Syracuse University's S0106 - Secure Data Access Standard defines required tools and practices to ensure that faculty and staff can access University data from remote locations in a secure manner. University Data, which is fully defined in the Syracuse University Information Security Standard, can generally be grouped into three, broad categories:
- Confidential Data: This category includes the most sensitive data (example: Social Security numbers, credit card data and other personally identifiable information (PII)) and requires special protection.
- Enterprise Data: This category includes sensitive information (example: university pay records, other infrastructure plans, and other business records) that must be protected.
- Public Data: This information is generally widely disseminated and can be accessed without higher levels of security protection.
Different security requirements apply to each of the categories of data. The objective of the University's secure data access standards is to keep University data on internal, secure systems whenever possible and apply high levels of security in the rare cases when sensitive data must be moved to or viewed on unmanaged systems.
Level 1 - Basic Minimum Computer Security Requirements:
The requirements below apply to all computers that are used to access University data.
At a minimum, all devices used to access University data must:
Desktops and Laptops:
- Have unique usernames and passwords configured for each user of the system.
- Have patches and updates applied automatically.
- Be running anti-malware software with updates being applied automatically (either as provided by the operating system or a 3rd party product).
- University owned laptops must also have full disk encryption enabled. It is HIGHLY recommended that personally owned laptops have full disk encryption enabled.
Mobile Devices (smartphones/tablets):
- Require a PIN, password or biometric logon at the device level, (i.e. not just at the application level)
ITS also highly recommends that all employees, who use their own computers to access University data, adhere to the safe computing practices.
Level 2 - Elevated Access with managed device - Computer Security Requirements:
Faculty and staff members who need access to university resources while using their university managed devices fall into this category. For this type of acecss:
- The computer must be managed by University IT staff.
- Whole disk encryption must be applied to the system and must be installed by University IT staff.
IMPORTANT NOTE: Level 2 Computer Security Requirements presume that only university managed laptops are used to access campus and all of the enterprise and confidential data which the employee can access remains within campus boundaries (on campus servers/machines). If that is not the case, then the employee is required to adhere to Level 3 Computer Security Requirements.
Level 3 Elevated Access with an unmanaged endpoint (Maximum Requirements):
These requirements apply to faculty and staff who directly access enterprise and/or confidential data and/or transport such information off campus, either by using a remote computer or device, an unmanaged laptop computer, or any type of removable media.
Requirements for those who need direct, remote access to file shares containing enterprise data or other access that may bring the data onto the remote computer:
- All the requirements from basic level.
- The user must attend traning as defined in the Data Access Authorization Process on the risks involved in data access.
IMPORTANT NOTE: Level 3 security access should only apply to a small number of SU faculty and staff members.
Technical Note: When high-level security access involves Windows file shares, IT staff will need to customize the computer's VPN/SURA configuration. By default, staff members do not have access to AD file shares that hold home directories or other departmental shares. Faculty members currently do have such access.
For complete information on handling removable media, please review the following University standards: