You are here: Home / Contracts / Security Plans / How to Secure a Stand-Alone Desktop Computer

How to Secure a Stand-Alone Desktop Computer

A stand-alone desktop computer is one that is in no way connected to another computer or networked device, such as a switch, hub, or router (with the possible exception of a printer), or to the Internet or a local area network (LAN). The stand-alone desktop computer can be running Windows 10 client or server, Linux, or Mac OS X. Because the stand-alone desktop computer is not connected to the Internet or a local or wide area network, the emphasis for securing the data is placed on physical security of the computer and controlling access to the data.

Here are the minimum steps you should take to secure the Add Health data on your stand-alone desktop computer:

Physical Security of a Stand-Alone Computer

  1. Configure the BIOS to boot the desktop computer from the hard drive only. Do not allow the stand-alone desktop computer to be booted from the diskette or CD-ROM drive.
  2. Password protect the BIOS so changes cannot be made to the BIOS without authorization.
  3. Secure the desktop computer on which the Add Health data resides in a locked room, or secure the desktop computer to a table with a lock and cable (locking the case so the battery cannot be disconnected, which would disable the BIOS password).
  4. Remove or disable the network interface card (NIC) so it cannot be used. 
  5. Store the data on a desktop computer only. Laptops may not be used to store the Add Health data.

Controlling Access to the Data

  1. Restrict access to the Add Health data to project personnel using the security features available via the operating system (e.g., login via userid/password and NTFS permissions in Windows 10, ACLs in Linux and OS X).
  2. Require strong passwords.
  3. Password protect screen saver and activate after three minutes of inactivity.
  4. Enable whole disk encryption (e.g., Bitlocker, PGP Whole Disk Encryption, FileVault2, Veracrypt) or directory-based encryption (e.g., Windows Encrypting File System or Veracrypt) for directories containing secure data.
  5. Configure your analysis software to point temporary work files to the encrypted Add Health data directory.
  6. Install and periodically run a secure erasure program. This program should be run monthly and after the secure data has been removed from the computer at the end of the contract period. (Heidi is free and works well. SDELETE also works well and can be scripted.)
  7. Do not copy or move the Add Health data out of the secured directory for any reason.


Please download and complete the Stand-Alone Desktop Computer Data Security Plan and include with your Add Health Restricted-Use Data Application.