There are a wide variety of threats to university information systems and computing environments. In order to reduce the risk of compromise, and minimize the impact in the event of a compromise, the university has developed policies, standards, and guidelines to assist in improving security.
This document applies to all desktop and laptop computers in use at the University of Waterloo.
- The host-based firewall must be enabled.
- The operating system must be configured to receive automated updates.
- Threat protection (e.g. anti-virus and anti-malware) software must be installed, up-to-date and configured with real-time scanning.
- The system must be configured to enforce password complexity requirements on accounts.
- Application software should only be installed if there is an expectation that it will be used.
- Application software not in use should be un-installed.
- All application software must have security updates applied on a regular basis.
- Shared login accounts should be avoided. Shared login accounts are forbidden on multi-user systems where the manipulation and storage of Restricted information takes place.
- Users need to lock their desktops when not in use. This is normally accomplished by enabling a password-protected screen saver that is enabled automatically after a reasonable period of inactivity.
- Users should logout or shutdown if away from the the computer for extended periods of time.
Users are strongly encouraged to store information on campus file servers that meet the standards for secure hosting. Where this is not practical, users are responsible for:
- Ensuring that any confidential information stored locally on the system or on removable media is encrypted using approved encryption software.
- Performing regular backups, and securely storing such backups.
To help prevent the unintended disclosure of information:
- Anyone responsible for the management of a desktop or laptop computer should re-image that system before re-assigning to a different user.
- University of Waterloo's media disposal guidelines must be followed when equipment is destined for disposal/recycling.