Public Health IT Policies

The following policies apply to all employees of the School of Public Health. All users of the school’s computer resources are expected to know and follow these policies.

01-01 Computer Access and Use Policy

CATEGORY:  SUPPORT SERVICES
SECTION:  Computing, Information, and Data
SUBJECT:  Computer Access and Use
EFFECTIVE DATE:  January 2021 Revised

I. SCOPE

This policy establishes restrictions regarding the access and use of University-owned and maintained computers, computer systems, computer networks, electronic communications facilities, and other related computing facilities used to store and process data, text, and software used by the University.

II. POLICY

The School of Public Health will refer to the University of Pittsburgh Policy AO 10 for Computer Access and Use and follow all policies therein.

01-02 Data Security Policy

CATEGORY:  SUPPORT SERVICES
SECTION:  Computing, Information, and Data
SUBJECT:  Data Security Policy
EFFECTIVE DATE:  January 2021 Revised

I. SCOPE 

This policy is designed to protect data located on Public Health computers and computer systems from computer viruses and other malicious code, and to prevent computer loss or theft. This policy is also intended to prevent damage to applications, data, files, and hardware. 

Data confidentiality is a critical component of security. A good understanding of data types, their risk levels, and minimum security precautions is necessary to prevent unauthorized access. Refer to http://technology.pitt.edu/security/data-classification-matrix for an overview of University guidelines on data classification and security. Also, refer to the University of Pittsburgh’s HIPAA Compliance policy document.

The policies listed below aim to provide as much data security as possible.  There are many different avenues of attack; therefore, different protections must be in place to help protect data.

This policy applies to all employees of the School of Public Health, as well as vendors, contractors, partners, students, collaborators, and any others doing business or research with the School. Any other parties, who use, work on, or provide services involving School computers and technology systems will also be subject to the provisions of this policy.  Every user of the School’s computer resources is expected to know and follow this policy. 

II. DEFINITIONS

Anti-virus software is a program or set of programs installed on a server or workstation and used to detect, prevent, and remove malicious software. Anti-virus software is generally reactive, meaning a signature file must be developed for each new virus discovered, and these virus definition files must be uploaded to the software in order for it to scan for the most recently released malicious code. Anti-virus software is available for download on the software download service via the My.Pitt portal.

Desktops are computers that are accessed by users on a daily basis.  They are not intended to be moved and are located behind locked doors.

Desktop management software is software that is used to inventory computer software and hardware.  It also automates the update process to several applications.  Furthermore, it provides checks for potential security risks that may otherwise go unnoticed.

Laptops are computers that are operated by users on a daily basis.  They are intended to be moved to different locations and may be exposed to situations where theft could occur.

Malicious software is any type of computer code that infects a machine and performs a nefarious action.   Computer viruses, worms, trojans, and ransomware are all examples of malicious software. 

Mobile devices are small and easily transportable.  They are generally moved to different locations and may be exposed to a high risk of theft.  Examples of these devices include tablets and smartphones.

Servers are machines that are used to centrally store data or run applications.  Users do not work directly on these machines.  They are not intended to be moved and are protected behind locked doors.

III. POLICY

Servers

All servers will be managed either by Public Health IT or by Pitt IT, which will provide the following:
  • Central management of Microsoft updates.
  • Central management of overall system health, including hardware, software, events, and performance monitoring.
  • Central management of anti-virus software.

  • All servers will have security software (anti-virus and anti-malware) installed and configured to automatically update definition files. These programs must be actively running, and it is imperative that these processes are not disabled or impeded in any way.
  • A full disk virus scan will be periodically conducted with findings reported to an internal server.
  • All files on the server will be scanned periodically for personally identifiable information. All files found with personally identifiable information will be removed unless the server has been designated to store such information by PITT IT.
  • All servers will have desktop management software installed. This software is NOT to be disabled, modified or removed.
  • Any server that is using an operating system that is no longer supported must be upgraded or decommissioned.

Exceptions to this policy may be granted if a user and/or installed software cannot operate under these policies.  Each exception will be evaluated to determine the risks associated with omitting specific protections.  Users that require exceptions will be required to undergo training to understand the risks and develop habits and strategies to mitigate those risks.  These users will also be required to sign an annual agreement. 

This policy will not supersede any University of Pittsburgh policies but may introduce more stringent requirements. 

Mobile Devices

Currently, mobile devices are not managed by the School of Public Health.  If the use of such a device is required, collaboration with the Public Health IT group will be necessary to recommend the best hardware and current protections available for the device.

NEVER store sensitive or confidential data directly onto a mobile device unless you have authorization from PITT IT to do so.

All Devices

  • Confidential data will NOT be stored on USB or external devices without encryption.
  • If a device has become infected or compromised, it will be disconnected from the network until the infection has been removed. Data loss may occur depending on the severity.
  • Any local accounts created on devices will use complex passwords. Contact Public Health Technology Services for details.
  • Local accounts are not to be modified without the permission of Public Health Technology Services.
  • Disabling or modifying any security software or security policy is prohibited without the permission of Public Health Technology Services.
  • It is not permissible for anyone other than a workstation’s primary user, that user’s supervisors, or IT personnel to access a workstation or resources on the University network, as harm could inadvertently be done to Public Health or University resources, assets or research.
  • All devices must be locked when not in use.
  • The installation of hardware on any device is prohibited.
  • The installation of any software is not permissible without the permission of the Public Health IT group.
  • University approved services and software must be used for all University work. Approved service providers ensure adequate data protections and support in the case of issues involving University data. Services like Box, OneDrive, DocuSign, Qualtrics, Office 365, Microsoft Teams, Zoom, etc., are all examples of approved service providers.
  • The use of common document storage and communication services, such as Google (including Gmail, Docs, Sheets, and Slides), Discord, and Dropbox, for University work is strictly prohibited. The University currently has no data storage/services agreement with these companies. The use of these services exposes University data and intellectual property to potential hacking threats.
  • The use of Cloud File Storage Solutions (Box, Dropbox, OneDrive, etc.) for confidential and sensitive data is prohibited. Contact the Public Health IT group for details.

Laptops

All laptops will be managed by the Public Health IT group, which will provide the following:
  • Central management of Microsoft updates.
  • Central management of software updates.
  • Central management of overall system health, including hardware, software, events, and performance monitoring.
  • Central management of antivirus and anti-malware software.

  • All laptop computers connected to the network will have security software (anti-virus and anti-malware) installed and configured to automatically update definition files. These programs must be actively running, and it is imperative that these processes are not disabled or impeded in any way.
  • A full disk virus scan will be periodically conducted with findings reported to an internal server.
  • All laptops will be configured with encryption software to protect all data on the device. The encryption software is not to be disabled, modified or removed.
  • Standard user accounts will be required to limit exposure to and installation of malicious software.
  • All users will scan their computer using Spirion (formerly called Identity Finder) every six months. Any files found containing personally identifiable information will be redacted or deleted.
  • All laptop computers will have desktop management software installed. This software is NOT to be disabled, modified or removed.
  • Any laptop using an operating system that is no longer supported (End of Life) must be either upgraded or decommissioned.

Desktops

All desktops will be managed by the Public Health IT group, which will provide the following:
  • Central management of Microsoft updates.
  • Central management of software updates.
  • Central management of overall system health, including hardware, software, events, and performance monitoring.
  • Central management of antivirus and anti-malware software.

  • All desktops connected to the network will have security software (anti-virus and anti-malware) installed and configured to automatically update definition files. These programs must be actively running, and it is imperative that these processes are not disabled or impeded in any way.
  • A full disk virus scan will be periodically conducted with findings reported to an internal server.
  • Desktops that access confidential or PII data will be encrypted.
  • Standard user accounts will be required to limit exposure to and the installation of malicious software.
  • All users will scan their computer using Spirion (formerly called Identity Finder) every six months. Any files found containing personally identifiable information will be redacted or deleted.
  • All desktop computers will have desktop management software installed. This software is NOT to be disabled, modified or removed.
  • Any desktop computer using an operating system that is no longer supported (End of Life) must be either upgraded or decommissioned.

01-03 Software Licensing Policy

CATEGORY:  SUPPORT SERVICES
SECTION:  Computing, Information, and Data
SUBJECT:  Software Licensing Policy
EFFECTIVE DATE:  January 2021 Revised

I. SCOPE

This policy sets forth the framework to secure the software installed on all School of Public Health computers and computer systems. Unpatched software security flaws leave computing systems vulnerable to nefarious attacks and increase the potential for data theft.

Licensing is an important aspect of software security. Appropriate licensing must be observed to protect computers and avoid fines.  Illegal or improperly licensed software cannot be updated. Unpatched security flaws increase the possibility of data theft.  Regular audits are performed to reconcile software purchases against installed software titles and versions.  Improper licensing can lead to fines for the University and the user.

This policy applies to all employees of the School of Public Health.  Every user of the School of Public Health's computer resources is expected to recognize and respect this policy. 

II. DEFINITIONS

Software licensing is the purchase of one or more licenses allowing for the permissible and legal use of a software title.  Typically, a licensed software title is purchased on a per user basis, but it can also be executed per computer, per department, per school, or across the University as a whole.

A University computer/computing device is one purchased with University funds (through a direct purchase requisition or a reimbursement of monies through a University account).

III. POLICY

License Purchases

All license purchases should be submitted/approved through the Public Health IT group to ensure the correct number/type of licenses are ordered. For those products that require license renewals (usually annually), notifications are generally received by the software purchaser. Software renewals are to be reconciled with the user's School/Department.

License Usage

All University computers require the appropriate licensed software from Pitt Software Distribution Services (SDS) or from an approved software vendor via purchase requisition. All terms of the license agreement are to be enforced. Read the terms and conditions for departmental use of licensed university software. Prompt payment of annually renewable SDS software license fees is expected and required. Expired software titles must be removed from the applicable workstation. Illegally installed software discovered on a University-purchased computer will be removed immediately and the user will be required to purchase the appropriate license for installation.

This policy will not supersede any University of Pittsburgh policies but may introduce stricter requirements.

  • Installation of Pitt student-licensed software onto ANY University-purchased device is forbidden! Student-licensed software is intended for individual student use on said individual’s personal device. Violation of the Software Compliance for Students policy can result in disciplinary action.

01-04 Computer Hardware Purchasing and Replacement Policy

CATEGORY:  SUPPORT SERVICES
SECTION:  Computing, Information, and Data
SUBJECT:  Hardware Purchasing and Replacement
EFFECTIVE DATE:  January 2021 Revised

I. SCOPE

This policy is designed to provide the accepted procedures for computer hardware purchases and data transfers to a new computer.

This policy applies to all employees of the School of Public Health. Every user of the School’s computer resources is expected to know and follow this policy. 

II. DEFINITIONS

Hardware refers to any computer device, including, but not limited to, servers, desktops, laptops, monitors, printers, and tablets.

III. POLICY

Hardware Purchases

All hardware purchases should be submitted through the Public Health IT group to ensure that the computer configuration will meet the needs of the user. All computer purchases shall follow Public Health IT and PITT IT recommendations and guidelines.

Exceptions to this policy may be granted.  Each exception will be evaluated on an individual basis.  

Hardware Replacement

Hardware replacement will follow these guidelines:

Data stored on an old device will be copied to the new device. A backup of the device data or the original hard drive will be stored by the Public Health IT group for two weeks. This will ensure that any missed data can be retrieved and copied to the new device. Any request for a permanent static backup of the replaced unit’s hard drive (either partial or full image) will require the user to purchase an external drive that will be encrypted and to which the data will be copied.

This policy will not supersede any University of Pittsburgh policies but may introduce more stringent requirements.

Retired Hardware

Hardware marked for retirement will be sent to University surplus. Typically, retired hardware will have data wiped from the hard drive and/or the hard drive removed and sent for physical destruction.  Users that wish to take retired hardware for personal use will be required to complete a request form, indicating all serial numbers/service tags of the requested equipment, understanding that the machine’s hard drive has been wiped and the proper software licenses have been applied, transferred, or purchased.

Additional Documents