Workstation, Portable Computer, and PDA (Personal Digital Assistant) Security
Number: ENT-SEC-112
Established for: State of Montana Information Technology Enterprise
Steve Bender, Acting Director
Department of Administration
Jeff Brandt, Acting Chief Information Officer
Information Technology Services Division
Department of Administration
October 2004
Policy - Requirements
SCOPE
This policy applies to all computers that are owned by the state and/or are connected to state resources. This policy does not apply to colleges and universities, the Commissioner of Higher Education Office, or public access computers in libraries.
PURPOSE
This policy is intended to establish minimum standards for the security of workstations, portable computers and PDA's owned by the State of Montana.
DEFINITIONS
Portable - for the purposes of this policy, a portable computer includes a laptop, pocket PC, tablet, or notebook.
REQUIREMENTS
Computer users are responsible for maintaining the physical security of their own workstation, portable computer, and/or PDA and for following the security requirements implemented by the Department of Administration and by the agency at which they are employed. Workstations, portable computers, and PDA's should be kept out of sight and covered when stored in a vehicle.
Any software installed on workstations, portable computers or PDA's that uses script files must not contain a userID or password for the state's computer system.
Workstations with unattended processes running on them must have some type of screen saver with password protection or keyboard locking program enabled on them.
Portable computers MUST be transported as carry on luggage when traveling by plane or bus, unless the carrier requires otherwise.
All workstations, portable computers, and PDA's must be updated with the latest security patches, virus scanning software and virus data files. Agencies are responsible for installing the patches, virus scanning software and virus data files on their devices. Patches and updates to virus data files should be installed through an automated process if applicable.Agencies are required to install patches for high-risk vulnerabilities within 48 hours of notification.
Firewall software must be installed, updated, and used according to standards set by the security committee on all portable computers used to connect outside of the state (Internet) firewall.
All PDA's used to connect directly to state computers must be state owned. Exceptions to this must be documented and approved by ITSD.
Background - History on the creation of or changes to this policy
This policy was originally created by the NetWare Managers Group Policy Committee. This policy was updated by the Security Section of ITSD in January 2002 and reviewed with the Information Technology Managers Council prior to adoption.
Guidelines - Recommendations, not requirements
If highly sensitive or confidential information is stored on a portable computer or PDA, the data should be encrypted.
In accordance with ENT-SEC-071, the following information should appear on portable computers when powered on: "This computer is the property of the State of Montana, Department of xxxxxxx and subject to the appropriate use policies located at: http://itsd.mt.gov/policy/itpolicy.asp. Unauthorized use is a violation of 45-6-311, MCA."
Power on or system passwords should be used on workstations that are in highly accessible areas and on portable computers. Power on passwords should be provided to the Network Administrator and kept in a secure place.
Patches and updates should be completed with an automated process if applicable.
References - Laws, rules, standard operating procedures and applicable policies
2-17-534, MCA; 2-15-114, MCA; 45-6-311, MCA; 1-0250.00, MOM