PROCEDURE:

DATE:  August 18, 2003

Updated:  May 16, 2017



SUBJECT:                  Computer Workstation Security


Prepared by:                       Danya Borowski                     


Approved by:                      Scott McCallum, Superintendent



1.       Purpose

Provide direction for state employees in securing the Washington State School for the Blind computing workstations and network.


2.       Scope

            All computers and workstations on WSSB networks are affected.


3.       Policy

            Every workstation must meet the following configuration/usage standards:


1.      Employees shall use the operating system lock control mechanism whenever the system is left unattended.  This is done at the computer by pressing the key sequence Ctrl-Alt-Delete and selecting Lock computer.

2.      Usernames and passwords are assigned in Active Directory and are required to access the network.  Passwords:

§  Must be changed when a login ID is first assigned

§  Must be changed every 180 days

§  Must be a minimum of 8 characters in length

§  Cannot be repeated within the last 5 password changes

§  Cannot contain the user’s name, UserID or any form of the full name

§  Must not consist of a single complete dictionary word, though dictionary words may be included in a passphrase

§  Must be significantly different each time they are changed

3.      Employees are prohibited from displaying or sharing their password.

4.      After 5 unsuccessful login attempts, the account will be locked for 1 hour.

5.      WSSB has the authority to perform audits on computers and devices connected to the network.  The audits are performed to ensure the integrity, confidentiality, and availability of information resources; to ensure conformance to policy; to identify and investigate possible security threats; and to monitor user or system activity.

6.      Software loaded on school computers must be approved by IT staff. These machines must be configured according to guidelines established by IT Support Services. Faculty and staff who need software loaded on their individual workstation should make the request to the IT department for “Software Installation.” If the IT staff member determines that the software should not be loaded, the reason must be provided to the requestor. It is not the intent to restrict loading of legitimate software of use to the faculty/staff member. This policy is to prevent the inadvertent loading of unlicensed software, software that can compromise the network and school data, or software that can interfere with machine or system operation. If an IT staff member determines that software should not be loaded, the requestor may appeal to their supervisor. The supervisor may request guidance from the IT staff.

7.      Users are prohibited from downloading files from the internet without prior authorization.

8.      Computer workstations will operate with the minimum operating system configuration necessary to provide the necessary services.

9.      Devices will be hardened based on industry best practice such as NIST, SANS and vendor configuration.

10.   Any connection from the WSSB network to outside agencies must be approved by WSSB.  Connections will be allowed only with external networks that have been reviewed by WSSB and found to have acceptable security controls.  All approved connections will pass through OCIO-approved firewalls.  An example would be the Fortress system, which gives access to the State of Washington intranet.

11.   Any access to data on the network beyond the scope of the employee’s job must be approved by WSSB management.

12.   Backups are done on WSSB servers only.  Users should not store any confidential data, or data they don’t want lost, on their workstation.

13.   Workstations utilizing the Windows 7 through Windows 10 operating systems get automatic updates and security patches.

14.   Anti-Virus software is installed and updated regularly to prevent attacks.

15.   The following items are prohibited on the WSSB network:

a.       Dial-in and Dial-out workstation modems

b.      Peer-to-Peer sharing applications

c.       Tunneling software designed to bypass firewalls and security controls

d.      Auto-launching applications such as U3 that execute from a mobile device and do not require installation on a host system.

e.       Publicly managed e-mail, chat and video

f.        Products that provide remote control of IT services


4.       Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.


5.       Definitions

            Term               Definition

            OCIO               Office of the Chief Information Officer

            WSSB               Washington State School for the Blind

            DES                Department of Enterprise Services