Computer Purchases Guidelines

Definitions

University funds include:

  • Research funds
  • Start-up funds
  • Grant funds
  • Departmental funds, and
  • Dean’s office (DCI and other) funding.

Computers include

  • Individual workstations (including laptops)
  • Computers and server-computers used to monitor or record experimental data
  • Server-computers used to host applications for multiple users, and
  • Server-computers used to store data for access by multiple people.

All computers purchased with University funds belong to the University and must be managed by IT professionals. 

  • Before purchasing any workstations or server-computers, the departmental IT professional (LSP) must be consulted to ensure the device meets institutional standards. 
  • All workstations and server-computers must be disclosed to the departmental IT professional (LSP) and logged in the dean’s office database for hardware tracking.
  • Workstations are configured and managed through centralized systems to ensure OS and software patches are in place. 
  • Server-computers must be housed in the University Data Center (which only allows for rack-mounted systems).
  • Server-computers must be configured with appropriate security settings and managed for appropriate patches.
  • Documentation needs to be maintained for server-computers including the configuration settings and administrative management processes.
  • Requirements for server-computers with Highly Sensitive data will include (but not limited to):
    • Server will be located behind the JointVPN firewall
    • Physical security with access only to specific allowed key holders
    • Follow the principle of “least privilege” when granting access permissions
    • Logging of all connections and logins from users
    • Carbon Black configured on the machine
    • Yearly (quarterly?) nessus/nmap scan by InfoSec
    • Qualys vulnerability scanning software must be installed 
    • No generic (shared) accounts
    • No root account access
    • The identity of the person responsible for oversight of the server.
    • A functioning backup strategy is in place
    • University-approved anti-virus installed and running
    • University account authentication used for account management
    • Automated updates enabled
  • Requirements for server-computers with less sensitive data include (but not limited to):
    • Firewall configuration to only allow access to UVa IP’s (if possible)
    • Physical security with access to specifically allowed key holders
    • Follow the principle of “least privilege” when granting access permissions
    • Logging of all logins and actions taken
    • Yearly nessus/nmap scan by InfoSec
    • Qualys vulnerability scanning software must be installed 
    • No generic (shared) accounts
    • No root account access
    • The identity of the person responsible for oversight of the server.
    • University-approved anti-virus installed and running
    • University account authentication used for account management
    • Automated updates enabled
    • A functioning backup strategy is in place

Surplus

Computers purchased with University funds must be provided to the LSP for disposal (or reassignment) when either:

  • The computer is no longer in service, or
  • The person to whom the computer is assigned is separated from the University.

Exceptions

Business/research may require exceptions to these guidelines such as:

  • a server-computer that must be part of an experiment run in the lab instead of being housed in the data center,
  • a computer that cannot be patched in order for unique software to function,
  • a root level account may be needed occasionally for some apps or maintenance (but not as the default user account),

Exceptions require:

  • Alternative measures to protect the computer (physically and network-wise) must be documented.
  • Approvals must be given by
    • Departmental LSP
    • Department chair (or the department’s Information Security designee), and
    • A&S Director of Analytics & IT Support.

29 August 2023