
DHS Policy: Oregon Department of Human Services
Administrative Services
 
Policy Title: Desktop and Laptop Computer Security
Policy Number: DHS-090-009
Version: 1.0
Effective Date: 11/08/2004

Approved By: DHS Chief Administrative Officer
Approved Date: 11/08/2004




Overview

Description: Most of DHS business is conducted with the use of desktop or laptop computers dedicated to a single user's activity. It is essential to protect DHS information assets created, gathered, shared or stored with desktop and laptop computers, related computer media (e.g. diskettes, CDROMs, Personal Digital Assistants (PDAs), flash drives, etc.) and peripheral equipment such as fax machines, printers and copiers.

Purpose/Rationale: The purpose of this policy is to set security provisions for securing desktop and laptop computers, related computer media and peripheral equipment.

Applicability: All individuals granted access to the DHS network and information systems including but not limited to full and part-time employees, temporary workers, volunteers, contractors, and those employed by others to perform DHS work, are covered by this policy and shall comply with this and associated policies, procedures and guidelines.

This policy includes all computers (e.g., desktops and laptops), stand-alone as well as those connected to the DHS Network.

The same physical and technical security measures shall be implemented for mobile and remote computers.

Failure to Comply: Failure to comply with information security policies or other associated policies, standards, guidelines, and procedures may result in disciplinary actions up to and including termination of employment for employees or termination of contracts for volunteers, contractors, partners, consultants, and other entities. Legal actions also may be taken for violations of applicable regulations and laws.


Policy

  1. General
    1. DHS will ensure reasonable physical safeguards to maintain desktop and laptop computers and peripheral equipment in such a way as to avoid inadvertent disclosure of DHS information. Refer to DHS Privacy Policies for disclosure and physical safeguards requirements.
    2. The Office of Information Services shall be responsible for secure installations, configurations, distribution, management and removal from service of DHS desktop and laptop computers. OIS must document if these responsibilities are assigned to another program area or office.
    3. DHS may withdraw permission for any or all business or personal uses of its network or information systems at any time.
  2. Securing Desktop and Laptop Computers
     Individuals granted access to the DHS Network or information systems shall secure desktop and laptop computers from inadvertent or unauthorized access.

    1. When leaving a desktop or laptop computer unattended, users shall apply the "Lock Workstation" feature (ctrl/alt/delete, enter) where systems allow.
    2. Unattended desktop and laptop computers shall be secured from viewing by password protected screen savers. Refer to procedure DHS-090-009-01, Setting Automatic Password Screensaver Feature.
    3. Desktop and laptop computers shall be set to activate the automatic screensaver feature after a period of non-use. The period of non-use shall be for no more than five (5) minutes. Refer to procedure DHS-090-009-01, Setting Automatic Screensaver Password Feature.
    4. Desktop computer users shall store confidential and sensitive information on a networked drive (shared directory on the DHS Network) and not the user's hard drive.
    5. Laptop computers that store confidential or sensitive information must have encryption technology. Users should contact OIS to request or confirm that DHS standard encryption technology is installed on their assigned laptop computer.
    6. Desktop and laptop computers and monitors shall be turned off at the end of each workday.
    7. Desktop and laptop computer users shall not disable or alter security safeguards, such as virus detection software, installed on DHS desktop or laptop computers.
  3. Physical Security Measures
     Physical security measures shall be used to secure laptops, computer media, and other forms of information storage media containing confidential or sensitive information.

    1. Mobile laptop computers actively connected to the network or information systems must not be left unattended.
    2. Laptop computers left in a vehicle shall not be visible. If possible, the laptop should be stored in a locked trunk. (Weather conditions should be considered when leaving electronic equipment in a vehicle for long periods of time.) Unattended vehicles shall be locked at all times.
    3. Mobile laptop computers, computer media and any other forms of removable storage (e.g. diskettes, CD ROMs, zip disks, PDAs, flash drives) shall be stored in a secure location or locked cabinet when not in use.
    4. Other information storage media containing confidential data such as paper, files, tapes, etc. shall be stored in a secure location or locked cabinet when not in use. Refer to DHS-100-005, DHS Administrative, Technical and Physical Safeguards Policy.
  4. Peripheral Equipment
     Peripheral equipment (e.g. printers, faxes, copiers) that store, produce and/or transfer confidential or sensitive information shall be protected from inadvertent or unauthorized access.

    1. Fax and telex machines that store or transmit confidential or sensitive information shall be placed in secure locations and monitored.
    2. All documents containing confidential or sensitive information shall be cleared from printers and copiers immediately.
  5. Unauthorized Software
    1. Individual users shall not install or download software applications and/or executable files to any DHS desktop or laptop computer without prior authorization from the Office of Information Services. Refer to DAS and DHS Information Technology Policies.
    2. The Office of Information Services shall make available to users a list of authorized and accepted software and applications approved by DHS. The list is available at: http://www.dhs.state.or.us/technology/standards/software.html
  6. Viruses
    1. Desktop and laptop computer users shall not write, compile, copy, knowingly propagate, execute, or attempt to introduce any computer code designed to self-replicate, damage, or otherwise hinder the performance of any computer system (e.g. virus, bacteria, worm, Trojan horse, or the like).
    2. Suspected viruses should be reported immediately to the Help Desk.
    3. Viruses shall not be deleted without expert assistance unless instructed by the Office of Information Services.
  7. Monitoring of Desktop and Laptop Computers
    1. DHS reserves the right to monitor individual user desktop and laptop computers at random or for cause.
  8. Technical Security
     Desktop and laptop computers shall be configured to reduce the risk of inadvertent or unauthorized access to DHS information and systems.

    1. All DHS desktop and laptop computers shall be configured according to OIS desktop and laptop configuration standards.
    2. User identification (name) and authentication (password) shall be required to access the operating system of all desktop and laptop computers whenever turned on or booted.
    3. Mainframe terminal sessions shall be configured to log a user off the system during extended periods of non-use. The period of non-use shall be for no more than 60 minutes.
    4. Local hard drives shall not be accessible when a desktop or laptop computer is booted from mobile media, e.g., a diskette or compact disk.
    5. All information stored in a shared directory on the DHS Network shall be backed up daily by OIS.
    6. DHS standard virus detection software shall be installed on all desktop and laptop computers, mobile, and remote devices and shall be configured to check files when read and routinely scan the system for viruses.
    7. Desktop and laptop computers shall be configured to log all significant computer security relevant events (e.g., password guessing, unauthorized access attempts or modifications to applications or systems software).
  9. Policy Exceptions
    1. The Information Security Office shall be authorized to approve or deny policy exceptions regarding elements of any Information Security Policy. Policy exception requests shall be submitted electronically or in hard copy form to the Information Security Office.

Procedure(s)

Form(s)

Reference(s)

Definition(s)

Contact

Policy History

If you have comments about this site, send email to dhs.policyinfo@state.or.us.


Oregon Department of Human Services
500 Summer St. NE E25, Salem, OR 97301-1098
Phone: (503) 945-5944
Fax: (503) 378-2897
TTY: (503) 947-5330