Understanding Workstation Security Standards for Remote Work

Overview

All workstations used for remote work must adhere to the University’s security standards below. Only University-managed devices may be used to transmit, process, or store Restricted Data.

Category	Standard
Physical	University-owned workstations may only be used by University employees and for business purposes only Be conscious of your work environment and who may be able to see your screen or hear your calls
Operating System	Only supported operating systems may be installed The operating system must be configured for automatic updates, so that patches are applied at least monthly Only install and configure services that are required No workstation should be configured to run as a server of any kind
Applications	Only authorized, supported, and properly licensed software can be installed Any application updates and patches should be applied at least monthly When possible, applications should be configured to update automatically File sharing software must not be installed
Authentication	Enterprise Active Directory must be used for authentication whenever possible All systems must have a password-protected screensaver configured to launch after a minimum of 15 minutes of inactivity
Malware Protection	All systems must use endpoint protection software that is kept up to date. Please see https://www.technology.pitt.edu/software/antivirus-and-anti-malware-malwarebytes-protection
Network Protection	The workstation must use a wired ethernet connection or an encrypted wireless router Public networks must be used with a VPN (GlobalProtect) Ensure the default passwords for private wireless routers have been changed to a strong password A host-based firewall should be installed and configured to block unnecessary inbound ports The workstation should be disconnected from the University’s network when daily remote work is complete
Encryption	All laptops must utilize hard disk encryption such as BitLocker or FileVault Removable media used to store high-risk data must be encrypted
Cloud Storage	Only authorized cloud storage services may be used to store University data Please see our Data Classification Compliance chart and Security Guides at https://services.pitt.edu/TDClient/33/Portal/KB/ArticleDet?ID=44
Data Destruction	Any printed copies of high-risk data must be shredded before disposal When no longer needed, hard drives and removable media must be securely sanitized or destroyed and not simply discarded
Training	Learn the basics of protecting University information assets by taking the Security Essentials training course Please see https://www.technology.pitt.edu/security/information-security-awareness-training