be informed in advance if calls are recorded (save and except Virginia, where only one party's consent is required so long as all parties are within that state). Quality assurance calls should identify that monitoring used to improve training. Recorded material must be safeguarded from unauthorized access and disclosure.

Clear Screen Practice

Computers and displays should be logged off or protected by a screen and keyboard locking mechanism controlled by a password or similar user authentication mechanism when unattended or protected by key locks, passwords or other controls when not in use. Passwords must not be posted on or under a computer or in any other accessible location.

Printers and Facsimile Transmissions

Prevent the unauthorized use of photocopiers, facsimiles, multifunctional and other reproduction technology. Designate a responsible individual to handle secure photocopies and faxed communications. Copies of documents containing protected information must be immediately removed from printers and facsimile machines. Whenever possible, use printers with that use University ID cards or authentication that limit use to only those who originate the document. To the extent possible, isolate the devices to a secure location accessible only to authorized employees.

For facsimile transmissions, use cover sheets that clearly identify the intended recipient and the total number of pages faxed. Use caution when sending or receiving confidential information by fax by confirming the number before dialing, requesting confirmation and reviewing activity reports. Confidential communications should explicitly state that the fax should not be distributed, copied or disclosed to any unauthorized person. Instructions on the handling of facsimile communications received in error should be provided on the cover sheet.

Removable Storage Media

Removable media should be encrypted if storing protected information. Protected information should be locked away from the workstation when not required and at the end of the workday. Protected information must be stored in lockable drawers or cabinets.

Mobile Devices

Mobile devices should follow the practices described in ITS Standard 02.9.0 Mobile Device Management Standard.

Conference Calls/ Videoconferencing

Use caution when discussing sensitive content. Public communication lines can be compromised. If conference calls or videoconferences are required on a regular basis, or if confidential data is discussed; use appropriate encryption on the lines. It is important to establish a procedure to verify the identities of the parties participating in a conference call.

Procedures, Guidelines & Other Related Information

History

Date Responsible Party Action
October 2009 ITAC/CIO Reaffirmed
October 2010 ITAC/CIO Reaffirmed
October 2011 ITAC/CIO Reaffirmed
April 2012 IT Policy Office Revised for clear screen policy, clear desk and printers
December 2012 IT Policy Office Numbering revision
August 2013 IT Policy Office Departmental Name update
August 2015 IT Policy Office/ISO Scheduled review, reaffirmed
December 2018 IT Policy Office/ISO Scheduled review, reaffirmed; definitions and links checked, wording updated.
November 2021 IT Policy Office Definitions and links checked.
Ìý