UAMS ADMINISTRATIVE GUIDE

NUMBER: 7.1.03
DATE: 10/01/98
REVISION:

SECTION: INFORMATION TECHNOLOGY
AREA: GENERAL
SUBJECT: INFORMATION SECURITY POLICY

PURPOSE

A great amount of sensitive data resides on UAMS computer systems, including patient, physician, education, research, and employee information. As a result, every personal computer (PC) user must assume responsibility for the security, accuracy and integrity of his/her data. Authorized access to this information is a privilege granted to assist in performance of work functions. Software is defined as programs, purchased or developed by individuals in the employ of UAMS.

POLICY

Access to information and systems must be restricted based on the need-to-know. Users are responsible for the security of all data that they are authorized to access. All UAMS data and documentation is confidential, and must not be taken elsewhere when an employee, consultant, or contractor leaves the employment of UAMS. For stand-alone microcomputers, the data stored on the system is owned by the department; the primary user of that system is responsible for backups and any other measures necessary to ensure the security and integrity of the data and software. For network file servers, the data stored on the system is owned by the department, and the Network Administrator is responsible for the backups and other measures necessary for the overall security of the software and data stored on the network storage space. Individual workstation users on the network are responsible for backups and data security for local storage space.

PROCEDURE (PASSWORD SECURITY)

  1. The personal computers and software belong to UAMS and should be used in accordance with UAMS policy. Each campus department shall determine individual computer use.
  2. The use and/or copying of software shall be governed by license agreement. Illegal copying or distribution of software is strictly prohibited.
  3. All UAMS personal computers must have approved virus protection software installed and operational. UAMS-owned software that is used off-site must be write-protected.
  4. Products obtained from bulletin board services or shareware and public domain products must be checked for viruses prior to installation on UAMS personal computers.
  5. Inbound modem access is prohibited on networked workstations. Individual modems must be configured as outbound only. Inbound calls must be routed through the UAMS Secure Inbound modem pool. Individual exceptions may be granted by the Information Technology Steering Committee if a specific need is present and adequate security is provided.
  6. Passwords must be a minimum of 5 characters and should be a combination of alphabetic and numeric characters. Passwords should also be changed periodically as a matter of good user practice. When changing a password, the new password must not be the same as the current or previously used password.
  7. Programs used to automatically log intelligent workstations onto the host must not contain hard-coded passwords. Automated log-on programs are acceptable provided the user is prompted for the password at initial log-on time and the password is not permanently stored for further use.
  8. E-mail is the property of UAMS. UAMS e-mail must not be used for commercial business purposes, to send inappropriate materials (such as chain letters, pornography, etc.), or to threaten other employees. Messages may not be broadcast to "Everyone" within UAMS without prior permission from the UAMS e-mail administrator, and non-UAMS function announcements will not be approved.