Secure System Usage

Computer system security is everyone's responsibility. Please use the information provided in this memo as a guideline while working on computers that access ORI applications.

Passwords

Passwords are an important aspect of computer security. Compromise of a password can compromise sensitive data as well as the enterprise wide network itself. All ORI application users must use their own password and are responsible for taking the appropriate steps, as identified below, to select and secure their password(s).

  • An individual account is issued to an individual and is not to be shared with any other individual or group.
  • A shared password is considered to be a compromised password and must be changed immediately.
  • Take adequate measures to prevent unauthorized personnel from obtaining your password, including guarding against "shoulder surfers".
  • Observe whether the date and time of the last login reported is reasonable when you login to Faculty Central.
  • If you have been given access to several systems you may use the same password for each system.
  • If you think your password has been comprised, contact the ORI Information System Security Administrator (ISSA) immediately.

Only strong passwords, defined as follows, are permitted:

  • Minimum for user accounts is six characters
  • Contains at least two letters and one non-letter
  • Must start with a letter
  • Must be changed at least every 180 days or when it is believed to have been compromised, whichever comes first
  • Must not be re-used in less than three years

Please Do Not:

  • Share your passwords with anyone, including administrative assistants, managers and IT staff
  • Reveal a password over the telephone or in an e-mail message to anyone, including technical support staff
  • Say a password in front of others
  • Use an initial password more than once before changing it
  • Write a work related password down
  • Store an unencrypted password on any computer system (including on a PDA)
  • Use the same ID and password for ORI accounts and for non-work related accounts

f you need assistance resetting your password, Duke Health users should contact the DHTS Help Desk at (919) 684-2243. Campus users should contact the OIT Help Desk at (919) 684-2200.

Workstation/Application Use

It is your responsibility to:

  • Arrange computer monitors so that, as much as possible, they are facing only the individual working on them.
  • Not permanently disable or remove virus protection software from any workstation.
  • Not leave a workstation unattended in a logged on state. Exit all programs containing sensitive information and either log off or lock the workstation prior to leaving it unattended.
  • Retrieve printed sensitive information immediately upon printing, when printer is in an area shared with others.
  • Ensure that any mobile workstation, (e.g. a laptop, handheld, etc.) is returned to a physically secure environment when not in use.
  • Not attach a modem to a workstation for dial-in access. Remote access should be established through the use of appropriate remote control software and an approved secure communication channel (e.g., VPN).

If you are responsible for administering user accounts for an ADG application, you must:

  • Ensure that ORI application users in your area of responsibility have been educated on the proper use of accounts/passwords and appropriate workstation/application use.
  • Notify the ORI Information System Security Administrator (ISSA) when any user leaves the Department or Duke so that their user account is disabled.

Stand-Alone Media Handling and Disposal

Stand-alone media is any media that is not integrated into equipment (e.g., floppy disks, CDs and zip drives). Such media containing sensitive information must be handled securely. If you need to dispose of stand-alone media contact your supervisor or manager about approved disposal techniques.

Encryption

No form of data from any ORI application should be sent outside of the protected network without encryption. If you have questions about encryption packages, contact the ORI Information System Security Administrator (ISSA).

Acronyms used in this guide:

ORI - Office of Research Informatics
ISSA - Information Security System Administrator - the person responsible for escalating security incidents.
PDA - Personal Data Assistant, also known as a Palm Pilot, Pocket PC, or handheld
VPN - Virtual Private Network - used to connect to Duke resources from outside Duke
DHTS - Duke Health Technology Solutions - IT department for Duke Health
OIT - Office of Information Technology - IT department for Campus