The University of Arizona

UITS IT Security Policies and Standards

The following internal IT Security Policies and Standards are the responsibility of all UITS staff. 

1. Remote Access
UITS employees remotely connect to our network, and such access requires the use of the University-provided VPN software. Our policy requires that the computers you use to connect to the server be patched and running up-to-date virus protection software. It is your responsibility to ensure that this is the case for your computers. Please also review any new or changed applications or services that you connect to remotely, and confirm whether remote access to them is needed and, if so, that it is appropriately protected.

2. UAWiFi
Reminder: UAPublic connections are insecure. Use only the UAWiFi connection for business transactions.

3. Vendor-configured unit systems
For in-house unit systems, if they are configured by a hardware supplier or reseller, instead of by your internal staff, you should transition to internally-controlled configuration as soon as possible. Systems should be configured by internal staff following a tested build image. Incorporate this requirement in your unit's secure build procedures.

4. Spyware detection and removal software
Install spyware detection and removal software on all systems for which it is available, and keep it updated, as required by the Minimum Security for Networked Devices Standard. The current site license for Sophos provides a viable solution that individuals can use to protect their systems. For Macintosh and other Unix-based systems on which software (such as Sophos or CounterSpy) cannot be installed from a central console, responsibility for installing and maintaining it belongs to the user of the system.

5. Password-protected screen savers
Computers in the CCIT domain and the UITS OU in the CatNet domain have password-protected screen savers installed via mandatory domain policy. Computers that are not members of a domain must also run password-protected screen savers, following the guidelines in Security Policy IS S701. It is your responsibility to ensure that password-protected screen savers with a short time-out period are configured on all of your computers.

6. Strong password controls on key applications
You need to be aware of the key applications you use and what the password policies on these applications are. "Key applications" are defined below.

Do you use key applications that do not authenticate via WebAuth, and that do not have strong password policies? If so, and if you have control over the password controls, you are responsible for modifying the applications to enforce strong password controls. If you do not have control over the password policies on these applications, consider transitioning to an alternative application.

"Key Applications" are applications that are critical to the operations of your unit, and/or that provide access to sensitive data.

Password policies should employ complex passwords, password expiration, and account lockout. Strong passwords should be 8 to 14 characters in length, with alphanumeric and special characters. Set password expiration to enforce a maximum password age of 90 days. New accounts must change their password at first login, and a password history of 7 passwords must be enforced (8 days minimum). Administrative access to systems should be protected with the strongest forms of authentication available.
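As an added illustration (not part of the UITS policy text), the following Python code encodes the password rules above as checks an in-house key application could run when a user sets or rotates a password: length 8 to 14 with letters, digits and special characters, a 90-day maximum age, and a history of the last 7 passwords. The "8 days minimum" is read here as a minimum password age; that reading, the salted-hash history format and the sample passwords are assumptions of this example.

```python
import hashlib
import string
from datetime import date

MIN_LEN, MAX_LEN = 8, 14   # "8 to 14 characters in length"
MAX_AGE_DAYS = 90          # maximum password age before expiration
HISTORY_DEPTH = 7          # the last 7 passwords may not be reused
MIN_AGE_DAYS = 8           # assumed reading of "(8 days minimum)"
SPECIALS = set(string.punctuation)


def check_complexity(pw: str) -> list[str]:
    """Return the policy violations for a candidate password (empty list = compliant)."""
    problems = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append("length not 8-14")
    if not any(c.isalpha() for c in pw):
        problems.append("no letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in SPECIALS for c in pw):
        problems.append("no special character")
    return problems


def fingerprint(pw: str) -> str:
    """History entry for a password. The history must hold hashes, never the clear text.
    A fixed salt keeps this example reproducible; a real system uses a per-user random salt."""
    return hashlib.sha256(b"example-salt:" + pw.encode()).hexdigest()


def is_expired(last_changed: date, today: date) -> bool:
    """True once the current password is older than the 90-day maximum age."""
    return (today - last_changed).days > MAX_AGE_DAYS


def check_change(new_pw: str, history: list[str], last_changed: date, today: date) -> list[str]:
    """All violations a password change would cause: complexity, reuse, and minimum age."""
    problems = check_complexity(new_pw)
    if fingerprint(new_pw) in history[-HISTORY_DEPTH:]:
        problems.append("reused within last 7 passwords")
    if (today - last_changed).days < MIN_AGE_DAYS:
        problems.append("changed less than 8 days ago")
    return problems


if __name__ == "__main__":
    # Constructed sample: one prior password in history, last changed 60 days earlier.
    hist = [fingerprint("Wildcat#2024")]
    print(check_change("Wildcat#2024", hist, date(2024, 1, 1), date(2024, 3, 1)))
```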