Minimum Security Standards
These standards are intended to reflect the minimum security configurations necessary for devices that create, access, store or transmit University data. Devices should be configured in accordance with the highest data classification used on the device.
Please note that these standards will be revised and updated as needed to ensure compliance with current cyber security best practices.
Endpoint Security Configuration
security control | high risk data | moderate risk data | low risk data |
---|---|---|---|
Whole Disk Encryption | Required | Required | Recommended |
No Administrative Privileges | Required | Required | Recommended |
Device/System Registration | Required | Required | Recommended |
Use Only Supported Operating Systems | Required | Required | Required |
Patching/Updates Installed within 30 days of release *automatic patching recommended* | Required | Required | Required |
Anti-Virus/Endpoint Protection Installed & Active | Required-Managed AV | Required-Managed AV | Required |
Enrollment in Enterprise Active Directory | Required | Required | Recommended (personal machines N/A) |
Use Enterprise Authentication | Required | Required | Recommended |
Inactivity Lock | Required–10 minutes | Required–10 minutes | Recommended |
Only Use Approved Applications | Required | Required | Recommended |
Use University Owned Computers | Required | Required | Recommended |
Properly Secure (locks, locked offices, secured cabinets, etc.) | Required | Required | Recommended |
University Support | Required | Required | Recommended (personal machines N/A) |
Additional For Server Computers
security control | high risk data | moderate risk data | low risk data |
---|---|---|---|
Configure using CIS Security Standards | Required | Required | Required |
University Supported by IT | Required | Required | Recommended |
Physically Secure in IT approved Data Centers | Required | Required | Recommended |
Must reside behind IT approved Firewall | Required | Required | Recommended |
Access to data requires MFA | Required | Recommended | Recommended |
Data files require encryption in transit | Required | Required | Required |
Data files require encryption at rest | Recommended | Recommended | Recommended |
Mobile Devices (Smartphones, Tablets)
security control | high risk data | moderate risk data | low risk data |
---|---|---|---|
Lock with a password or PIN | Required | Required | Recommended |
Encrypt the device | Required | Required | Recommended |
Limit stored email messages with PII/Data to 200 messages or 14 days of messages | Required | Required | N/A |
Use University Approved Apps | Required | Required | N/A |
Manufacturer Supported Operating System | Required | Required | Required |
Must have remote wipe capability enabled in the event of a lost or stolen device | Required | Required | Recommended |
No tampering with device (“jailbreaking”) | Required | Required for University owned mobile devices | Required for personally owned devices accessing University resources |
For more details on the Minimum Security Standards configurations, view this PDF