Secure computer management standard
Purpose
Computers are the tools generally used to process, transmit, and store University data. University data is often sensitive in nature. Therefore, University computers must adhere to the Information Security Computer Management Standard.
Scope
This standard shall apply to all computers which process, store, or transmit University data (e.g. laptop or desktop tower). Management of University computers includes, but is not limited to:
- Installing and patching supported operating systems and applications.
- Enabling host-based network protections such as a firewall.
- Configuring the system settings such as enabling a screen lock.
- Maintaining endpoint protections such as anti-virus.
- Adding, removing, disabling, and enabling user accounts and permissions.
Standard
Configuration: There are a wide variety of system configuration settings that can impact the security of a system. These settings must be managed. These computer configuration settings should conform to best-practice industry hardening guidelines (e.g. NIST, CIS, DISA, NSA) as follows:
- Deployed computers should have a defined System Security Plan.
- User permissions shall default to standard user permissions.
- Users shall be prompted to elevate to administrator-level permissions, if needed.
- Users shall not log in to computers with elevated permissions.
Patching: Most system compromises can be directly linked to a specific vulnerability in an application or the operating system that had not been patched. Many of those patches had been released by the vendor long before the vulnerability was exploited. All too often, unpatched computers are compromised and used to 鈥減ivot鈥 to other higher value targets within the institution.
Managed computers must be patched in accordance with the Patch Management Standard. All critical vulnerabilities must be patched within thirty days of the vendor release. All high severity vulnerabilities must be patched within sixty days of the vendor release.
A maintenance window must also be defined in order to restart the system. Many critical and high vulnerabilities have patches that require a system restart in order to provide effective protection.
Encryption: Local storage shall be encrypted using the default operating system application (e.g. Bitlocker, FileVault). The entire disk, including unused or free space, shall be encrypted. Removable storage should also be encrypted. The recovery keys should be archived to a central store (e.g. active directory) and/or maintained in a secure alternate location. Additional guidance about encryption can be found on the Information Security website.
Firewall: The firewall shall be configured to deny all inbound traffic by default. Only those applications that require access inbound should specifically be allowed. Firewall logging should also be enabled.
Backup: Critical business files should not be stored locally. Those files should be stored on a university enterprise storage system. If critical business files must be stored locally, then computers should have an associated backup and recovery plan.
Endpoint protection: University computers must have a current version of an anti-virus or anti-malware software installed. The configuration should allow the following functions:
- Daily definition updates;
- Real-time system protection;
- Periodic full file system scans;
- On-demand scans;
- Alert on anti-virus deactivation and activation;
- Audit logging.
Data loss prevention: University computers have the potential to store, process, and transmit sensitive information. In order to protect the information appropriately, it must be classified according to its level of sensitivity. Therefore, university computers should utilize data loss prevention software to scan the local system to determine if and where the sensitive information exists.
Physical security and device inventory: University resources must be protected from theft or damage. Appropriate physical controls should be used in order to maintain regulatory or compliance needs. Business units should maintain a physical inventory of all university computing resources assigned to individuals within their respective units. The inventory should be periodically reviewed for accuracy. The inventory should include:
- Device manufacturer and model
- Unique serial number or identifier
- Network MAC address (if applicable)
User education: Users should receive periodic information security training in order to help protect university assets, recognize threats, and report incidents accordingly. Requests for enrollment in information security training can be submitted to security@ohio.edu.
Incident reporting: All suspected or confirmed security incidents must be immediately reported to Information Security via email to security@ohio.edu or via telephone to 740566-SAFE.
Regulatory and compliance data security controls: Specific data at the university have additional controls and audit requirements based on their respective regulatory or compliance authorities (e.g. FERPA, GLBA, PCI-DSS, HIPAA). Such data must be properly classified as described above and protected according to the data type. For additional information relating to these additional security controls consult the Information Security Office.
References
- NIST 800 Series Publications
- NIST Special Publication 800-123, Guide to General Server Security
- NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices
- NIST Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations
- Center for Internet Security, 20 CIS Critical Security Controls
- Policy 91.003 Data Classification
- Policy 91.005 Information Security
- 91探花 Information Security Standard: Patch Management
Exceptions
All exceptions to this standard must be formally documented with the ISO prior to approval by the Information Security Governance Committee (ISGC). Standard exceptions will be reviewed and renewed on a periodic basis by the ISO.
Request an exception:
Complete Exception Request Form.
Governance
This standard will be reviewed and approved by the university Information Security Governance Committee as deemed appropriate based on fluctuations in the technology landscape, and/or changes to established regulatory requirement mandates.
Reviewers
The reviewers of this standard are the members of the Information Security Governance Committee representing the following University stakeholder groups:
- Information Technology: Ed Carter (Chair)
- Human Resources: Michael Courtney
- Faculty: Hans Kruse
- Finance and Administration: Chad Mitchell
- Associate Dean: Shawn Ostermann
- Regional Higher Education: Larry Tumblin
- Research and Sponsored Programs: Maureen Valentine
- Enterprise Risk Management and Insurance: Larry Wines
History
Draft versions of this policy were circulated for review and approved November 20, 2020.