Minimum Standards for Networked Devices

Policy Purpose


Policy Description
The following minimum standards are required for devices connected to the University network.
Software Patch Updates
University networked devices must run software that has security patches available. They also must have all currently available security patches installed. PCI-DSS systems should have the latest vendor security patches installed - critical security patches must be installed within one month of release. Exceptions may be made that compromise the usability of critical applications, such as research equipment. "Request for Exception" may be requested on the Minimum Standards for Networked Device Security Configurations. See University Desktop Compliance Matrix below. 

Anti-Virus Software
Anti-virus software for any particular type of device currently listed on the University software distribution website must be running and up-to-date on every device connected to the University network. See University Desktop Compliance Matrix below.

Host-Based Firewall Software
Host-based firewall software for any particular type of device currently listed on the University software distribution website must be running and configured according to the implementing guidelines on every device connected to the University network. While CaTS implements firewalls as part of the security strategy, those firewalls do not obviate the need for host-based firewalls. See University Desktop Compliance Matrix.
Spyware
Spyware or malware is any type of technology that collects and transmits information about a person or their browsing. Anti-spyware software for any particular type of device currently listed below on the University Desktop Compliance Matrix must be running and up-to-date on every device connected to the University network.
Passwords
University electronic communications systems or services must identify users and authorize access by means of passwords or other secure authentication processes.
All default passwords for access to network-accessible devices must be modified.
Passwords used by system administrators for their personal access to a service or device must not be the same as those used for privileged access to any service or device unless device is joined to an active directory domain.
No Unencrypted Authentication
Unencrypted device authentication mechanisms are only as secure as the network upon which they are used. Traffic across the campus network may be surreptitiously monitored, rendering these authentication mechanisms vulnerable to compromise. Therefore, all campus devices must use only encrypted authentication mechanisms unless otherwise authorized.

In particular, historically insecure services such as Telnet, FTP, SNMP, POP, and IMAP must be replaced by their encrypted equivalents.


Physical Security
Unauthorized physical access to an unattended device can result in harmful or fraudulent modification of data, fraudulent e-mail use, or any number of other potentially dangerous situations. When reasonable and appropriate, devices must be configured to authenticate upon logon. When reasonable and appropriate, devices must be configured to "lock" and require a user to authenticate if left unattended for more than ten minutes. Laptops and PDA devices must be secured from unauthorized access.

Unnecessary Services
If a service is not necessary for the intended purpose or operation of the device that service should be disabled.

University Desktop Compliance Matrix
Required Software  Microsoft OS (Windows)  Macintosh OS X  UNIX - Solaris, SUSE, Red Hat
OS Updates  X X X
Anti-Virus X X X
Spyware/Malware X  X 
Personal Firewall  X X X

Enforcement
Failure to comply with this policy may result in disciplinary action and/or the loss of use of university computing resources. The university also may refer suspected violations of applicable law to appropriate law enforcement agencies.