University of Northern Iowa Administration and Finance
Windows Remote Desktop Services Activation Application

Date:
Name:
Department:
Telephone:
Location of Off-Site Computer:
Primary Off-Site Internet Service Provider (i.e., CFU, Mediacom, etc.):
Name of UNI Computer to be accessed:

1. Is the off-site computer a University owned/managed device (circle one)? YES NO

2. Describe how remote access will be used:

3. Will information protected by law (i.e., social security numbers, driver's licenses, credit card numbers, bank account numbers, etc.) be accessed from the remote location? If so, please describe:

4. My off-site computer has the following security software and configurations installed, active, and current:

Check if Present | Security Feature | Product Name (Please enter below)
 | Anti-Virus Protection (with autoprotect enabled) | Example: Symantec Antivirus v10
 | Automatic install of security updates | n/a
 | Windows Firewall is active | n/a

5. My offsite computer is running Windows 7, 8, or 10. If your offsite computer is a Mac, it is running OS 10.9, 10.10, or 10.11 (circle one). YES NO

Signatures and Approvals:

I have read the attached policies and guidelines regarding workstation requirements and understand my responsibilities with regard to proper handling of University data. Additionally, I verify that the off-site computer being used by me to remotely connect to a University computer has the minimum security specifications listed above.
Applicant Signature: Date:
Signature of Supervisor: Date:
Signature of Departmental Director: Date:

For processing, mail completed form to:
Director, AF Technology Services West Gym 206-0192

Last Updated November 2015

INFORMATION TECHNOLOGY SERVICES
ELECTRONIC INFORMATION AND NETWORK SECURITY POLICY

Purpose

This policy serves to create an environment that mitigates threats to the electronic information resources of the University of Northern Iowa (UNI) by improving the university's ability to prevent, deter, detect, respond to, and recover from internal and external compromises to its electronic information resources. These threats could violate the law as well as negatively affect business operations, data integrity, privacy, productivity, reputation, and property rights of not only UNI but also those with whom UNI interacts electronically.

Policy Statement

Electronic information and the UNI network are critical to the University's business operations. In order to maintain the stability and accessibility required for those operations and to protect university information including that obtained from employees, students, and guests (some of which is protected by law), the university must reasonably secure its electronic information resources. Each member of the campus community, depending on his or her responsibilities, shall play a role in mitigating the security risks associated with his or her use of electronic information and the UNI network. Information Technology Services (ITS) shall define the roles and responsibilities associated with this policy with the approval of the Policy and Planning Committee for Information Technology (PPCIT).

Definitions

PROTECTED BY LAW
All information assets for which there are legal requirements for preventing disclosure or financial penalties for disclosure. Data covered by Federal and State legislation, such as FERPA, HIPAA, Gramm-Leach-Bliley Data Protection Act, and Privacy Act are in this class.
CONFIDENTIAL
Information about current and former students, staff, and faculty that, although not protected by law, would cause severe damage to the University if disclosed or modified. Data considered Confidential includes information about: research subjects, clients, patrons, and donors; certain business operations, finances, legal and other operational matters of a sensitive matter; current, former, and prospective employees' information such as employment status, pay, benefits data, and other personnel information; information security data such as authentication, authorization, and usage records and information about security-related incidents.

INTERNAL USE ONLY
Information that requires protection but the sensitivity is less than with Confidential Data. This data could include internal memos, emails, and other documents where distribution is limited by the author.

PUBLIC
Information that can be disclosed freely to any person inside or outside the University.

Procedures

ITS shall use the following principles in developing roles and responsibilities:

- All Data Protected by Law and all Confidential Data must be identified and assigned a Data Custodian.
- Unless otherwise identified, information shall be assumed to be of Internal Use Only.
- Access to Data Protected by Law or identified as Confidential shall be granted on a Need-To-Know basis by the Data Custodian.
- Users are expected to maintain confidentiality of University Internal-Use and Confidential data regardless of security measures that have been employed.
- Users shall be provided training by Data Custodian on expectations, knowledge, and skills related to information security.
- Users electing to store Internal-Use data on local media (CD, local hard disk, PDA, etc.) shall be responsible for ensuring that its security, confidentiality and integrity are maintained per this policy.
- Data Protected by Law shall not be stored outside the University central administrative systems and should only be used for reports and data extracts as required by law.
- Data identified as Confidential shall not be stored outside the University central administrative systems without prior approval of data custodians and a server location certified by ITS as acceptable for storage. Such data shall never be stored on local workstations or laptops and may be used for reports and data extracts only as approved.
- Specific roles and responsibilities for all users of UNI data shall be defined, published and updated in the Electronic Information and Network Security Roles and Responsibilities document.

Enforcement

Violations of this policy shall be handled consistent with University disciplinary procedures applicable to the relevant person. Consistent with Acceptable Use and Network Policies, the University may temporarily suspend, block or restrict access to information or resources when it appears this action is necessary to protect the integrity, security, or functionality of University resources or to protect the University from liability.

INFORMATION TECHNOLOGY SERVICES
ELECTRONIC INFORMATION AND NETWORK SECURITY ROLES AND RESPONSIBILITIES

1. Faculty, Staff, and students with access only to their own information that is classified as Protected By Law, Confidential or Internal Use Only shall:

- Maintain familiarity with and adherence to University Policies.
- Create and secure strong passwords that meet recommended standards (even if these standards are unenforceable). Do not share your password with others or write it down and store it in places that are accessible to others. Passwords should be at least 8 characters and composed of uppercase and lowercase letters, numbers and punctuation characters when supported.
- Secure desktop, laptop, and PDAs both physically and via network access.
- Be sure that Operating System and critical applications are patched and up to date. Your Information Service Provider may have an automated way of doing this.
- Be sure that generic accounts and passwords that come from vendor and software vendors are disabled.
- Use a physical security device if you are using mobile technology in public locations.
- Configure Remote Access to your workstations, if used, to prevent unauthorized access. Restrict remote access to central authentication methodologies that support account lockout. Consult with your Information Service Provider before enabling any Remote Access to your workstation.
- Log off of an application and lock your workstation upon inactivity.
- Ensure that Anti-Virus and malicious code protection is installed on your system and set to receive automatic updates from university or vendor servers. Software should be configured to provide active protection and scheduled to search for vulnerabilities on a daily basis. Users need to remember that many viruses and much malicious code is distributed via email and from web downloads. Users should not open attachments, run executables, macros or scripts or download files from the Internet if they don't know the source and integrity of the file.

2. Faculty, Staff, and students who have access to personal information other than their own that is classified as Protected By Law, Confidential or Internal Use Only shall:

- Meet all requirements from 1 above.
- Not download or store data that is Protected By Law on local hard drives or local servers.
- Ensure that Confidential and Internal-Use only information is not distributed or transmitted to persons who are not authorized to access the information. This applies to all copies of the information.
- Confidential information that is transported physically or electronically must be protected from unauthorized access. For electronic transmission appropriate encryption is required if that information is sent over public networks.
- Confidential Information should not be sent via E-mail. Information Service Providers are responsible for determining and implementing appropriate encryption for data transmitted from central services.
- Ensure that the destruction and disposal of information is done in such a manner to ensure it cannot be retrieved or recovered. For Protected By Law and Confidential paper documents shredders are highly recommended. For electronic documents be sure to use software that wipes and rewrites electronic media containing Protected By Law and Confidential electronic data.

3. Faculty, Staff, and students who store Confidential information on local hard drives or servers shall:

- Meet all requirements from 1 and 2 above.
- Obtain permission from Data Custodian and ITS Information Systems identifying data elements and storage location.
- Store information, whether computerized or on other media, in a place that provides a level of protection commensurate with the classification of the data and risk faced by the university should compromise occur.
- Confidential data must be encrypted if stored on local computers and must not be taken off campus unless you can ensure appropriate protection.

4. Faculty and staff who manage servers containing Internal Use Only or Public data shall:

- Meet all requirements from 1, 2 and 3 above.
- Implement specific information security policies surrounding access to information stored on their systems via information technology.
- Assure integrity for data and information technology, systems and network.
- Take steps to actively protect and monitor systems. This includes up-to-date patch management, intrusion detection software, anti-virus software and active logging of activity, on-campus and off-campus access for users and administrators.
- Assure that information technology authentication and authorization systems are appropriate and consistent with university standards and managed responsibly.
- Develop disaster recovery, backup and record retention plans.
- Report incidences of known compromises.
- Provide physical security commensurate with the value of the data and risk faced by the university should compromise occur.

5. Faculty and staff who manage servers that contain Protected By Law or Confidential information, including domain controllers and other authentication systems:

- All requirements from 1, 2, 3 and 4 above.
- Obtain permission from Data Custodian and ITS Information Systems identifying data elements and storage location.
- Acquire and operate software designated by the university as necessary for protecting Protected By Law or Confidential data.

6. Data Custodians who are assigned primary responsibility for particular information shall:

- Establish security policy and procedures regarding specific data.
- Assign classification to their information and mark appropriately.
- Determine authorization for access.
- Keep records of authorization.
- Report security incidences of known compromises.
- Offer appropriate training for university users of this information. Determine who should receive, content of training, arrange for training opportunities.

7. Information Security Staff:

- Stay current on evolving security threats, security standards, evolving State and Federal laws and guidelines regarding information security.
- Establish campus standards for securing University information.
- Work with Information Service Providers to implement standards.
- Investigate and report on Security Incidences.