This page contains general standards for workstations and mobile devices in compliance with UCF security policies and best practices. These standards give departments an understanding of what they should be doing to protect computer systems against attack and loss of data.


Common Computing Standards For All Systems And Devices

  • User account passwords must be changed at least once every 60 days
    • Use a strong password of six or more characters made up of letters, numbers, and symbols
  • Enable screen lock-out or automatic account time-out on your systems and devices that activates after 10 to 15 minutes of idle time
    • General classroom computers may be set for a longer time period, but should not be longer than 30 minutes.
    • High-traffic, publicly accessible computers may be set to a shorter time period, such as 5 minutes.
  • Set BIOS password to protect alteration of boot up procedures
  • All computing devices with firewall capabilities must have the firewall enabled and allow only the specific protocols required by the applications running on them. There may be exceptions, such as Microsoft Domain Controllers, which everyone needs to connect to. Database servers must be firewalled and only specific access granted to them
    • Major operating system vendors provide firewall software at no cost:
      • Windows firewall
      • Mac firewall
      • *nix IP filters
  • All data on computing devices must be erased before the device is transferred or surplused. We recommend the following software to erase drives:
  • Disable unnecessary protocols, such as NetBIOS, IPv6, etc. Enable only what is necessary and required.
  • Disable all unused wireless communication technologies (e.g. Wi-Fi, Bluetooth, infrared) on devices
  • In general, for end-user devices, configure them to automatically receive and install operating system and application updates from our local sources
  • Run the latest compatible OS version
  • Install the latest compatible service packs and security and application patches
  • Remove administrative privileges from user accounts
    • Administrator level accounts should be used only for administrative purposes
  • Make frequent backups of your data and securely store them using encryption technologies. Encryption is required for restricted data
    • Periodically test backups for integrity
  • System records generated by server services, such as web logs and DHCP logs, must be kept for at least 6 months in the event of an investigation or if we need to respond to a third party
  • Transmit restricted data (refer to the Data Classification Policy) by using only secure methods, such as SSL, SSH, etc.
    • Do not use e-mail, ftp, http, or telnet

Common Guidelines For All Systems and Devices

  • All computing devices capable of running antimalware software must have antivirus software installed and kept up to date. We recommend the following antivirus software:
    • Symantec
    • McAfee
    • Kaspersky Lab
    • Microsoft Forefront Security
      • Centrally managed antivirus software is strongly recommended
    • Microsoft Endpoint Protection MS Windows
    • Sophos A/V/Endpoint Protection for Macs  
  • If there is a strong business reason for having restricted data on a PC or mobile device, restricted data must be protected by disk encryption technologies. Storage of restricted data on a mobile computing device must be approved in writing by the employee’s dean, director, or vice president and based on a legitimate business need. We recommend the following encryption technologies:
    • PGP Desktop (Windows, Mac)
    • TrueCrypt (Windows, Linux)
    • BitLocker (Windows)
    • FileVault (Mac)
      • Care must be taken to protect access keys and passwords in order to recover data and information
  • Asset recovery software is strongly recommended for mobile devices that can run such technologies, e.g. laptops, especially for end-user devices containing restricted data. In the event of a theft, use of such technology enables authorities to locate and retrieve the asset. We recommend the following asset recovery technologies:

Standards for Mobile Devices

  • Storage of restricted data on a mobile computing device must be approved in writing by the employee’s dean, director, or vice president and based on a legitimate business need. Follow the guidelines above for proper protection of restricted data.
  • VPN technologies must be used, i.e. the UCF Virtual Private Network (VPN), when accessing restricted resources from insecure networks such as publicly accessible wireless hotspots or public Internet service providers (ISPs).

Windows Workstation Standards

  • Do not save restricted data on workstations
  • If there is a strong business reason for having restricted data on a workstation, restricted data must be protected by disk encryption technologies. Follow the guidelines above for proper protection of restricted data.
  • Do not share folders on a workstation
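The following read-only PowerShell audit is an added example, not part of the UCF standards page, that checks a Windows workstation against the common standards above (screen lock within 15 minutes, firewall enabled, no unnecessary protocols such as NetBIOS, no user accounts with administrative privileges, 60-day password age) and the Windows workstation standard of no shared folders. It assumes Windows 10/11 with the built-in NetSecurity, SmbShare and LocalAccounts modules; the thresholds are the page's values, and it only reports deviations rather than changing anything.

```powershell
# Added example (not from the UCF page): report deviations from the
# workstation standards. Read-only; thresholds are taken from the standards.
$findings = New-Object System.Collections.Generic.List[string]

# Screen lock: secure screen saver active, timeout no longer than 15 minutes.
# Values pushed by Group Policy live under HKCU:\Software\Policies\... instead.
$d = Get-ItemProperty 'HKCU:\Control Panel\Desktop'
if ($d.ScreenSaveActive -ne '1' -or $d.ScreenSaverIsSecure -ne '1' -or
    [int]$d.ScreenSaveTimeOut -gt 900) {
    $findings.Add("Screen lock not secure or timeout over 15 min ($($d.ScreenSaveTimeOut)s)")
}

# Firewall: every profile enabled and blocking inbound traffic by default.
Get-NetFirewallProfile | ForEach-Object {
    if (-not $_.Enabled -or $_.DefaultInboundAction -ne 'Block') {
        $findings.Add("Firewall profile $($_.Name) disabled or not blocking inbound")
    }
}

# No shared folders: only the hidden administrative shares (Special) may exist.
Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
    $findings.Add("Shared folder '$($_.Name)' -> $($_.Path)")
}

# Administrative privileges: flag anything but the built-in Administrator.
# On a domain-joined machine, domain groups listed here should be reviewed too.
Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.Name -notmatch '\\Administrator$' } | ForEach-Object {
        $findings.Add("Extra member of Administrators: $($_.Name)")
    }

# Unnecessary protocols: NetBIOS over TCP/IP disabled on every IP-enabled
# adapter (TcpipNetbiosOptions: 0 = DHCP default, 1 = enabled, 2 = disabled).
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Where-Object { $_.TcpipNetbiosOptions -ne 2 } | ForEach-Object {
        $findings.Add("NetBIOS enabled on adapter: $($_.Description)")
    }

# Password age: local account policy must expire passwords within 60 days.
# "Unlimited" leaves no digits after the replace and is reported as a deviation.
$maxAge = (net accounts | Select-String 'Maximum password age').ToString() -replace '\D', ''
if ($maxAge -eq '' -or [int]$maxAge -gt 60) {
    $findings.Add("Maximum password age is '$maxAge' (must be 60 days or less)")
}

if ($findings.Count -eq 0) { 'COMPLIANT: no deviations found' }
else { $findings | ForEach-Object { "DEVIATION: $_" } }
```

Run it from an elevated PowerShell session, since the firewall, share and local group queries need administrative rights.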