Shared Computing Device Security

  • Policy Type: Information Technologies
  • Policy Title: Shared Computing Device Security
  • Policy Number: NA
  • Office Responsible: Information Technologies
  • Related Policies: Information Technologies & Resources
  • Related Procedures: NA
  • Related Laws: NA
  • HLC Criterion: NA

Objective
In accordance with the Information Security and Acceptable Use Policy, all systems owned or managed by the Oakland Community College must be adequately protected to ensure confidentiality, integrity, availability, and accountability of such systems. Collaborative Computing Devices include shared PC (meeting rooms/podiums, kiosks, Classrooms, Labs, Libraries), Technology Enhanced Classrooms (TEC), cameras, microphones, video conferencing equipment, etc.

Access Control
Built-in system accounts should be disabled if not used and must not have blank or default passwords if they are used. Access to configuration settings must be limited to authorized administrators only. If individual access control for basic functions is needed, all users must be assigned a unique identifier.

DNS Registration
All systems must be registered with the Directory Name Service (DNS) network addressing system in order to properly communicate on the OCC wired network. It is recommended that a static address reservation be used to promote consistency over time. Connecting a collaborative computing device to the wireless network is not recommended. Wireless functionality should therefore be disabled when not required.

Management Protocols
When feasible for business operations, unnecessary or clear-text management protocols (HTTP, FTP, Telnet, SNMP, etc.) should be disabled.

Patching
All applications must be at least at version n-1. Security patches must be installed in a timely manner, depending on the likelihood and impact of vulnerability exploitation, at least within 14 days of release.

Remote Access
Collaborative computing devices may not be activated from remote, unless designated by business needs and objectives for such access.

Indicators
Collaborative computing devices must provide visual or auditory indicators to signify when such devices are in use
(e.g., lights, tones).

Logging
The system must be configured to retain logs for a minimum of 30 days to facilitate troubleshooting and support investigations. When possible, electronically sending logs in a central location is recommended. This includes logs related to user activity as well as audit logs of configuration changes.

Internal Hard Drive Protection
Internal storage components, such as hard drives, are subject to encryption if Confidential Data will be stored to the device. Ongoing disk wiping is also required, where compatible. When a system is decommissioned, disposed of, or returned to a lease provider, the internal storage components must be physically destroyed or the data rendered unreadable in such a manner to prevent disclosure to unintended parties.

Exemptions
None.

Change Log

  • 07-01-2018  Effective date

OCC Logo