Overview
All University-owned computing devices are governed by this standard, including systems made available as primary workstations, assigned within a department office, or purchased through grant funds. The steps within this standard provide guidance for University-owned devices.
Purpose, Scope, and Responsibilities
- The purpose of this IT Security Program Standard is to identify the minimum requirements for all University-owned devices (“University Devices”), including desktops, laptops, notebooks, and mobile devices, to ensure the reliability and security of University Technology Resources and University Data.
- All University Devices used by faculty, staff, students, or other Authorized Individuals must meet this Standard, regardless of manufacturer, function of the system, or whether the device is primarily connected to the Campus Network or not.
- The Chief Information Security Officer (CISO), supported by the Chief Information Officer (CIO), is responsible for the implementation of this Standard.
- The Directors of Technical Services and Academic Technology are responsible for the deployment, management, and support of USI-managed devices, as well as maintaining an inventory of all USI-managed devices, ensuring devices meet or exceed this Standard, identifying any out-of-date or unsupported software on devices within their area of responsibility, and ensuring all requests for exceptions to this Standard are reviewed.
- The Directors of Technical Services and Academic Technology are responsible for inventory and for conducting ongoing scans to identify new devices.
- Any exceptions must be authorized by the CIO/CISO.
Desktops, Laptops, and Notebooks
- To ensure consistency of University Device management across campus, all newly purchased devices must:
  - Be enrolled on the USI domain and/or Azure (Windows machines);
  - Be enrolled in Jamf Pro and NoMAD/Jamf Connect (Mac machines);
  - Support encryption (e.g., TPM chip 1.2 or higher); and,
  - Be imaged from the K2000 to ensure software standards are met (Windows machines).
- The following University-provided security software must be installed and kept up to date on all University Devices:
  - Anti-Virus. Must run Real-Time Scanning and/or scan the device regularly to prevent, detect, and remove malware. This is installed automatically when the device is added to the domain (including the Azure domain) or enrolled in Jamf;
  - Lansweeper. Gathers hardware and software information to facilitate tracking and inventorying of devices.
- All University Devices must:
  - Be configured to lock and require the user to re-authenticate if left unattended for more than 15 minutes;
  - Run a Supported Operating System. Use of out-of-date operating systems that are not being actively updated to address new security concerns is prohibited;
  - Be configured to allow Microsoft Defender to scan them for potential vulnerabilities;
  - Be encrypted with whole-disk encryption using BitLocker or SecureDoc for Windows or FileVault for macOS, unless the device is used solely as a Presentation Station, within Computer Labs, or within Teaching Labs. Sensitive Data must never be downloaded to unencrypted University Devices;
  - Enable a host-based Firewall (if available), configured to block all inbound traffic that is not explicitly required for the intended use of the device. Use of a network-based Firewall does not remove the need for a host-based Firewall;
  - Restrict Administrative Privileges to the faculty and staff to whom the device is assigned, based on approval of their unit. University IT staff will maintain administrative access to all University Devices;
  - Be sanitized by IT Services staff prior to being reused, to prevent unauthorized access to University Data or University-licensed software; and,
  - Be returned to IT Services staff when no longer in use.
- All Windows machines must be authenticated against Enterprise Directory Services.
- Software patches and security updates must be deployed to University Devices as soon as practically possible through Intune/SCCM/Jamf, and no later than ninety (90) calendar days after the patch becomes available. Out-of-date software or software that is no longer supported by the vendor is strongly discouraged. Pursuant to the Vulnerability Management Standard, all Critical Patches must be implemented within 45 days.
- All efforts must be made to replace, and not to repurpose, University Devices that are out of warranty.
Exceptions
- Devices that do not support the capability to lock after 15 minutes of inactivity must be submitted as an exception and reviewed by the appropriate IT director to ensure they are secured by alternative means, such as restricting physical access by keeping the device in a locked room. The use of out-of-date software or software no longer supported by the vendor must be submitted as an exception and approved for use by the appropriate IT director, to ensure appropriate security controls are in place.
- This Standard does not cover University-owned servers, Internet of Things (“IoT”) devices (e.g., smart TVs), or audio-visual equipment (e.g., monitors, projectors). Minimum security requirements for University servers can be found in the Information Security policy.