
Staff Work Space & Device Security

University information has been classified into four high-level categories that are detailed in UniSA's information security policies and guidelines:

  • Public Data can generally be made available or distributed to the general public;
  • Internal Information is for general internal University use only and not for external distribution (internal information may be accessed by authorised staff and students);
  • Confidential Information is for internal use only with access only by staff who require it in the course of performing their University responsibilities (confidential information includes information that is protected by Federal and/or State legislation); and
  • Restricted Information which is to be kept strictly confidential with access on a strictly “needs to know” basis.

UniSA staff need to ensure that 'soft' copies (electronic copies, accessed and/or read on a screen) of the University's data are secure (whether on or off campus, and whether on a UniSA-owned or personal device), and be aware that security can also be breached when 'hard' copies of data are photographed from your screen or desk, or 'collected' by another party from a printer.

A clear desk assists in clear thinking, enables you and your colleagues to find items quickly, and promotes a more professional image to visitors. Maintaining a clutter-free workspace can also help to reduce workplace accidents and falls.

Tips on how to keep your desk and surrounding workspace clear of paper and clutter include:

  • Papers containing Confidential or Restricted information should be kept locked away if you are working on them but are temporarily away from your desk. A locked drawer is suitable for this purpose, or, if you have your own office, locking the door to your office will serve the purpose.
  • Post-its should not be used to record Confidential or Restricted information, such as passwords or other similar information.
  • If large numbers of files are required, a lockable filing cabinet should be procured. When you are finished with a file, it should be filed away and the filing cabinet locked as soon as possible.
  • Don't print out emails or papers only to read them and throw them away.  Only print what you absolutely need a hard copy of.
  • Always clear your desk before you leave for the day.  This will ensure information is not left unsecured, and you will be ready to commence work when you arrive the next morning.
  • All waste-paper containing Confidential or Restricted information must be shredded or placed in 'confidential waste' bins. Under no circumstances should this type of waste paper be thrown away in normal waste or recycle bins.

A clear screen works in a similar way to a clear desk and allows you to think more clearly:

  • Close any applications or windows that are not required.  Any that are required on an ongoing basis (e.g. Outlook) can be minimised to reduce clutter on your PC desktop.
  • Every time you leave your desk, even if only for a few minutes, you should lock your screen (on your keyboard press the Windows and L keys at the same time). A quick chat or coffee break can turn into an extended time away from your desk, and it only takes a moment for information or data to be stolen or corrupted.  University computers are configured to require a password to unlock, and this should not be disabled.

ISTS have developed a policy for workstations that can protect you and the University by automatically locking your workstation after 5 minutes of inactivity.

It is recognised that some workstations may be used in a way that is not compatible with this policy. If a workstation needs to be exempted from the policy raise a call with the IT Help Desk, stating your business case, machine blue plate and the location of the computer. Our Security team will then review the request and if the business case is sound an exemption will be enabled for that workstation.

If you walk away from your workstation and do not lock it or log off, it poses a security risk to you and the University as someone could use your workstation in an unauthorised way to:

  • Send email from your account
  • Tamper with or delete your files
  • Access and download confidential data

The easiest way to prevent unauthorised access to your workstation is to lock it when you are away. Locking the workstation will not shut down any program or close any files that you are working on. All you have to do to get back in is enter your password and you can pick up where you left off.

Hold down the Windows key and press the L key.

Theft or misuse of devices leaves the University susceptible to exploitation of any data the devices may hold.

Every time you leave your desk ensure any mobile devices (such as USBs, external hard drives and mobile phones) are locked away or taken with you.

UniSA Staff are STRONGLY ADVISED AGAINST storing any confidential data on portable storage devices.

UniSA's information security policies require staff to use encryption or equally strong measures on sensitive data stored in mobile or portable computing devices, and confidential data must not be downloaded to mobile computing or storage devices unless approval has been obtained from the relevant data owner.

NOTE: If you access your email or other UniSA data on your mobile and it is lost or stolen (regardless of whether it is UniSA-owned or personal), you must call the IT Help Desk ((08) 8302 5000) IMMEDIATELY to ensure your account remains secure.

Confidential or Restricted information left lying around in printer trays may be picked up and/or used maliciously by someone who shouldn't have access to that information.

All printers should be cleared of papers as soon as they are printed. This helps ensure sensitive documents are not left in printer trays for the wrong person to pick up.

Laptops used by multiple users, such as shared laptops, will only retain the cached profile of the last user. The user who last logged on is remembered. This means that before you take the laptop off campus, you should check that you have logged on successfully while on campus.

Once you have left the campus, you will not be able to log on if you have not already done this.

Additionally, when working off campus you need to ensure that no files are stored locally on the laptop hard drive - that is, the C: drive, including My documents. You need to store your files on OneDrive or on the Shared drive. See the page Data Storage Options at UniSA for more information.
 

By default, UniSA staff DO NOT get local administrative access to devices they are the primary user of.

If a staff member believes they require a local administrator account on the PC they are using, they can complete a Local Admin Access request for consideration.

If a staff member requires remote desktop access to a PC or device, they must complete a Remote Desktop Access request for consideration.

Shared devices are used by multiple users and are configured to only retain the cached profile of the last user for security purposes. The user who last logged on is remembered.
 
You need to ensure that no files are stored locally on the device hard drive - that is, the C: drive, including My documents. You need to store your files on OneDrive or on the Shared drive. See the page Data Storage Options at UniSA for more information.

In addition, if you are using a COW or AV PC you will need to log in to Teams as a separate process - Teams is not automatically connected as it is on your own workstation. Once you have logged on to Teams, you will see your recent document history in the Office 365 apps such as Word, PowerPoint etc.
 

Local admin is granted via the Appian form located here:
https://bpi.unisa.edu.au/suite/sites/privileged-access-request

Local admin requests consist of several sections:

Section 1 - Details:

  1. Contact phone number
  2. Blueplate
    1. Local admin requests are always a single-party transaction.
      This means that the blueplate that is entered into the request is the sole machine that you will be granted access to.
      If you require additional machines, additional requests must be raised and justified accordingly.
  3. End Date for Access
    1. Local admin will only be valid for a maximum of 12 months.
      Before the 12 months expires, you will be notified to resubmit a justification for your access.
      This will then be reviewed and your access will either be removed, or retained.

Section 2 - Business case:

A business case justification relates to the justification you have for requiring local admin access.
The justification must include:

  • Business impacts to UniSA for this access not being granted (e.g. inability to deliver course content to students)
  • A description of your role within the organisation and how privileged access lends itself to this role.
  • The justification must relate directly to the person writing the request. Justifications that are plagiarised or are written collectively will not be approved. 
  • If applications are being installed that are presently unknown, specify which genre of applications you are most likely to need to install.
    We understand that you may not know all applications that will come up, but there is an element of trust from ISTS that you will use privileged access only for tasks related to the justification you have provided.
  • The business case justification must ultimately provide a strong rationale, and should objectively make sense without any other context.

Requests that do not meet the above requirements are likely to be declined by ISTS.

Section 3 - Justification:

The request must include all known applications and the estimated number of weekly escalations they require.
This should be truthful and serve to represent why elevated privileges are required.
If you are only elevating privileges once a week for a single application, this would not be representative of a reasonable request.

Additionally, ITHD can connect to your machine and provide access as needed - there must be a justification as to why this is not a reasonable alternative to elevated privileges.

Section 4 - Endorsements:

You must select a line manager to endorse this request.
This will be your direct manager, or anyone above that person in the management hierarchy of your business unit.

Section 5 - Terms and Conditions:

Terms and conditions are provided and must be read and accepted.
If these terms are accepted and subsequently breached, it is considered a breach of the Acceptable Use Policy.

Section 6 - Review:

This provides an opportunity to review your submission before it reaches your manager for approval, and ISTS for subsequent approvals.