Safe Computing Policies
Windows XP machines must be replaced or have compensating controls documented in a Risk Acceptance Memo.
Microsoft and Apple provide operating system support (that is, continue to create and release security patches) for only a limited number of years. For example, Microsoft is no longer providing security patches for Windows XP or Vista, and Apple is no longer providing security patches for Apple Mavericks or Mountain Lion. An unsupported operating system is vulnerable to attack because the vendor is no longer providing patches to fix known security vulnerabilities.
Because an attack on an unsupported operating system poses a risk to personal and BU information, unsupported operating systems are prohibited by our BU Data Protection Standards, Minimum Security Standards.
Contact BUMC IT (email email@example.com or call 617-638-5914) to purchase or get advice on purchasing a new computer.
If a medical device can only be used with a Windows XP machine, contact BUMC IT to implement compensating controls and start the Risk Acceptance Memo process.
There are two options for compensating controls:
- BUMC IT removes internet capability (wired and wireless), or
- BUMC IT places the machine on a private network if an internet resource is required
Starting August 19, 2018, Windows XP computers cannot communicate with the Y drive because we are disabling SMB1, an outdated protocol that even Microsoft strongly encourages disabling.
The ticket is then routed to BUMC Information Security to complete the Risk Acceptance Memo process.
What else is required for personal and BU Computers – desktops, laptops, mobile phones, tablets?
- Operating system must be supported (e.g., no Windows Vista or XP, no Apple Mavericks or Mountain Lion) and updated with available patches. BU computers are patched with KACE, but personal computers must be updated within a few days of notification.
- Disk encryption is required for laptops and any computer used to access, process, or store Restricted Use data, such as HIPAA data, checking account or debit/credit card #, SSN, or personally identifiable human subject research data.
- Anti-Malware (McAfee is free for BU faculty, staff, and students) must be set to auto update and scan
- Auto Screen Lock – 15 minute maximum (BU computers are set by policy, but personal computers must be configured)