University-Owned Devices Standard
Standard Number: IT.1.1.1S
Category: Acceptable Use of Technology
Effective: February 1, 2019
Revision History: None
Review Date: January 31, 2022
PURPOSE, SCOPE, AND RESPONSIBILITIES
Information Technology Services ("ITS") is responsible for maintaining the reliability and security of the West Virginia University ("University") Campus Network, University Data, and University Technology Resources. Appropriate steps must be made to ensure that all University-owned devices ("University Devices") that connect to the University Campus Network have adequate security to prevent a breach that may result in the loss of University Data, damage to critical applications, and/or financial loss. The purpose of this Standard is to identify the minimum requirements for all University Devices.
All University Devices used by faculty, staff, students, or other Authorized Individuals must meet this Standard. Personally-owned devices that connect to the University Campus Network must meet the requirements of the Bring Your Own Device Standard.
- ITS’s Executive Director for Enterprise Support is responsible for the implementation of this Standard. Endpoint Management & Outbound Support is responsible for the deployment, management, and support of ITS-managed University Devices, as well as for maintaining an inventory of all ITS-managed IT assets.
- College IT Directors are responsible for maintaining an IT Asset Inventory, ensuring that all departmentally-managed University Devices meet or exceed this Standard, and approving the use of out-of-date or unsupported software on University Devices within their oversight.
- Information Security Services (ISS) is responsible for conducting scans of the WVU network to identify security vulnerabilities and approving exceptions to this Standard.
DESKTOPS, LAPTOPS, AND NOTEBOOKS
- All Windows machines must be authenticated against the Enterprise Directory Service.
- University Devices must be configured to lock and require a user to re-authenticate if left unattended for more than 15 minutes. Devices that do not support this capability must be secured alternatively, such as restricting physical access to it in a locked room.
- University Devices must run a supported operating system.
- Patches and security updates must be deployed to devices as soon as practically possible, but not longer than ninety (90) calendar days after public release for any device. Patches should be tested on development systems prior to being rolled out to production, where possible.
- Out-of-date operating systems that are not being actively updated to address new security concerns are prohibited.
- All newly-purchased, University-owned Windows machines must be enrolled in SCCM and/or Intune to ensure consistency of device management across campus.
- All newly purchased, University-owned Mac desktops, laptops, and notebooks must be enrolled in Jamf Pro and NoMAD to ensure consistency of device management across campus.
- If the University Device will utilize Microsoft Office, a Microsoft-supported version of Office is required. Office 365 ProPlus client is preferred.
- The following security software must be installed and kept up-to-date on all University Devices:
  - Anti-Virus. University-provided anti-virus software must run real-time scanning and/or scan the device regularly; and,
  - Identity Finder ("IDF"). IDF scans all devices to identify and remove data classified as Sensitive Data in the Sensitive Data Protection Policy that is stored on University Devices.
- All University Devices must be tracked on an IT Asset Inventory.
- Software updates must be deployed through SCCM/Jamf/Intune as soon as practically possible, but not longer than ninety (90) calendar days after the patch becomes available. Out-of-date software or software that is no longer supported by the vendor is strongly discouraged.
- A host-based firewall must be enabled (if available) and configured to block all inbound traffic that is not explicitly required for the intended use of the University Device. Use of a network-based firewall does not remove the need for the host-based firewall.
- All desktops, laptops, and notebooks must be configured to allow ISS to scan them for potential vulnerabilities.
- All newly purchased University-owned desktops, laptops, and notebooks must support encryption (e.g., TPM chip 1.2 or higher).
- All desktops, laptops, and notebooks that support encryption must be encrypted with whole disk encryption using BitLocker or SecureDoc for Windows or FileVault for macOS. Devices that do not support encryption must be protected with compensating security controls (e.g., used off-network) and replaced as soon as possible with devices that do support encryption.
- Administrative privileges must be restricted to faculty and staff on the devices assigned to them, based on approval of their unit. University IT staff will maintain administrative access to all University Devices in their unit. Administrative access for other users, or on multiple devices, is granted by approval of the college IT director.
- All desktops, laptops, and notebooks must be sanitized prior to going to surplus to prevent unauthorized access to University data or University-licensed software.
- All efforts must be made not to use or repurpose University Devices that are out of warranty.
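The following read-only audit script is an added example, not part of this Standard or of ITS tooling. It checks a Windows University Device against the desktop requirements listed above (directory authentication, 15-minute inactivity lock, BitLocker, TPM, host-based firewall denying inbound by default, real-time anti-virus, and patches within 90 days); it assumes local administrator rights, that the inactivity lock is enforced through the "Interactive logon: Machine inactivity limit" policy, and that Microsoft Defender is the University-provided anti-virus.

```powershell
# Added example (not WVU's own tooling): read-only compliance audit for a Windows device.
# Assumes local admin rights and that Microsoft Defender is the University-provided anti-virus.
$MaxPatchAgeDays = 90       # Standard: patches within 90 calendar days of release
$MaxIdleSeconds  = 15 * 60  # Standard: lock after 15 minutes unattended
$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# 1. Authenticated against Enterprise Directory Services (domain-joined)
$cs = Get-CimInstance Win32_ComputerSystem
Add-Check 'Domain joined' $cs.PartOfDomain "Domain: $($cs.Domain)"

# 2. Machine inactivity limit (Interactive logon policy) set and at or below 15 minutes
$pol  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
$idle = [int]($pol.InactivityTimeoutSecs)   # 0 means the policy is not set
Add-Check 'Inactivity lock <= 15 min' ($idle -gt 0 -and $idle -le $MaxIdleSeconds) "InactivityTimeoutSecs = $idle"

# 3. Whole-disk encryption on the system drive
$bl = Get-BitLockerVolume -MountPoint $env:SystemDrive
Add-Check 'BitLocker protection on' ($bl.ProtectionStatus -eq 'On') "VolumeStatus = $($bl.VolumeStatus)"

# 4. TPM present and enabled (SpecVersion shows 1.2 or 2.0)
$tpm = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
Add-Check 'TPM present and enabled' ($null -ne $tpm -and $tpm.IsEnabled_InitialValue) "SpecVersion = $($tpm.SpecVersion)"

# 5. Host-based firewall enabled with default inbound action Block, for every profile
foreach ($p in Get-NetFirewallProfile) {
    $ok = ($p.Enabled -eq 'True') -and ($p.DefaultInboundAction -eq 'Block')
    Add-Check "Firewall ($($p.Name)) denies inbound by default" $ok "Enabled=$($p.Enabled) Inbound=$($p.DefaultInboundAction)"
}

# 6. Anti-virus real-time scanning, with signature age for context
$mp = Get-MpComputerStatus
Add-Check 'Defender real-time protection' $mp.RealTimeProtectionEnabled "Signature age (days): $($mp.AntivirusSignatureAge)"

# 7. Most recent installed hotfix within 90 days
$last = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
$age  = if ($last) { (Get-Date) - $last.InstalledOn } else { $null }
Add-Check 'Patched within 90 days' ($null -ne $age -and $age.Days -le $MaxPatchAgeDays) "Last hotfix: $($last.HotFixID) on $($last.InstalledOn)"

$results | Format-Table -AutoSize
```

A failed check is a prompt to investigate, not a finding by itself: the inactivity lock, for example, may be enforced by a screensaver policy rather than the machine inactivity limit this script reads.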
The following controls must be applied to all University Mobile Devices (e.g., smartphones, tablets) that store, have access to, and/or process University Data. All University Mobile Devices must be:
- Secured with, at minimum, a four-digit PIN to prevent Unauthorized Access when the device is left unattended;
- Configured to lock after being inactive for 15 minutes;
- Configured to encrypt local data to protect data stored on the device in the event it is lost or stolen;
- Configured with a remote location/erase application (e.g., Find My iPhone) so that the device can be located and recovered if lost. It should also be configured so that it can be erased if it is not recoverable; and,
- Sanitized prior to disposal or reuse.
- All new Apple mobile devices purchased will be set up via Apple School Manager and managed by Jamf. All new Apple mobile devices must not be associated with an individual’s personal Apple ID account.
- Devices with the intended purpose of providing unauthenticated access (e.g., kiosks) will not be required to use Enterprise Directory Services.
- ISS must approve all devices that have a business requirement to opt out of locking after 15 minutes of inactivity.
- The use of out-of-date software, or software no longer supported by the vendor, must be approved by the appropriate college IT director in conjunction with ISS to ensure appropriate security controls are in place. When ISS identifies that out-of-date software has security vulnerabilities, it will notify the appropriate IT director to remove the software.
- All efforts should be made to remove individual Apple IDs from University-owned Apple mobile devices purchased prior to the implementation of Apple School Manager; however, the timeline for this to be done is at the discretion of the individual IT director.
- This Standard does not include University-owned servers, Internet of Things ("IoT") devices (e.g., smart TVs), or audio-visual equipment (e.g., monitors, projectors). Minimum security requirements for University servers can be found in the Secure Server Standard.
- University Devices used for research purposes may be subject to specific data protections (e.g., federal regulations, data use agreements, NDAs) that require exceeding the requirements identified within this Standard, due to the sensitivity of the data associated with the device.
- University Devices used for research purposes may not have the ability to meet the requirements identified in this Standard because they are operating highly-specialized equipment. Researchers and IT directors must work with ITS to determine the appropriate compensating security controls for such devices. Should a device be identified as High-Risk to the University Campus Network, it must be removed.
DEFINITIONS
- "Authenticate" means the requirement that individuals enter their WVU Login credentials in order to access a University Device or the University Campus Network.
- "Enterprise Directory Services" means the shared information gathered from authoritative sources on campus that provides the comprehensive picture of an individual's relationship with the University. Technical components that work in whole, or in part, to verify the authenticity of a personal identity or resource include Active Directory, Active Directory Federation Services, Shibboleth, and Central Authentication Service.
- "Internet of Things" means objects or devices not traditionally connected to the network that contain electronics, software, sensors, and actuators which allow them to connect, interact, and exchange data with the University Campus Network, such as appliances, automobiles, smart TVs, and smart speakers.
- "IT Asset" means a University-owned information system, hardware, software, or services used in the course of University business activity.
- "IT Asset Inventory" means a detailed record of the University-owned IT Assets including classification of assets in accordance with business criticality. It is the decision of the individual IT directors as to how they maintain an adequate IT asset inventory provided it offers the ability to add, assign, locate, and remove all IT assets within their responsibility. ITS manages its IT asset inventory and warranty information using Lansweeper.
- "Firewall" means a system designed to prevent unauthorized access to or from the University Campus Network. Insufficient restrictions on system access over the network increase exposure to attack from viruses, worms, and spyware, and may also facilitate undesired access to resources. Not having a rule that denies incoming traffic by default unnecessarily exposes a system to compromise. Firewalls include host-based firewalls, which run on an individual computer or device connected to the network to protect the individual host from spreading viruses and malware, and network-based firewalls, which are built into the infrastructure of the cloud or a virtual firewall service that filters data as it travels from the Internet to the devices on the University Campus Network.
- "High-Risk" means a device that has vulnerabilities or weaknesses within an application, process, or design that can be leveraged to compromise or use it maliciously. The risk level can be further escalated based on the sensitivity of the data associated with the device.
- "Intune" means a software that enables ITS to manage Windows PCs running legacy operating systems (e.g., Windows 7) which cannot be managed as mobile devices.
- "Jamf Pro" means a product that enables ITS to manage the deployment and security of Mac devices across the WVU enterprise.
- "Lansweeper" means an IT asset management and network inventory software tool for Windows OS.
- "Malware" means malicious software that is designed to provide unauthorized access or perform unauthorized actions on a system.
- "NoMAD" means a product that allows Macs to be moved off Enterprise Directory Services while still allowing users to sign in with their WVU Login credentials.
- "Privileged Account" means access that bypasses access controls, so errors made by a privileged user may have catastrophic consequences, resulting in data loss or significant downtime. Many types of malware infect systems by changing system configurations and installing new services, activities generally limited to privileged users. Any malware encountered by a privileged user will also run as a privileged user. Network services that run as privileged accounts also present a significant risk if a vulnerability is exploited by an attacker.
- "Real-Time Scanning" means anti-malware software that analyzes files and programs as they are copied to a system to prevent the user from unknowingly becoming infected.
- "SCCM" means the Microsoft System Center Configuration Manager, which is a product that enables ITS to manage the deployment and security of Windows devices and applications across the University enterprise.
- "SecureDoc" means a WinMagic product that provides full-disk encryption for Windows machines.
- "Software Patch Updates (patches)" means a solution for fixing vulnerabilities in an OS or software that are provided by the entity supporting the OS or software.
- "Supported Operating System" means the entity providing the OS, be it a vendor, open source, or an individual, is actively and routinely providing and deploying patches and security updates for the OS.
- "Unauthorized Access" means when someone gains access to University Data or Technology Resources using someone else's credentials or other methods, such as accessing University Data for reasons unrelated to intended access.
- "University Data" means data created, received, maintained, or transmitted by or on behalf of the University through the course of its academic, administrative, research, or outreach activities.
- "University Devices" means laptops, computers, notebooks, tablets, and smartphones owned by the University that are used to collect, store, access, transmit, carry, use, or hold any University Data, whether during or outside of normal working hours and whether used at a normal place of work or not.
- "University Campus Network" means both wired and wireless components, devices, or networks that are connected to the campus network.
RELATED DOCUMENTS
- Acceptable Use of Data and Technology Resources Policy
- Network Vulnerability Assessment Procedures
- Bring Your Own Device Standard
- Secure Server Standard