OIT | OIT Security 

Risk Assessment

The following questions can be used to assess risk related to private University data such as patient health information, legally protected student data, credit card information, etc. For examples of private data and more information regarding measures that must be taken to protect private data, see the Securing Private Data Standard at:
http://www.umn.edu/oit/security/privatedata.html

For more in-depth assessments, an excellent eScan Information Technology Security Assessment Tool is available from the National Institute of Standards and Technology at:
https://cip.nist.gov/sat/

Risk Assessment questions for situations where private data is involved:

  • Is there a local data owner identified who is responsible for the data and can act as a local point of contact?
  • Are computers and other electronic devices continuously managed or reviewed for appropriate security measures by a full-time information technology professional?
  • Is appropriately supervised professional technical support staff available?
  • Are computer and other device configurations reviewed immediately after they are received from the vendor to make sure they meet security standards?
  • Is a process in place to assure that security patches and upgrades are applied for all software in use?
  • Are strong passwords or other authentication required for access?
  • Are lower-privileged “user” level accounts, rather than “administrator” level accounts, used for most daily activities like receiving email and web surfing?
  • Is data sent across the Internet encrypted?
  • Is private data stored on laptops encrypted?
  • Is an anti-virus program used with automatic daily updates?
  • Is a software or hardware firewall used?
  • Is physical access to electronic devices restricted?
  • Are laptops protected by an anti-theft tether cable?
  • Are security event logs configured and reviewed periodically?
  • Are servers registered for security vulnerability scans?
  • Are regular backups made with periodic off-site secure storage?
  • Are backup media secured against theft?
  • Has restoration from the backup media been tested?
  • Is secure deletion software used prior to disposal of hardware?
  • Are higher-risk services removed or severely limited in scope (e.g., FTP, peer-to-peer, instant messaging)?

The University of Minnesota is an equal opportunity educator and employer.