Prince Sultan University PSU
Policy Management System
Workstation Configuration Security

Policy Code: IT0007
Policy Title: Workstation Configuration Security
Owner: Information Technology Center
Responsible Office/Department: Vice President for Academic Affairs
Approved by: University Council
Date Created: 02 February 2017
Recent Review: December 2023
Effective date:

POLICY STATEMENT

The Workstation Configuration Security Policy is designed to establish robust and standardized security measures for configuring and managing workstations within PSU. This policy aims to protect sensitive data and ensure the integrity of our IT infrastructure by defining clear guidelines for the setup, maintenance, and usage of workstations. It addresses aspects such as software installation, user access controls, security updates, and the handling of confidential information. The policy is crucial for mitigating risks associated with cyber threats and maintaining a secure and efficient working environment. It applies to all employees and contractors who use or manage PSU’s workstations, underscoring our commitment to a proactive and security-conscious approach in our IT practices.

BACKGROUND AND JUSTIFICATION

This policy is to establish standards for the base configuration of workstations that are owned or operated by the ITC. Effective implementation of this policy will minimize unauthorized access to PSU’s Information Technology Network and other Proprietary Information and technology.

SCOPE AND PURPOSE

This policy is intended for all ITC workstations either owned or operated by ITC or any department/center within PSU.

PRINCIPLES OF THE POLICY

General Configuration Standards

  1. Operating System configuration should not violate the Information Security Standards.
  2. Only needed applicable services and applications should be activated and used.
  3. Protected access to services is required through authorized access-control methods.
  4. Regular security patches should be installed on the workstation.
  5. When needed, a secure channel connection is used.

Monitoring

Any incident or potential violation of security should be reported immediately to ITC personnel, who will analyze the logs to determine the issue. Corrective actions will be taken to remedy the situation.

Compliance

  1. Regular audits are implemented by ITC staff.
  2. These regular audits are compliant with the Audit Policy documentation.
  3. ITC will try its best to prevent these audits from causing any outage of its services operation.

DEFINITIONS

  1. Workstation: A personal computer that includes both desktop and laptop/notebook computers used to store information or access information systems of the Centre
  2. Configuration: the arrangement of the hardware and software of IT system
  3. Sensitive Information: Information assets classified as restricted, confidential or for internal use
  4. Operating System:  a system software that manages computer hardware and software resources, and provides common services for computer programs
  5. Unauthorized Access: when someone, internally or externally, gains access to a computer system, network, or data without permission
  6. Access Control: a security technique that regulates who or what can view or use resources in a computing environment
  7. Security Patch: a software update for existing applications or operating systems to correct errors or security vulnerabilities in a timely manner.
  8. Secure Channel: A path for transferring data between two entities or components that ensures confidentiality, integrity and replay protection, as well as mutual authentication between the entities or components
  9. Log: the automatically produced and time-stamped documentation of events relevant to a particular system

RESPONSIBILITIES AND IMPLEMENTATION STRATEGIES

All ITC workstations at PSU are the responsibility of the department/center/faculty/staff that operate them. The standard configuration should be maintained, based on business needs. Any need for change in the configuration should be approved by ITC.

  1. Workstations should be cataloged in the ITC inventory System. The following information is required to identify the point of contact:
    1. Phone Number and Email of the contact person
    2. Operating System and Hardware numbers
    3. The main purpose of the workstation
  2. ITC inventory system information should be maintained and updated regularly.
  3. Any changes to the configuration should be within the Change Management Policy documentation.

PROCEDURES FOR HANDLING POLICY VIOLATION

Any Authorized User found to be in violation of this policy will be considered an Unauthorized User, and as such are subject to disciplinary action pursuant with the Enforcement section of the Unauthorized Use Policy.

REFERENCES