• Keep all software (OS and application) up to date to the extent possible.
• Critical updates/patches shall be applied within 5 days, normal patches within 30 days.
• Only use actively-supported Operating Systems and applications.  Systems with unsupported or outdated OS and applications may not be directly connected to the campus network.

IT-08 Network Citizenship Policy, Appendix A: Baseline Security Standards

IT Standard 05 - Computer Security Standard

• Utilize campus, college, or unit inventory service/procedures to track all devices.

• All institutional data and licensed software must be reliably erased from all devices prior to transfer within the UI, as well as out of University Control.
• If data cannot be erased, the media must be destroyed.
• Research data must be approved by the OVPR before it can be transferred out of University control.

• Whole disk encryption is required on all laptops and tablet computers, USB storage devices with Level III data, and for desktops in units that regularly handle Level III data.
• Enable FileVault2 for Mac, BitLocker for Windows, BitLocker2Go for Windows USB devices, LUKS or similar software for Linux.
• Systems must be domain-attached and using device management to use whole-disk encryption.

• Endpoints that store institutional data locally must have data backed up in accordance with the UI Records Management Program.
• System and data backups must exist to enable prompt recovery/restoration of service.

IT-17 Backup & Recovery Policy 

UI Operations Manual, Ch. 17 - Records Management

• All suspected or confirmed security events must be immediately reported to the Security Office.
• No actions, including but not limited to sensitive data scans (IdentityFinder), repairs, reimaging, copying data, or other actions, may be performed without prior direction from the Security Office.

• Endpoints that store Level II/III data locally must be registered with the Security Office.

• All devices with Level II & III data and all mobile devices must be kept in a physically secure location when staff are not present.
• Location must be protected by physical access controls such as keys, biometrics, or proximity cards.

• Automated system change control management must be utilized for devices, such as UI Capser or MS-SCCM services.
• CM process must monitor and control hardware and software configuration changes.

IT-18 Information Security Framework

IT Standard - 05 Computer Security Standard

• Implement additional FISMA, PCI-DSS, HIPAA, or Export Control requirements as applicable.
• Links to applicable controls are on the IT Security website.

• Keep all software (OS and application) up to date to the extent possible.
• Critical updates/patches shall be applied within 5 days, normal patches within 30 days.
• Only use actively-supported Operating Systems and applications.  Systems with unsupported or outdated OS and applications may not be directly connected to the campus network.

IT-08 Network Citizenship Policy, Appendix A: Baseline Security Standards

IT Standard 05 - Computer Security Standard

• Install anti-virus software on all eligible devices, using UI recommended or site-licensed software where possible.
• Make certain the virus detection signatures are updated on a daily basis.
• Configure the software to scan all incoming files

• Utilize campus, college, or unit inventory service/procedures to track all devices.
• Servers located in Enterprise Data Centers are inventoried by facility personnel.

• All institutional data and licensed software must be reliably erased from all devices prior to transfer within the UI, as well as out of University Control.
• If data cannot be erased, the media must be destroyed.
• Research data must be approved by the OVPR before it can be transferred out of University control.

• Recommend whole-disk encryption where feasible.
• Use certificates for encryption where applicable.

• System backups must exist to enable prompt restoration of UI services.
• Backup of "UI Record" information must be performed in accordance with the UI Records Management Program.
• Disaster Recovery Plan must exist & be reviewed annually.
• Disaster Recovery Plan must be tested.

IT-17 Backup & Recovery

UI Operations Manual, Ch. 17 - Records Management

• All suspected or confirmed security events must be immediately reported to the Security Office.
• No actions, including but not limited to sensitive data scans (IdentityFinder), repairs, reimaging, copying data, or other actions, may be performed without prior direction from the Security Office.

• Enable host-based firewall in default deny mode and permit minimum necessary services.
• Servers with Level III data must be housed in an Enterprise Data Center.

• Conform to UI Password Policy.
• Utilize HawkID authentication in lieu of local accounts.
• Quarterly review of user accounts, Access privileges, and procedures/policies.

• Activity Logging required on all servers.
• Remote log forwarding required for servers handling Level II / III data.

• Systems not in an Enterprise Data Center that store Level II / III data must be registered with the Security Office.

• A system for change control management must be implemented for systems handling level II & III institutional data.
• System must monitor and control hardware and software configuration changes.

IT-18 Information Security Framework

IT STANDARD 05 - Computer Security Standards

• SysAdmins must receive Media Disposal Training, as well as Network Security Training Seminars and Security Awareness Training for IT Personnel.

• Systems attached to the University Network are subject to periodic vulnerability assessments by the Security Office.
• High-severity vulnerabilities must be resolved within 5 days; Medium-severity vulnerabilities within 30 days of identification.

• Host-based monitoring and alerting tool, such as OSSEC, must be installed and configured if Level III data is handled.

• All servers with Level II & III data must be kept in a physically secure location.
• Location must be protected by physical access controls such as keys, biometrics, or proximity cards.

• 2-Factor authentication required for all remote access.
• Utilize available privileged remote access services (Bastion Host, Terminal Server, etc.)

• Recommend all servers undergo a Security, Privacy, & Legal review and implement recommendations prior to deployment.

• Multi-Factor Authentication required for all Privileged Access (Root, Administrator)

• Implement FISMA, PCI-DSS, HIPAA, or Export Controls as applicable.
• Links to applicable controls are on the IT Security website.

• Keep all application software up to date to the extent possible.
• Critical updates/patches shall be applied within 5 days, normal patches within 30 days.
• Only use actively-supported OS and applications only.

IT-08 Network Citizenship Policy, Appendix A: Baseline Security Standards

IT Standard 05 - Computer Security Standard

• All applications will be inventoried using the UI Application Portfolio Management system.

• Recommend whole-disk encryption where feasible.
• Use certificates for communication encryption where possible.

• Application backups must exist to enable prompt restoration of UI services.
• Backup of institutional data must be performed in accordance with the UI Records Management Program.
• Disaster Recovery Plan must exist & be reviewed annually.
• Disaster Recovery Plan must be tested.

IT-17 Backup & Recovery

UI Operations Manual, Ch. 17 - Records Management

• Enable host-based firewall in default deny mode and permit minimum necessary services.

• All software must undergo software review prior to purchase, or installation/use by the University.

• Conform to UI Password Policy.
• Utilize HawkID authentication in lieu of local accounts.
• Quarterly review of user accounts, Access privileges, and procedures/policies.

• All suspected or confirmed security events must be immediately reported to the Security Office.
• No actions, including but not limited to sensitive data scans (IdentityFinder), repairs, reimaging, copying data, or other actions, may be performed without prior direction from the Security Office.

• Multi-factor authentication recommended for applications that handle sensitive institutional data, particularly accounts with Privileged (administrator) access.

• Application activity logging required.
• Remote log forwarding required for servers handling Level II / III data.

• Systems attached to the University Network are subject to periodic vulnerability assessments by the Security Office.
• High-severity vulnerabilities must be resolved within 5 days; Medium-severity vulnerabilities within 30 days of identification.

• System & application software must be tested before installation in a production environment.
• Production version must be protected from unauthorized changes.
• Separation of duties required between software developer and production implementers.

• Developers involved in support of systems that process payments must complete developer-specific security training annually, including secure coding techniques.

• Recommend all applications undergo a Security, Privacy, & Legal review and implement recommendations prior to deployment.

• Implement FISMA, PCI-DSS, HIPAA, or Export Controls as applicable.
• Links to applicable controls are on the IT Security website.