MINIMUM SECURITY STANDARDS
- Policy Sections
- Software Patch Updates
- Anti-virus Software
- Host-Based Firewall Software
- Spyware
- Passwords
- No Unencrypted Authentication
- Physical Security
- Unnecessary Services
- University Desktop Compliance Matrix
Software Patch Updates
University networked devices must run software that has security patches available. They also must have all currently available security patches installed. Exceptions may be made that compromise the usability of critical applications, such as research equipment. "Request for Exception" may be requested on the Minimum Standards for Networked Device Security Configurations. See University Desktop Compliance Matrix.
Anti-Virus Software
Anti-virus software (Free Anti-Virus Software) for any particular type of device currently listed on the University software distribution website must be running and up-to-date on every device connected to the University network. See University Desktop Compliance Matrix.
Host-Based Firewall Software
Host-based firewall software for any particular type of device currently listed on the University software distribution website must be running and configured according to the implementing guidelines on every device connected to the University network. While CaTS implements firewalls as part of the security strategy, those firewalls do not obviate the need for host-based firewalls. See University Desktop Compliance Matrix.
Spyware
Spyware or malware is any type of technology that collects and transmits information about a person or their browsing. Anti-spyware software for any particular type of device currently listed below on the University Desktop Compliance Matrix must be running and up-to-date on every device connected to the University network.
Passwords
University electronic communications systems or services must identify users and authorize access by means of passwords or other secure authentication processes.
All default passwords for access to network-accessible devices must be modified.
Passwords used by system administrators for their personal access to a service or device must not be the same as those used for privileged access to any
service or device.
No Unencrypted Authentication
Unencrypted device authentication mechanisms are only as secure as the network upon which they are used. Traffic across the campus network may be
surreptitiously monitored, rendering these authentication mechanisms vulnerable to compromise. Therefore, all campus devices must use only encrypted
authentication mechanisms unless otherwise authorized.
In particular, historically insecure services such as Telnet, FTP, SNMP, POP, and IMAP must be replaced by their encrypted equivalents.
Physical Security
Unauthorized physical access to an unattended device can result in harmful or fraudulent modification of data, fraudulent e-mail use, or any number of other potentially dangerous situations. When reasonable and appropriate, devices must be configured to authenticate upon logon. When reasonable and appropriate, devices must be configured to "lock" and require a user to authenticate if left unattended for more than ten minutes. Laptops and PDA devices must be secured from unauthorized access.
Unnecessary Services
If a service is not necessary for the intended purpose or operation of the device will not be running.
University Desktop Compliance Matrix
| Required Software | Microsoft OS (Windows) | Macintosh OS X | UNIX - Solaris, SUSE, Red Hat |
|---|---|---|---|
| OS Updates | X | X | X |
| Anti-virus | X | X | X |
| Spyware/Malware | X | ||
| Personal Firewall | X | X | X |
