Device Security Standard
Date Drafted: 08/02/2010
Approved Date: 06/22/2011
Approved Date: 06/22/2021
A set of controls for the management of desktop, mobile, and server computing devices, which are designed to minimize institutional risk.
Tens-of-thousands of computing devices are connected to the University of Iowa wired and wireless network. These devices have access to institutional services and data, and may be institutionally or personally managed. Automated, enterprise scoped system management is an effective method to reduce institutional risk with a reasonable assurance of success. Threats to the privacy and integrity of institutional and personal information will continue to exist when there are financial, political, environmental, and/or criminal profits to be obtained. Automated computer management can provide significant improvement in security, over manual computer management methods that are more time consuming and often less diligently applied.
This standard applies to all institutionally owned, networked devices such as desktop, mobile, and server computing devices. Some devices, such as clustered servers, fire walled or address obfuscated (NAT'd) servers, special purpose operating systems, research or IOT devices may not be eligible due to licensing constraints, or may not support all management options, and therefore are expected to have comparable controls implemented to the extent possible.
In addition, this standard describes comparable controls for personally owned devices that connect to the university network. Some personal devices may not be able to implement all controls listed below, and therefore are expected to have comparable controls implemented to the extent possible.
- Domain Membership: Register (join) all supported institutionally owned computing devices for directory-enabled management purposes. For example, devices with Windows operating systems, and Macintosh devices with OS X operating system, should be joined to the UIOWA (campus) forest via an authorized administrative domain. Domain membership allows institutional best practice configuration policies to be automatically applied (via Group Policy Objects or GPO's) to many devices, enforces domain password policy, and provides an inventory of assets.
- Automated System Management: Subscribe all supported institutionally owned computing devices to an authorized management environment (e.g., Central MECM or JAMF service) for automated updates of both operating system and application software. Utilization of automated management solutions for client security (e.g., anti-spyware, intrusion prevention, or data loss prevention) is also required for eligible (supported) devices.
- Update/Configuration Parameters: Computer systems should be configured to utilize automated system management to:
- Configure and apply updates to the operating system at least monthly, with reboot as necessary
- Update the hardware BIOS
- Apply updates to installed software, including plug-ins, at least monthly
- Only install/utilize supported versions of software from companies or sources (for open-source software) that actively provide updates
- Accounts should be configured with passwords consistent with the Enterprise Password Standard.
- Personally owned systems that connect to the university network should be configured to use similar controls.
- Endpoint Protection: Eligible, supported devices must be configured with enterprise endpoint protection. Questions about whether a device is eligible or supported may be directed to the Information Security and Policy Office (ISPO.)
- Anti-virus: Eligible, supported devices that are institutionally owned have anti-virus included as part of Endpoint Protection. Personally owned devices must be configured with anti-virus software.
- Confidential Data Physical Protection: Protection of confidential data must adhere to the Institutional Data Policy, which defines levels of data sensitivity.
- Duplicate Services: Limit the number of services that must be protected, by avoiding development and implementation of parallel (duplicate) IT systems. Examples include Active Directory Forests/Domains, E-mail servers, and Servers hosting SQL and Oracle databases. This is not intended to eliminate redundancy or backups for disaster recovery or survivability of important resources, but to reduce the potential points of attack and avoid costs to secure and monitor duplicate systems.
- Technology Restriction: Adhere to institutional, state, and federal restrictions on the installation and use of certain technologies. See the Prohibited Technology List for additional information.
- Awareness: Know who provides technical support for the computers you use. Department IT support staff, central (ITS or HCIS) help desk, or other (contracted) support names, phone numbers, and/or email addresses should always be known and available. Register all systems that store Critical or Restricted data with the Information Security and Policy Office.
- Best Practices: Review and implement security best practices appropriate for the device in question. A collection of resources and documentation for best practices is available at the IT Security website.
- Disposal and reuse: Critical and Restricted data must be securely removed from all systems prior to disposal or reuse.
Summary of controls:
|Controls||Institutionally Owned||Personally Owned|
|Automated System Management||Yes||N/A|
|Anti-virus||Included in Endpoint Protection||Yes|
|Confidential Data Protection||Yes||Yes|
|Prohibited Technology||Yes||Varies depending on the technology|
|Disposal and reuse||Yes||Yes|
Exceptions to this standard must be filed with the Information Security and Policy Office (ISPO).
Related Policies, References and Attachments:
This collection of University of Iowa Information Technology policies and procedures contain acceptable use, security, networking, administrative, and academic policies that have been developed to supplement and clarify University of Iowa policy. They are incorporated into the University of Operations Manual (http://opsmanual.uiowa.edu) by reference, per the Policy on Acceptable Use of Information Technology Resources (http://opsmanual.uiowa.edu/community-policies/acceptable-use-information-technology-resources)
Self-managed Computer Responsibilities