School of Medicine Minimum
Security Measures and Computer Support configurations and requirements
Bob Burkhardt / Todd Ferris
November 11, 2004
This document defines the minimum security measures that must be maintained
on all School of Medicine computer assets. It then identifies system
configurations and requirements to be eligible for IRT Central Help Desk
Support.
There are several different types of machines in use throughout the School
of Medicine (SoM).
- Personal Workstations
- Local Servers
- Lab Equipment
- Vendor supplied computers
Appendix 1 shows the security measures that must be taken on all School
of Medicine computers by 3/1/05 in order to continue to be connected
to the network. Should one decide to remain on the General SoM network,
they will need to certify that they take responsibility to ensure that
no sensitive data will be on the machine.
Please note that both Legacy / Non-supported machines and Supported
machines are listed. The table below identifies the supported and
non-supported machines. See Appendix 2 for clarifications on Table 1.
Table 1

| Category | Windows | Macintosh | Unix / Linux |
|---|---|---|---|
| 'Green': Fully supported, modern OS. | Windows XP Pro; Windows 2000 | Mac OS 10.3 | Current patched vendor-supported O/S |
| 'Yellow': Must be upgraded to Mac OS 10.3. | | Mac OS 10.0-10.25 | |
| 'Red': Outdated OS. Not supported. Should be replaced as soon as possible. | Windows XP Home (1); Windows ME; Windows 98 (2); Windows NT 4.x (3); Windows 95 (4) | Mac OS 9; Mac OS 8.6; Mac OS 7 | Non-vendor supported O/S |
Supported computers that meet the criteria below are eligible to use
the IRT Central Support Help Desk.
Central Helpdesk Criteria:
1. IRT has contact information for local support
2. Agreement to allow remote assistance
3. IRT Approved Remote diagnostic Software is loaded
4. Machine is built and maintained to the following SoM Specifications
   a) Standard Build
   b) Lockdown procedures completed
   c) Applications loaded in standard locations
   d) Data storage in standard locations
5. A text file on the desktop, "IRTexceptions.txt", defines
   any necessary exceptions to 4c and 4d.
For further information on how to participate with the IRT Central Help
Desk or to schedule your group for assistance with being brought up to
standard, please call x5-8000.
Appendix 1

Row 1:

| | Legacy / Non-supported System | General SoM Network: Supported System, No sensitive data | Trusted SoM Network: Supported System, Sensitive data | Clinical SoM Network: Supported System, Access to SHC / LPCH |
|---|---|---|---|---|
| 1 | No IRT Support | Anti Virus | Big Fix or equivalent, auto-reboot can be forced | Big Fix or equivalent; a) Auto Reboot mandatory |
| 2 | Limited SoM Network (1) | Latest Patches (2) | SoM lockdown procedure B; a) If on the net before lockdown, security scan required | SoM lockdown procedure (C) |
| 3 | No Sensitive data | Standard Personal FW (3) | Must be physically secure or data must be encrypted (4) | On the trusted network |
| 4 | Cannot participate in SoM central support | Part of SoM Domain (3) | Standard Personal Firewall On | No unauthorized program installs |
| 5 | | SoM Lockdown procedure A. | Clearly identified support person that is certified to IRT requirements | Part of SoM domain (3) |
| 6 | | If no BigFix, lockdown process performed monthly | | |

Row 2:

| | Legacy / Non-supported System | General SoM Network: Supported System, No sensitive data | Trusted SoM Network: Supported System, Sensitive data | Clinical SoM Network: Supported System, Access to SHC / LPCH |
|---|---|---|---|---|
| 1 | No IRT Support | Anti Virus | Big Fix or equivalent; a) Auto-reboot not forced, but highly recommended; b) Local console operator suggested by department; c) Periodic audits to confirm compliance; d) Upgrades must be timely | Not Applicable |
| 2 | Limited SoM Network (1) | Latest Patches (2) | SoM lockdown procedure B; a) Security scan required | |
| 3 | No Sensitive data (1) | Standard Personal FW (3) | Must be physically secure or data must be encrypted (4) | |
| 4 | Cannot participate in SoM central support | Part of SoM Domain (3) | Standard Personal Firewall On | |
| 5 | | SoM Lockdown procedure A. | Clearly identified support person that is certified to IRT requirements | |
| 6 | | If no BigFix, lockdown process performed monthly | | |

Notes:
1) Security Review Required for Exceptions
2) Big Fix Recommended
3) Recommended
4) Encryption Procedure
   a) Security team has master password for devices with SoM data
Requirements by network and machine type (X = applies):

| Criteria | Legacy Systems | | General Network, No Sensitive Data | | Trusted Network, Sensitive Data | | SUMC Clinical Network Machines | |
| | Desktop / Laptop | Lab / Vendor | Desktop / Laptop | Lab / Vendor | Desktop / Laptop | Lab / Vendor | Desktop / Laptop | Lab / Vendor |
|---|---|---|---|---|---|---|---|---|
| Antivirus: Any recommended | X | X | | | | | | |
| Antivirus: Approved Anti-Virus installed & on | | | X | X | X | X | X | X |
| Patch Management: OS auto-updates | X | X | | | | | | |
| Patch Management: Big Fix, no forced reboot | | | X | X | | X | | |
| Patch Management: Big Fix, w/ forced reboot | | | | | X | | X | X |
| SoM Domain: can't join | X | X | | | | | | |
| SoM Domain: Recommended | | | X | X | X | X | | |
| SoM Domain: Highly Recommended | | | | | | | X | X |
| Network Access: Public Access | X | X | | | | | | |
| Network Access: General Network | | | X | X | | | | |
| Network Access: Trusted Network | | | | | X | X | | |
| Network Access: SUMC Clinical Network | | | | | | | X | X |
| Host based Firewall: Any recommended | X | X | | | | | | |
| Host based Firewall: Only supported FW, recommended on | | | X | X | X | X | | |
| Host based Firewall: Only supported FW, required on | | | | | | | X | X |
| Installed Programs: Any non-malicious allowed | X | X | X | X | X | X | | |
| Installed Programs: Only approved apps, by certified support | | | | | | | X | X |
| Encryption: Not required | X | X | X | X | | | | |
| Encryption: Required for sensitive data | | | | | X | X | X | X |
| Portable Devices (Laptop, PDA, other non-physically-secure devices): Encryption of Sensitive Data | NA | NA | NA | NA | X | X | X | X |
| IRT Certified Desktop Support: Not Available | X | X | | | | | | |
| IRT Certified Desktop Support: Available | | | X | X | X | X | | |
| IRT Certified Desktop Support: Required | | | | | | | X | X |
Appendix 2
This recommendation deals with computers for general academic and administrative
use. For the purposes of this recommendation, general academic, research
and administrative needs are defined as:
- the ability to run at least four applications concurrently (e.g.,
Internet Explorer, Eudora, Microsoft Word, and Microsoft Excel)
- the ability to install and run current, off-the-shelf, general
purpose business applications
- the ability to install and run current Stanford-specific administrative
applications
This standard must be adjusted accordingly for users who place either
higher or lower demands on their systems (e.g., for special purpose applications
on the high end or simply as a Web-browsing terminal on the low end).
Three to Four Year Replacement Rule of Thumb
Based upon experience with the continuing changes and improvements in
desktop computing capabilities, it is recommended that a three to four
year replacement cycle would create an adequate platform to support standard
business applications. However, each computer should be assessed on a
regular basis to ensure that it continues to support the unique work
applications of its user.
If Your Computer is Below This Line...
If your computing needs fall into the profile of "general academic
or administrative use," as described above, and your current computer
falls below the standards listed, you should plan to replace your computer
in the 2004 - 2005 academic year.
For Windows Computers:
- Windows 2000 or Windows XP
- Pentium IV
- 512 MB RAM
For Macintosh Computers:
- Mac OS X v10.3
- G4 processor
- 512 MB RAM*
*You can upgrade your RAM without replacing your computer in most cases.
For All Computers:
If you spend more than a few hours each week using any of Stanford's
web-based administrative applications, such as PeopleSoft or Oracle Financials,
ITSS strongly encourages you to have at least a 17" display, or
better still, a 19" or 20" display, whether it is an LCD flat
panel or a conventional CRT monitor. Display size is measured diagonally
from corner to corner; in the case of CRTs, the actual viewable area
(the part of the screen that lights up) is smaller than the exposed
glass screen itself. A bigger display means less scrolling and squinting
when you try to view a large amount of graphic information within a limited
space.
More specific information about operating system requirements is in
the following table and notes.
| Category | Windows | Macintosh |
|---|---|---|
| 'Green': Fully supported, modern OS. | Windows XP Pro; Windows 2000 | Mac OS 10.3 |
| 'Yellow': Must be upgraded to Mac OS 10.3. | | Mac OS 10.0-10.25 |
| 'Red': Outdated OS. Not supported. Should be replaced as soon as possible. | Windows XP Home (1); Windows ME; Windows 98 (2); Windows NT 4.x (3); Windows 95 (4) | Mac OS 9; Mac OS 8.6; Mac OS 7 |
Notes:
1. Security Note on Windows XP Home Edition:
There are inherent security problems with Windows XP Home Edition. Both
Information Security Services and Stanford Procurement recommend against
purchasing this product. Windows XP Professional provides similar functionality
(better, actually), but with better security.
2. Note on Windows 98:
Microsoft originally planned to end support for Windows 98 on January
16, 2004 but extended the support to June 30, 2006 because customers
in the smaller and the emerging markets needed additional time to upgrade
their product. If you are running a computer with the Windows 98 operating
system, you should replace it.
3. Note on Windows NT 4.x:
Microsoft officially declared Windows NT 4.x "non-supported" as
of June 30, 2003. If you are running a computer with the Windows NT operating
system, you should replace it. For more information on this topic, see
the letter from Microsoft.
4. Note on Windows 95:
Microsoft officially declared Windows 95 to be "End of Life" as
of December 31, 2002. This means there will not be any enhancements or
patches. If you are running a computer with Windows 95 or an older operating
system, you should replace it.
5. Note on Mac OS 10.0, 10.1, and 10.2:
If you are running Mac OS 10.0, 10.1, or 10.2, you should upgrade to
10.3 or later. Version 10.3 (also known as Panther) incorporated several
changes in the operating system that are especially significant in
Stanford's computing infrastructure.