Policy Number: IT - STANDARD 05
Date Drafted: 08/02/2010
Approved Date: 10/20/2011
Description: 
A set of standards for the management of university owned desktop, mobile, and server computing devices, which are designed to minimize institutional risk.

Tens of thousands of computing devices are connected to the University of Iowa data network, and these devices typically have access to institutional services and data. Automated, enterprise-scoped system management is an effective method of reducing institutional risk with a reasonable assurance of success. Threats to the privacy and integrity of institutional and personal information will continue to exist as long as there are financial, political, environmental, and/or criminal profits to be obtained. Automated management facilities provide a significant security improvement over manual management methods, which are more time consuming and often applied less diligently.

Scope:

This standard applies to all university-owned, networked devices such as desktop, mobile, and server computing devices. Some devices, such as clustered servers, firewalled or address-obfuscated (NAT'd) servers, special-purpose operating systems, or research devices, may not be eligible due to licensing constraints or may not support all management options; such devices are expected to have comparable management implemented to the extent possible.

Statement:

  1. Domain Membership: Register (join) all supported institutionally owned computing devices for directory-enabled management purposes. For example, devices running Windows, and Macintosh devices running OS X, should be joined to the UIOWA (campus) forest via an authorized administrative "domain" unless granted an exception. Domain membership allows institutional best-practice configuration policies to be applied automatically to many devices (via Group Policy Objects, or GPOs), enforces the domain password policy, and also provides an inventory of assets.
  2. Automated System Management: Subscribe all supported institutionally owned computing devices to an authorized management environment (e.g., the central SCCM or Casper service) for automated updates of both operating system and application software. Use of automated management solutions for client security (e.g., anti-virus, anti-spyware, intrusion prevention, or data loss prevention) is also required for eligible (supported) devices.
  3. Update/Configuration Parameters: Institutionally owned computer systems, in addition to the baseline requirements outlined in the University's Network Citizenship Policy, should be configured to use automated system management to:

    • Configure and apply updates to the operating system at least monthly, with reboot as necessary

    • Apply updates to installed software, including plug-ins (e.g., browser plug-ins), at least monthly

    • Install/use only supported versions of software from companies or sources (for open source software) that actively provide updates

    • Implement a managed version of client security software where possible, one that updates its signatures at least daily and actively scans all incoming files (on-access scanning)

  4. Confidential Data Physical Protection: Protection of confidential data must adhere to the Institutional Data Access Policy.
  5. Duplicate Services: Limit the number of services that must be protected by avoiding development and implementation of parallel (duplicate) IT systems. Examples include Active Directory forests/domains, e-mail servers, and servers hosting SQL Server and Oracle databases. This is not intended to eliminate redundancy or backups for disaster recovery or survivability of important resources, but rather to reduce the potential points of attack and avoid the cost of securing and monitoring duplicate systems.
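The following PowerShell script is an added example, not part of this standard or of the University's management tooling. It reports whether a single Windows host meets items 1 through 3 above (domain membership, a running management client, OS patches within the last 30 days, and daily-updated, actively scanning client security). Assumptions, not taken from the standard: the forest DNS suffix is uiowa.edu, the management client is the SCCM agent service CcmExec, and Windows Defender is the client security product (substitute the vendor's own cmdlet for another managed product). Get-HotFix lists only QFE-style updates, so on a host patched purely through feature updates or third-party tools, compare against the management console's compliance report instead.

```powershell
# Added compliance check for IT - STANDARD 05 items 1-3 (Windows only).
# Assumed values (hypothetical, adjust to the local environment):
$ExpectedForestSuffix  = 'uiowa.edu'   # assumed forest DNS name
$ManagementServiceName = 'CcmExec'     # assumed SCCM client service name
$MaxPatchAgeDays       = 30            # "at least monthly"
$MaxAvSignatureAgeDays = 1             # "updates at least daily"

function Test-StandardCompliance {
    # Item 1: domain membership in the expected forest.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $domainJoined = [bool]$cs.PartOfDomain -and ($cs.Domain -like "*$ExpectedForestSuffix")

    # Item 2: management client present and running.
    $svc = Get-Service -Name $ManagementServiceName -ErrorAction SilentlyContinue
    $managed = ($null -ne $svc) -and ($svc.Status -eq 'Running')

    # Item 3a: most recent installed OS update (QFE records only, see caveat above).
    $lastHotfix = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    $patchAgeDays = if ($lastHotfix) { ((Get-Date) - $lastHotfix.InstalledOn).TotalDays } else { $null }
    $patchCurrent = ($null -ne $patchAgeDays) -and ($patchAgeDays -le $MaxPatchAgeDays)

    # Item 3b: client security enabled, scanning on access, signatures fresh.
    $av = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $avCurrent = ($null -ne $av) -and
                 $av.RealTimeProtectionEnabled -and
                 $av.AntivirusEnabled -and
                 ($av.AntivirusSignatureAge -le $MaxAvSignatureAgeDays)

    [pscustomobject]@{
        ComputerName            = $cs.Name
        Domain                  = $cs.Domain
        DomainJoined            = $domainJoined
        ManagementClientRunning = $managed
        LastOsUpdate            = if ($lastHotfix) { $lastHotfix.InstalledOn } else { $null }
        PatchWithinWindow       = $patchCurrent
        AvRealTimeProtection    = if ($av) { [bool]$av.RealTimeProtectionEnabled } else { $false }
        AvSignatureAgeDays      = if ($av) { $av.AntivirusSignatureAge } else { $null }
        ClientSecurityCurrent   = $avCurrent
        Compliant               = $domainJoined -and $managed -and $patchCurrent -and $avCurrent
    }
}

# Run locally; pipe to Export-Csv or a log collector to aggregate across hosts.
Test-StandardCompliance | Format-List
```

Run it from an elevated session so Get-MpComputerStatus and the service query succeed. A host that is domain-joined but shows PatchWithinWindow or ClientSecurityCurrent as False is the case this standard is aimed at: it is inventoried, but the automated management that is supposed to keep it patched is not actually reaching it, so it should be checked in the management console rather than assumed compliant.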
     

Related Policies, References and Attachments:

This collection of University of Iowa Information Technology policies and procedures contains acceptable use, security, networking, administrative, and academic policies that have been developed to supplement and clarify University of Iowa policy. They are incorporated into the University of Iowa Operations Manual (http://opsmanual.uiowa.edu) by reference, per the Policy on Acceptable Use of Information Technology Resources (http://opsmanual.uiowa.edu/community-policies/acceptable-use-information-technology-resources).

Information Security Framework Policy
Network Citizenship Policy (includes Baseline Security Standards)
Institutional Data Access Policy
Self-managed machine responsibility/checklist
UIowa System Registry (USR) application