SEC-S009 University Owned Device Standard

Body

  1. OBJECTIVE: 
    1. Austin Peay State University (APSU) is responsible for ensuring the confidentiality, integrity, and availability of data stored on its systems.  This Standard defines the acquisition, allocation, use and minimum requirements of all university owned endpoint devices. A security breach when using a university owned endpoint device could result in loss or compromise of university data, damage and/or unauthorized access to university information technology resources, and/or financial harm to the university.
  2. RESPONSIBILITIES: 
    1. All university owned endpoint devices used by faculty, staff, students, or other university affiliated individuals must meet this Standard regardless of manufacture, function of the system, or whether the device is primarily connected to the campus network or not.  Personally owned devices that connect to the campus network must meet the requirements of the Bring Your Own Device Standard.
    2. Information Technology Security (ITSec) is responsible for conducting security vulnerability scans of the campus network devices and for reviewing all exceptions to this Standard. All exception requests will be forwarded to the ITSec director for approval.
    3. The Information Technology Technical Services (ITTS)  director is responsible for implementation and enforcement of this Standard. ITTS is responsible for the deployment, management, support, and inventory of all university owned endpoint devices.
  3. APPROVAL AUTHORITY:
    1. Chief Information Officer
  4. SCOPE:
    1. This Standard, operating under University Policy 4:042 Information Security and Data Classification, defines and establishes the acquisition, allocation, use, and minimum requirements for university owned endpoint devices that connect to university information technology resources and/or access university data.  These devices include but are not limited to smart phones, tablets, laptops, and notebooks.  For the purposes of this Standard, university servers are not included.  
  5. DEFINITIONS:
    1. Administrative Privileges – Access on a computer that gives the user the ability to make major changes to the computer or applications on the computer.  This access is defined as a level of access above that of a normal user and can be used by a malicious actor to compromise the computer or network the computer resides on.
    2. ​​Authentication – Verifying the identity of a user, process, or device to allow access to a university information technology resource.
    3. Campus Network – The wired and wireless components and information systems connected to the network managed by the university.  Excluded are: the residence hall network, student wireless, and guest wireless.  
    4. Device – A server, computer, laptop, or mobile device used to enter or access university data from a university information system.
    5. Enterprise Directory Services – The shared information gathered from authoritative sources on campus that provides the comprehensive picture of an individual’s relationship by merging identification and role information.  The technical controls that work in part to verify the authenticity of a personal identity or resource include Active Directory (AD), Active Directory Federation Services (ADFS) and Ethos.
    6. Firewall – A system that is designed to prevent unauthorized access to or from the campus network. Firewalls are both host-based, which run on an individual computer or device connected to the network, or network-based, which run on the campus network, usually at the network perimeter, to filter data as it travels to and from the Internet.
    7. Internet of Things (IoT) – Devices not traditionally connected to the network that contain electronics, software, sensors, and actuators which allows them to connect, interact, and exchange data with the campus network.  Such devices include appliances, automobiles, smart TVs, smart speakers, HVAC controls, etc.
    8. Intune – A cloud-based mobility management tool that provides both device management as we as application management.  This application is part of the Microsoft security suite.
    9. Jamf – A product that enables OIT to manage the deployment and security of Apple devices across the campus network
    10. Kace – A product that enables OIT to manage the deployment and security of Dell computers across the campus network.
    11. Risk – A device that has vulnerabilities or weaknesses within an application, process, or design that can be leveraged to compromise or use it maliciously.  The risk level can be further escalated based on the sensitivity of the data associated with the device.
    12. Software patch updates – A solution for fixing vulnerabilities in an operating system or software application that is provided by the entity supporting the operating system or software application.
    13. Supported operating system – The entity (ex: vendor, open source or an individual) providing the operating system is actively and routinely providing and deploying patches and security updates for the operating system.
    14. University Endpoint Computer – A desktop, laptop, or notebook computer purchased by the university and used by employees, students, or any other university affiliated persons.  This definition does not include any computers acting as servers.
    15. University data – Anything that contains information regarding the university made or received in connection with its operations and/or that the university has collected and stored on university personnel, students, and others.  University data resides as both hard copy and electronic media.
    16. University Information System – An application or software that is used to support academic, administrative, research, and outreach activities of the university, whether operated and managed by the university or a third-party vendor.
    17. University Information Technology Resources – University owned hardware, software, and network equipment; technology facilities; and other relevant hardware and software; as well as personnel tasked with the planning, implementation, and support of information technology.
  6. REQUIREMENTS:
    1. University Owned Endpoint Device Acquisitions
      1. All technology purchases must be approved by the Office of Information Technology (OIT).  To request a quote:  Request a Quote
      2. The campus standard vendors for laptops are Dell and Apple. Information on the current campus standard for purchasing a university laptop is found here:  Employee Campus Standard - Laptop
      3. For mobile device, the campus standard models are Apple mobile devices to include iPad and iPhone and Microsoft Surface tablets
      4. For supported network printers, information is available here:  Supported Network Printers
    2. University Owned Endpoint Device Allocations
      1. ​​​​​​​The University provides a new computer for each new full-time position and funds a computer replacement program for all full-time faculty and staff. Computer replacements are done on a four-year cycle. This program is overseen by OIT.​​​​​​​
      2. Find information on the replacement program including who is eligible for the program click on this document: Employee Equipment Replacement Program
      3. For frequently asked questions about the replacement program:  Employee Equipment Replacement Program FAQs
    3. University Owned Endpoint Device Use
      1. ​​​​​​​The university provides the use of university owned endpoint computers to all full-time employees if a computer is required for their work-related duties.  Adjunct faculty members, part-time employees, temporary employees, visiting professors, graduate assistants, and student workers are authorized to use shared workstations located within their respective departments and/or computers issued from the university’s surplus pool if available.  If a university owned endpoint computer is assigned or available for use, it is expected that the employee will use this device as their primary means to create, store, send, or receive university data.  ​​​​​​​
      2. The use of personally owned devices is authorized for infrequent work-related use.   For more information on the use of personally owned devices to access university data and/or conduct university business, reference:  Bring Your Own Device Standard.
      3. The Acceptable Use of Information Technology Resources provides required information on what employees can and cannot do on university owned endpoint computers.
    4. University Minimum Security Requirements for Endpoint Computers
      1. ​​​​​​​For the purposes of this Standard, a university endpoint computer is defined as a desktop, laptop, or notebook computer purchased by the university and used by employees, students, or any other university affiliated persons.  This definition does not include any computers acting as servers.​​​​​​​
      2. All university owned endpoint computers must:
        1. Be enrolled in Kace and/or Intune;
        2. Be enrolled in Jamf (Mac computers):
        3. Be enrolled in Microsoft Defender for Endpoint (MDE);
        4. Be enrolled in Rapid7 InsightVM;
        5. Be configured to lock and require a user to re-authenticate if left unattended for more than 15 minutes.  Devices that do not support this capability must be secured alternatively; such as restricting physical access to it in a locked room;
        6. Run a supported operating system.  Use of out-of-date operating systems that are not being actively updated to address new security concerns is prohibited;
        7. Be encrypted with whole disk encryption using BitLocker for Windows or FileVault for MacOS.  Devices that do not support encryption must be protected with compensating security controls (e.g. used off-network) and replaced as soon as possible with endpoint computers that do support encryption;
        8. Enable a host-based firewall (if available) and configure to block all inbound traffic that is not explicitly required for the intended use of the endpoint computer.  (Use of a network- based firewall does not remove the need for the host-based firewall.)
        9. Restrict administrative privileges on the endpoint computer to Office of Information Technology (OIT) staff only.  
        10. Administrative access for other users or on multiple endpoint computers is granted by approval of the ITSec director if the university requesting this access has a legitimate and documented need for this access: Request for this access is made here: Request Administrator Access;
        11. Be returned to OIT when no longer being used by the employee or lab where it was assigned.  Employees who are clearing the university will return their university owned endpoint computer directly to Human Resources(HR); HR will provide the computer to OIT to prepare for use by the new employee replacing the clearing employee. OIT staff will sanitize the endpoint computer before reallocating the endpoint computer or disposing of the endpoint computer as appropriate.
      3. All Windows endpoint computers must be authenticated against the university Enterprise Directory Services.
      4. Operating System and software patch updates and security updates must be deployed to endpoint computers as soon as practically possible through Kace/Intune/Jamf but not longer than 30 calendar days after the patch becomes available. Patches should be tested on development systems prior to being rolled out to production where possible.  Out of date software or software that is no longer supported by the vendor is strongly discouraged and will be prohibited if causing risk to the campus network.
      5. All efforts must be made to not repurpose endpoint computers that are out of warranty.
    5. University Minimum Security Requirements for Mobile Devices
      1. ​​​​​​​The following controls must be applied to all university owned mobile devices (e.g. smartphones, tablets) that store, have access to, and/or process university data. All university owned mobile devices must be:​​​​​​​
        1. Secured with, at minimum, a four-digit PIN to prevent unauthorized access when the device is left unattended;
        2. Configured to lock after being inactive for 15 minutes;
        3. Configured to encrypt local date to protected data stored on the device in the event it is lost or stolen;
        4. Configured with a remote location/erase application (e.g. Find my iPhone) so that the device can be located and recovered if lost.  It must also be configured sot that it can be erased if it is not recoverable; and
        5. Sanitized prior to disposal or reuse.
      2. All purchased Apple mobile devices will be set up via Apple School Manager and managed by Jamf.  All Apple mobile devices must be associated with an individual’s personal Apple ID account.
    6. Exceptions
      1. ​​​​​​​This Standard does not apply to personally owned devices.  For more information regarding personally owned devices refer to the Bring Your Own Device Standard.
      2. Devices with the intended purpose of providing unauthenticated access (e.g. Kiosks) will not be required to use Enterprise Directory Services.
      3. ITSec must approve all devices that have a business requirement to opt out of locking after 15 minutes of inactivity.
      4. The use of out-of-date software or software no longer supported by the vendor must be approved for use by ITSec to ensure appropriate security controls are in place.  When ITSec identifies that an out-of-date software has security vulnerabilities, it will notify OIT to remove the software.
      5. This Standard does not apply to university owned servers, Internet of Things (IoT) devices (e.g. smart TVs), or audio-visual equipment (e.g. monitors, projectors).
      6. University owned endpoint computers used for research purposes may be subject to specific data protections (e.g. federal regulations, data use agreements, NDAs) that require exceeding the requirements identified within this Standard due to the sensitivity of the data associated with the device.
      7. University owned endpoint computers used for research purposes may not have the ability to meet the requirements identified in this Standard because they are operating highly specialized equipment.  Researchers and OIT must work with ITSec to determine the appropriate compensating security controls for such devices.  Should a device be identified as a high risk to university campus network, it must be removed from the network.
  7. ASSOCIATED DOCUMENTS:
    1. ​​​​​​​4:042 Information Security and Data Classification Policy
    2. 4:029: Acceptable Use of Information Technology Resources
    3. 4:039 Password Management Policy​​​​​​​
  8. RECORD RETENTION TABLE:

Identification

Storage

Retention

Disposition

Protection

OITManagers Network Share

Electronic

Perpetual

Delete

Electronic Back-up

  1. REVISION HISTORY:

Date:

Rev.

Description of Revision:

8/18/2022

 

Initial Release

 

Details

Details

Article ID: 146777
Created
Thu 9/22/22 2:40 PM
Modified
Thu 2/1/24 5:12 PM