Minimum Security Standards

Minimum Security Standards

These standards are intended to reflect the minimum-security configurations necessary for devices that create, access, store or transmit University data. Devices should be configured in accordance with the highest data classification used on the device.

Please note that these standards will be revised and updated accordingly to ensure and compliance with current cyber security best practices.

Endpoint Security Configuration | Additional For Server Computers | Mobile Devices

Endpoint Security Configuration

security controlhigh risk datamoderate risk datalow risk data
Whole Disk EncryptionRequiredRequiredRecommended
No Administrative PrivilegesRequiredRequiredRecommended
Device/System RegistrationRequiredRequiredRecommended
Use Only Supported Operating SystemsRequiredRequiredRequired
Patching/Updates Installed within 30 days of release *automatic patching recommended*RequiredRequiredRequired
Anti-Virus/Endpoint Protection Installed & ActiveRequired-Managed AVRequired-Managed AVRequired
Enrollment in Enterprise Active DirectoryRequiredRequiredRecommended (personal machines N/A)
Use Enterprise AuthenticationRequiredRequiredRecommended
Inactivity LockRequired–10 minutesRequired–10 minutesRecommended
Only Use Approved ApplicationsRequiredRequiredRecommended
Use University Owned ComputersRequiredRequiredRecommended
Properly Secure (locks, locked offices, secured cabinets, etc.)RequiredRequiredRecommended
University SupportRequiredRequiredRecommended (personal machines N/A)

Additional For Server Computers

security controlhigh risk datamoderate risk datalow risk data
Configure using CIS Security StandardsRequiredRequiredRequired
University Supported by ITRequiredRequiredRecommended
Physically Secure in IT approved Data CentersRequiredRequiredRecommended
Must reside behind IT approved FirewallRequiredRequiredRecommended
Access to data requires MFARequiredRecommendedRecommended
Data files require encryption in transitRequiredRequiredRequired
Data files require encryption at restRecommendedRecommendedRecommended

Mobile Devices (Smartphones, Tablets)

security controlhigh risk datamoderate risk datalow risk data
Lock with a password or PINRequiredRequiredRecommended
Encrypt the deviceRequiredRequiredRecommended
Limit stored email messages with PII/Data to 200 msgs or 14 days of msgsRequiredRequiredN/A
Use University Approved AppsRequiredRequiredN/A
Manufacturer Supported Operating SystemRequiredRequiredRequired
Must have remote wipe capability enabled in the event of a lost or stolen deviceRequiredRequiredRecommended
No tampering with device (“Jail breaking”)RequiredRequired for University owned mobile devicesRequired for personally owned devices accessing University resources

For more details on the Minimum Security Standards configurations, view this PDF