High Risk Systems, Workstations, and Users
Overview
In an effort to protect and maintain data security on our campus, SSU is required to track systems, workstations, and users who store and/or have access to high risk information. Per the High Risk/Critical Workstation Standard, a High Risk Workstation is any workstation that is used for elevated access to critical systems or stores or accesses level 1 information in such quantities as to require notification of a government entity (i.e. over 500 records under HIPAA or CA 1798.29), or information classified as protected level 1 due to severe risk.
Level 1 data is defined as confidential information that include (but are not limited to):
- Passwords or credentials that grant access to level 1 and level 2 data
- PINs (Personal Identification Numbers)
- Birth date combined with last four digits of SSN and name
- Credit card numbers with cardholder name
- Tax ID with name
- Driver’s license number, state identification card, and other forms of national/ international identification (such as passports, visas, etc.) in combination with name
- Social Security number and name
- Health insurance information
Additional information regarding data definitions can be found on our website.
Critical systems are systems that access level 1 date and/or are necessary to conduct University business.
Impact to Users
Users identified as high risk with access to level 1 data and/or critical systems can only access sensitive data systems through high risk workstations. When a high risk user logs into a machine, that machine becomes high risk, receives the high risk configurations via group policy, and is added to an inventory of high risk workstations. High risk users who try logging into non-high risk configured workstations will be met with the following prompt:
“WARNING! User Account __________ has been identified as a High Risk User Account. However this Device ____________ is Not setup for High Risk Access. If you continue this Device will be automatically secured for High Risk Access and IT will be notified. Non High Risk User Accounts will lose access to this device. Do you want to Continue Logging into this compers?
Do not log into a non-high risk workstation.
User Login Behavior by Workstation Type
Type of Computer | High Risk User | Non-High Risk User |
Department Computers | It displays a message and moves it to the high risk OU. | No change. |
Lab Computers | They are denied login. | No change. |
Library Computers | They are denied login. | No change. |
IT Loaner Computers | It displays a message and moves it to the high risk OU. | No change. |
High Risk Computers | No change. | They are denied login. |
High Risk Department (Counseling, SHC, IT, PD, etc.) | No change. | They are denied login. |
Encrypted Flash Drives
High risk users can no longer use unencrypted USB flash drives for external storage. High risk workstation configurations allow for reading unencrypted USB flash drives but not saving new files to them. Users can encrypt unencrypted drives using Bitlocker Drive Encryption. The following prompt will appear when plugging an unencrypted USB flash drive to a high risk workstation.
Network Protections
High risk users with desktops are connected to a section of the campus network that is specifically configured for high risk access. Once a person is identified as high risk, the IT Department will submit a ticket on the user's behalf to move their machine(s) to the appropriate secured network.
High risk users with laptops are protected by an always-on VPN connection, which ensures high risk workstations are isolated and can only connect to SSU’s protected VPN network that provides the same level of protection as the high risk network. If you have a laptop, connect to Global Protect to enable always-on VPN. Connecting to off-campus networks, such as a coffee shop or hotel wifi, should work via a captive portal.
Information for Administrators of High Risk/Critical Systems
If you have been identified as an administrator of a high risk/critical system, you are responsible for identifying users who are granted access to level 1 data. In order to track the appropriate access, those users with access must be added to or removed from the group created for that system.
Log into the Application Access Manager (AAM) tool using your SSU username and password.
- To add members, search for people to add by entering an ID (LDAP UID, Emplid, Regid, etc.) or Last Name in the Search Term field below, then click the "Search" button.
- To remove members, select the member or members you want to remove by clicking on them in the select box below, then click the "Remove Selected Members" button to remove them.
- To make changes to the administrator, such as adding a new administrator or removing an existing administrator, please contact the IT Help Desk.
- To add a new critical system or remove a critical system that is no longer in use, please contact the IT Help Desk.
General Information
Please note that users should refrain from accessing level 1 data and/or critical systems until they have received confirmation that workstation configuration and network changes have been made to your device(s). It is important that high risk users back-up their data to avoid accidental data loss. Do not store level 1 data on Google Drive. Options for storing and transmitting level 1 data can be found on our Data Security Quick Guide.