writes: Recently IS at my small hospital created an "Acceptable Use Policy" for our institution. Being the sort of anal-compulsive guy that I am, I actually read it. That prompted me to attempt to figure out where it came from, which led me to the SANS site. This purports to be "the most trusted and by far the largest source for information security training and security certification in the world. It also develops, maintains, and makes available at no cost, the largest collection of research documents about various aspects of information security, and it operates the Internet's early warning system — the Internet Storm Center."
Be that as it may, I thought at least the Computer Use Policy had some real dumb features. I'm most concerned about the section on information ownership:
Hospital’s network administration desires to provide a reasonable level of privacy, users should be aware that the data they create on the organization’s systems remains the property of... Hospital.
Not sure how that is going to work out overall; seems a bit overarching. Like what, precisely, is 'data'?
But the thing that really has me annoyed because it clobbers my work flow is the fun statement:
All PCs, laptops and workstations should be secured with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging-off when the host will be unattended.
My point being that a generic, hardcoded time to lock the workstation is a dumb idea, especially when many of the computers are located within a controlled environment. Logging in a couple of dozen times per day is not how I would define a productive use of my time.
Has anyone else found an 'authoritative' pontification of these ideas, especially in regard to healthcare systems in the US? (Hopefully the rest of the world isn't as batshit insane as we are.)