Public Health IT Policies

The following policies apply to all employees of the School of Public Health. All users of the school’s computer resources are expected to know and follow these policies.

01-01 Computer Access and Use Policy

CATEGORY:  SUPPORT SERVICES
SECTION:  Computing, Information, and Data
SUBJECT:  Computer Access and Use
EFFECTIVE DATE:  April 2023 Revised
PAGE(S):  1

I.    SCOPE

This policy establishes restrictions regarding the access and use of University-owned and maintained computers, computer systems, computer networks, electronic communications facilities, and other related computing facilities and devices used to store and process data, text, and software used by the University.

II.   POLICY

The School of Public Health will refer to University of Pittsburgh Technology Policy 10-02-05 for Computer Access and Use and follow all policies therein.  

01-02 Data Security Policy

CATEGORY:  SUPPORT SERVICES
SECTION:  Computing, Information, and Data
SUBJECT:  Data Security Policy
EFFECTIVE DATE:  April 2023 Revised
PAGE(S):  4

I. SCOPE

This policy is designed to protect data located on Public Health computers and computer systems from viruses and other malicious code, and to prevent data loss in the event of a computer being lost or stolen.  This policy is also intended to prevent damage to applications, data, files, and hardware. 

Data confidentiality is a critical component of security.  A good understanding of data types, their risk levels, and minimum-security precautions is necessary to prevent unauthorized access.  Refer to http://technology.pitt.edu/security/data-classification-matrix for an overview of University guidelines on data classification and security.  Also, refer to the University of Pittsburgh’s HIPAA Compliance policy document 07-02-06.

The policies listed below aim to provide as much data security as possible.  There are many different avenues of attack; therefore, different protections must be in place to help protect data.

This policy applies to all employees of the School of Public Health, as well as vendors, contractors, partners, students, collaborators and any others doing business or research with the School.  In addition, any other parties who use, work on, or provide services involving Public Health computers and technology systems are subject to the provisions of this policy.  It is required of every user of the School’s computer resources to know and follow this policy.

II. DEFINITIONS

Anti-Virus software is a program or set of programs installed on a server or workstation and used to detect, prevent, and remove malicious software.  Anti-virus software is generally reactive, meaning a signature file must be developed for each new virus discovered and these virus definition files must be uploaded to the software in order for it to scan for the most recently released malicious code.  Anti-virus software is available for download from the My.Pitt portal.

Desktops are computers that are accessed by users on a daily basis.  They are not intended to be moved and are located behind locked doors.

Desktop management software is software that is used to inventory computer software and hardware.  It also automates the update process for several applications.  Furthermore, it provides checks for potential security risks that may otherwise go unnoticed.

Laptops are computers that are operated by users on a daily basis.  They are intended to be moved to different locations and may be exposed to situations where theft could occur.

Malicious software is any type of computer code that infects a machine and performs a nefarious action.   Computer viruses, worms, trojans, and ransomware are all examples of malicious software. 

Mobile devices are small and easily transportable.  They are generally moved to different locations and may be exposed to a high risk of theft.  Examples of these devices include tablets and smart phones.  

Servers are machines that are used to centrally store data or run applications.  Users do not work directly on these machines.  They are not intended to be moved and are protected behind locked doors.

III. POLICY

Servers

  1. All servers will be managed either by the Public Health IT group or by PITT IT, which will provide the following: 
    • Management of Microsoft updates. 
    • Management of overall system health, including hardware, software, events, and performance monitoring. 
    • Management of anti-virus software. 
  2. All servers will have security software (anti-virus and anti-malware) installed and configured to automatically update definition files. These programs must be actively running, and it is imperative that these processes are not disabled or impeded in any way. 
  3. A full disk virus scan will be periodically conducted with findings reported to an internal server. 
  4. All files on the server will be scanned periodically for personally identifiable information.  All files found with personally identifiable information will be removed unless the server has been designated to store such information by PITT IT. 
  5. All servers will have desktop management software installed.  This software is NOT to be disabled, modified, or removed. 
  6. Any server that is using an operating system that is no longer supported must be upgraded or decommissioned. 
 

Desktops

  1. All desktops will be managed by the Public Health IT group, which will provide the following: 
    • Management of Microsoft updates. 
    • Management of software updates. 
    • Management of overall system health, including hardware, software, events, and performance monitoring. 
    • Management of anti-virus and anti-malware software. 
  2. All desktops connected to the network will have security software (anti-virus and anti-malware) installed and configured to automatically update definition files. These programs must be actively running, and it is imperative that these processes are not disabled or impeded in any way. 
  3. A full disk virus scan will be periodically conducted with findings reported to an internal server. 
  4. Desktops that access confidential or PII data will be encrypted.   
  5. Standard user accounts will be required to limit exposure to and the installation of malicious software. 
  6. All desktop computers will have desktop management software installed. This software is NOT to be disabled, modified, or removed. 
  7. Any desktop computer using an operating system that is no longer supported (End of Life) must be either upgraded or decommissioned. 

Laptops

  1. All laptops will be managed by the Public Health IT group, which will provide the following: 
    • Management of Microsoft updates. 
    • Management of software updates. 
    • Management of overall system health, including hardware, software, events, and performance monitoring. 
    • Management of anti-virus and anti-malware software. 
  2. All laptop computers connected to the network will have security software (anti-virus and anti-malware) installed and configured to automatically update definition files. These programs must be actively running, and it is imperative that these processes are not disabled or impeded in any way. 
  3. A full disk virus scan will be periodically conducted with findings reported to an internal server. 
  4. All laptops will be configured with encryption software to protect all data on the device. The encryption software is not to be disabled, modified, or removed. 
  5. Standard user accounts will be required to limit exposure to and installation of malicious software. 
  6. All laptop computers will have desktop management software installed.  This software is NOT to be disabled, modified, or removed. 
  7. Any laptop using an operating system that is no longer supported (End of Life) must be either upgraded or decommissioned.   

Mobile Devices

Currently, mobile devices are not managed by the School of Public Health.  If the use of such a device is required, collaboration with the Public Health IT group will be necessary to recommend the best hardware and current protections available for the device. 

All Devices

  1. Confidential data will NOT be stored on USB or external devices without encryption.   
  2. If a device has become infected or compromised, it will be disconnected from the network until the infection has been removed.  Data loss may occur depending on the severity. 
  3. Any local accounts created on devices will use complex passwords.  Contact Public Health IT for details. 
  4. Local accounts are not to be modified without the permission of Public Health IT. 
  5. Disabling or modifying any security software or security policy is prohibited without the permission of Public Health Technology Services. 
  6. It is not permissible for anyone other than a workstation’s primary user, that user’s supervisors, or IT personnel to access a workstation or resources on the University network, as harm could inadvertently be done to Public Health or University resources, assets, or research. 
  7. All devices must be locked when not in use. 
  8. The installation of hardware on any device without permission is prohibited. 
  9. The installation of any software is not permissible without the permission of the Public Health IT group. 
  10. University approved services and software must be used for all University work. Approved service providers ensure adequate data protections and support in the case of issues involving University data. Services like OneDrive, DocuSign, Qualtrics, Office 365, Microsoft Teams, Zoom, etc., are all examples of approved service providers. 

Exceptions to this policy may be granted if a user and/or installed software cannot operate under these policies.  Each exception will be evaluated to determine the risks associated with omitting specific protections.  Users that require exceptions will be required to undergo training to understand the risks and develop habits and strategies to mitigate those risks.  These users will also be required to sign an annual agreement. 

This policy will not supersede any University of Pittsburgh policies but may introduce more stringent requirements.  

01-03 Software Licensing Policy

CATEGORY:  SUPPORT SERVICES
SECTION:  Computing, Information, and Data
SUBJECT:  Software Licensing Policy
EFFECTIVE DATE:  April 2023 Revised
PAGE(S):  2

I. SCOPE

This policy sets forth the framework to secure the software installed on all School of Public Health computers and computer systems. Unpatched software security flaws leave computing systems vulnerable to nefarious attacks and increase the potential for data theft.

Licensing is an important aspect of software security. Appropriate licensing must be observed to protect computers and avoid fines.  Illegal or improperly licensed software cannot be updated. Unpatched security flaws increase the possibility of data theft.  Regular audits are performed to reconcile software purchases against installed software titles and versions.  Improper licensing can lead to fines for the University and the user.

This policy applies to all employees of the School of Public Health.  Every user of the School of Public Health’s computer resources is expected to recognize and respect this policy.

II. DEFINITIONS

Software licensing is the purchase of one or more licenses allowing for the permissible and legal use of a software title.  Typically, a licensed software title is purchased on a per user basis, but it can also be executed per computer, per department, per school, or across the University as a whole.

University computer/computing device is one purchased with University funds (through a direct purchase requisition or a reimbursement of monies through a University account).

III. POLICY

License Purchases

All license purchases should be submitted/approved through the Public Health IT group to ensure the correct number/type of licenses are ordered. For those products that require license renewals (usually annually), notifications are generally received by the software purchaser. Software renewals are to be reconciled with the user's School/Department.

License Usage

  • All University computers require the appropriate licensed software from Pitt Software Distribution Services (SDS) or from an approved software vendor via purchase requisition. All terms of the license agreement are to be enforced. Read the terms and conditions for departmental use of licensed university software.
  • Prompt payment of annually renewable SDS software license fees is expected and required. Expired software titles must be removed from the applicable workstation. 
  • Illegally installed software discovered on a University-purchased computer will be removed immediately and the user will be required to purchase the appropriate license for installation.
  • Installation of Pitt student-licensed software onto ANY University-purchased device is forbidden! Student-licensed software is intended for individual student use on said individual’s personal device. Violation of the Software Compliance for Students policy can result in disciplinary action.

This policy will not supersede any University of Pittsburgh policies but may introduce stricter requirements.

01-04 Computer Hardware Purchasing and Replacement Policy

CATEGORY:  SUPPORT SERVICES
SECTION:  Computing, Information, and Data
SUBJECT:  Hardware Purchasing and Replacement
EFFECTIVE DATE:  April 2023 Revised

I. SCOPE

This policy is designed to provide the accepted procedures for computer hardware purchases and data transfers to a new computer.

This policy applies to all employees of the School of Public Health.  Every user of the School’s computer resources is expected to know and follow this policy. 

II. DEFINITIONS

Hardware refers to any computer device, including, but not limited to, servers, desktops, laptops, monitors, printers, and tablets.

III. POLICY

Hardware Purchases

All hardware purchases should be submitted through the Public Health IT group to ensure that the computer configuration will meet the needs of the user. All computer purchases shall follow Public Health IT and PITT IT recommendations and guidelines.

Exceptions to this policy may be granted.  Each exception will be evaluated on an individual basis.   

Hardware Replacement

Hardware replacement will follow these guidelines:

  1. Any request for a permanent static backup of the replaced unit’s hard drive (either partial or full image) will require the user to purchase an external drive that will be encrypted and to which the data will be copied. 
  2. A backup of the device data or the original hard drive will be stored by the Public Health Technology Services Group for two weeks.  This will ensure that any missed data can be retrieved and copied to the new device. 
  3. Data stored on an old device will be copied to the new device.   

Retired Hardware

Hardware marked for retirement will be sent to University surplus.  Typically, retired hardware will have data wiped from the hard drive and/or the hard drive removed and sent for physical destruction.  Users that wish to take retired hardware for personal use will be required to complete a request form, indicating all serial numbers/service tags of the requested equipment.

It shall be understood that the requester will receive the device (computer) after the hard drive has been wiped clean and restored approximately to its original factory build. It is also understood that the requester is responsible for the proper application, transfer or purchase of any and all software titles for said device. 

This policy will not supersede any University of Pittsburgh policies but may introduce more stringent requirements.