The following are required and recommended steps to keep your computer, accounts, and data more secure. The steps involving setup, installation, or configuration require administrative/root privileges.
Note: Staff machines under SEASnet support have many of these configured already. Please check with the Help Desk before making changes.
Required: Meeting UC’s Minimum Security Standard and UCLA’s Minimum Security Standard (note that there is overlap). Below is UC’s standard for reference:
- Anti-malware: Anti-malware software must be installed, running, and using up-to-date definitions.
- Approval and Inventory: Confirm that devices can be secured before making a purchasing decision. Make sure IT Resources and Institutional Information are appropriately recorded in Location inventory.
- Backup and Recovery: Institutional Information classified at Availability Level 3 or higher must be backed up and recoverable. Backups must be protected according to the classification level of the information they contain.
- Encryption: All portable computing devices must be encrypted.
- Encrypt Portable Media: Portable media containing Institutional Information classified at Protection Level 3 or higher must be encrypted and safely stored.
- Host-based Firewall: If host-based firewall software is available on a device, it must be running and configured to block all inbound traffic that is not explicitly required for the intended use of the device.
- Local Admin or Administrator: Non-privileged user accounts must be used and only elevated to root or administrator when necessary.
- Password/PIN lock: Secure devices with a strong password, PIN, smart card, or biometric lock.
- Patching: Supported security patches must be applied to all operating systems and applications. When possible, allow the updates to happen automatically.
- Physical Security: Devices and Institutional Information must be physically secured. You can submit a SEASnet Service Request to do so.
- Session Timeout: Devices used to store or access Institutional Information or IT Resources classified at Protection Level 2 or higher must implement a lockout, screen-lock, or session timeout mechanism that activates after a defined period of inactivity (e.g., 15 minutes or based on location). These mechanisms must require re-authentication before allowing a return to interactive use. Guidance is available for configuring this on both Windows and macOS systems.
- Supported Operating Systems: Use an operating system version that is currently supported by the vendor. Unsupported (also known as “End of Life”) operating systems include, but are not limited to:
  - Microsoft: Windows NT, Windows XP, Windows 7, and earlier versions of Windows 10 (versions 1507, 1511, 1607, etc.)
  - Apple: macOS 11.0 or earlier
  - Linux: Ubuntu 16.04 LTS, RHEL 6, CentOS 8
Recommendations
- Log off the machine when you leave for the day.
- Implement user account hygiene: check for and delete old and unused accounts.
- Create strong passwords for all computer accounts and change them every 6 months.
- Use a password manager; do not re-use passwords. UCLA has licenses for 1Password.
- Do not save passwords in web browsers.
- Do not keep any Sensitive Data on your computer unless absolutely necessary. If you must keep sensitive data on your computer, it should be Secured; compromised computers containing sensitive data will be subject to UCLA Policy 420.
- If you have passwords or other sensitive data in hard copy (on paper), keep it secure, for example in a locked cabinet.
- Beware of Social Engineering Attacks.
- SecurID cards (if one is assigned to you) should be treated like a master key: keep it in a secure location, do not let anyone borrow or use it, and do not write your username or password on the device or place any identifiable marks, stickers, or notes of any kind on it.
Windows-Specific:
- Lock down and/or disable Shared Folders.
- If you use Remote Desktop, tighten security.
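The Windows items above (host-based firewall blocking unrequested inbound traffic, a re-authenticating screen lock after 15 minutes, shared folders, and Remote Desktop hardening) can be audited from an elevated PowerShell session. The script below is an added example, not a SEASnet tool: it only reads settings and reports findings, changes nothing, and the function name, the 900-second threshold, and the assumption that Network Level Authentication is the Remote Desktop control worth checking are the editor's choices. The registry locations and cmdlets are the standard Windows ones.

```powershell
# Added example (not part of the SEASnet page). Read-only compliance check for the
# Windows-specific items on this page; run as administrator. Prints nothing but
# returns a list of findings (empty list = nothing found by these checks).
function Test-WorkstationBaseline {
    $findings = @()

    # 1. Host-based firewall: each profile enabled and defaulting to Block inbound.
    foreach ($p in Get-NetFirewallProfile) {
        if (-not $p.Enabled) {
            $findings += "Firewall profile '$($p.Name)' is disabled"
        }
        if ("$($p.DefaultInboundAction)" -ne 'Block') {
            $findings += "Firewall profile '$($p.Name)' default inbound action is '$($p.DefaultInboundAction)', expected 'Block'"
        }
    }

    # 2. Session timeout: a password-protected screen saver within 15 minutes
    #    (900 s is an assumed threshold taken from the page's example). Settings
    #    pushed by Group Policy live under the Policies key, so check both.
    $maxIdle = 900
    $deskKeys = @(
        'HKCU:\Control Panel\Desktop',
        'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    )
    $lockOk = $false
    foreach ($k in $deskKeys) {
        $d = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if ($null -eq $d) { continue }
        $active  = "$($d.ScreenSaveActive)"  -eq '1'
        $secure  = "$($d.ScreenSaverIsSecure)" -eq '1'
        $timeout = 0
        [void][int]::TryParse("$($d.ScreenSaveTimeOut)", [ref]$timeout)
        if ($active -and $secure -and $timeout -gt 0 -and $timeout -le $maxIdle) { $lockOk = $true }
    }
    # Alternative control: "Interactive logon: Machine inactivity limit".
    $sys = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
    if ($sys -and $sys.InactivityTimeoutSecs -gt 0 -and $sys.InactivityTimeoutSecs -le $maxIdle) { $lockOk = $true }
    if (-not $lockOk) {
        $findings += "No re-authenticating screen lock within $maxIdle seconds was found"
    }

    # 3. Shared folders: list user-created SMB shares (administrative shares such as
    #    C$ and IPC$ are marked Special and are excluded).
    $shares = Get-SmbShare -ErrorAction SilentlyContinue | Where-Object { -not $_.Special }
    foreach ($s in $shares) {
        $findings += "Shared folder '$($s.Name)' exposes '$($s.Path)'; confirm it is still required and locked down"
    }

    # 4. Remote Desktop: if enabled, require Network Level Authentication so the
    #    client must authenticate before a session is created.
    $ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
    if ($ts -and $ts.fDenyTSConnections -eq 0) {
        $rdp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -ErrorAction SilentlyContinue
        if (-not $rdp -or $rdp.UserAuthentication -ne 1) {
            $findings += "Remote Desktop is enabled without Network Level Authentication"
        }
    }

    return ,$findings
}

# Usage: show findings, or a single line when none were produced.
$result = Test-WorkstationBaseline
if ($result.Count -eq 0) { 'No findings from these checks' } else { $result }
```

The checks are deliberately conservative: an empty result means these specific settings looked right, not that the machine meets every item on this page (anti-malware, patching, and encryption are not examined here). On SEASnet-managed machines, ask the Help Desk before acting on any finding, since several of these settings are centrally managed.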
Protection of Personally Identifiable Information as outlined in UCLA Policy 420:
- Avoid transferring protected information to easily lost or unsecured devices, such as USB drives or CDs, which can be accessed by unauthorized individuals if misplaced.
- Email and Protected Data: Avoid sending email that contains protected data whenever possible. If it is absolutely necessary, carefully verify the recipient and ensure the information is being sent only to those who need it. If forwarding an email that contains protected data, remove any sensitive information that is not relevant to the recipient before sending. When health or medical information is included—for example, an employee emailing their supervisor about a medical condition—the message becomes protected data. Supervisors must ensure such messages are not forwarded to non-HSSEAS accounts. Email accounts not managed by SEASnet may not meet campus security requirements.
- Be cautious when browsing the internet on your work computer. Avoid visiting websites that you are unsure about or that may not be trustworthy. If you’re uncertain about a site’s credibility, do not access it from a work device.
- Always assume responsibility for keeping data secure. If you have access to the data, you are responsible for its protection.
Computer security requirements evolve as new vulnerabilities and methods of compromise are discovered. Please check this page regularly to ensure your system remains as secure as possible.