Regulated Computer Policy
Security and Management Requirements for Computers Housing Sensitive Data
on the University Network
October 2003
A great deal of important and sensitive data now resides on computers
throughout the University. This has fostered a substantial number of
Web-based services and local uses of information. Unfortunately, it
also had made those sensitive data vulnerable to compromise that is,
to unauthorized access and/or manipulation, sometimes for nefarious
purposes.
The risk of compromise is serious and increasing. In general,
individuals and departments should avoid keeping sensitive data on
local servers or workstations. Rather, it is best to rely on data that
are stored in centrally-managed systems, or to store sensitive data in
centrally-managed, secure files.
Sometimes storing data on local servers or workstations is unavoidable,
despite the risk. To minimize exposure, on both the University's behalf
and that of individuals, it is critical that computers containing or
having automatic access to sensitive data prevent unnecessary and
unauthorized access. They must be managed carefully, thoroughly, and
professionally. Until now this responsibility has been left to
individual or departmental discretion. The risks have grown substantial
enough to require University policy.
Effective from 1 January 2004, computers that contain sensitive
data (called “regulated computers” in what follows) may not be connected
to the network unless they satisfy security and system-administration
requirements. The same requirement applies to University contractors,
even if the computers in question are not directly on the University
network.
See the definition of a regulated computer to find out if your computer qualifies.