Standard Number: 126.96.36.199.1
Category: Acceptable Use of Technology
Owner: Information Technology Services
Effective: September 7, 2022
Revision History: Originally effective February 1, 2019; updated December 31, 2019
Review Date: September 6, 2025
Purpose, Scope, and Responsibilities
- The purpose of this Standard is to identify the minimum requirements for all University-owned devices (“University Devices”) including desktops, laptops, notebooks, and mobile devices, to ensure the reliability and security of University Technology Resources and University Data.
- All University Devices used by faculty, staff, students, or other Authorized Individuals must meet this Standard, regardless of manufacturer, function of the system, or whether the device is primarily connected to the Campus Network or not. Personally owned devices that connect to the University Campus Network must meet the requirements of the Bring Your Own Device Standard.
- The Chief Information Officer, supported by the Executive Director for Enterprise Support, is responsible for the implementation of this Standard.
- Endpoint Management & Outbound Support is responsible for the deployment, management, and support of ITS-managed, University Devices as well as maintaining an inventory of all ITS-managed devices, ensuring devices meet or exceed this Standard, identifying any out-of-date or unsupported software on devices within their area of responsibility, and ensuring all requests for exceptions to this Standard are reviewed.
- College IT Directors are responsible for maintaining an inventory of all the University Devices for which they oversee to ensure that all departmentally-managed devices meet or exceed this Standard, and for identifying any out-of-date or unsupported software on University Devices within their area of responsibility. IT Directors are also responsible for ensuring that all requests for exceptions to this Standard are reviewed.
- Information Security Services (“ISS”) is responsible for conducting scans of the University Campus Network to identify security vulnerabilities and reviewing all exceptions to this Standard. All exception requests will be submitted, reviewed, and approved pursuant to the Compliance Exception Management Standard.
Desktops, Laptops, and Notebooks
- To ensure consistency of University Device management across campus, all newly
purchased devices must:
- Be enrolled in SCCM and/or Intune (Windows machines);
- Be enrolled in Jamf Pro and NoMAD/Jamf Connect (Mac machines); and,
- Support encryption (e.g., TPM chip 1.2 or higher).
- The following University-provided security software must be installed and kept
up to date on all University Devices:
- Anti-Virus. Must run Real-Time Scanning and/or scan the device regularly to prevent, detect, and remove malware;
- Identity Finder ("IDF"). Scans all devices to identify and remove data classified as Sensitive Data pursuant to the Sensitive Data Protection Policy; and,
- Lansweeper. Gathers hardware and software information to facilitate tracking and inventorying of devices.
- All University Devices must:
- Be configured to lock and require a user to re-authenticate if left unattended for more than 15 minutes.;
- Run a Supported Operating System. Use of out-of-date operating systems that are not being actively updated to address new security concerns is prohibited;
- Be configured to allow ISS to scan them for potential vulnerabilities;
- Be encrypted with whole disk encryption using BitLocker or SecureDoc for Windows or FileVault for MacOS unless the device is used solely for Presentation Stations, within Computer Labs, or within Teaching Labs. Sensitive Data must never be downloaded to these University Devices.;
- Enable a host-based Firewall (if available) and be configured to block all inbound traffic that is not explicitly required for the intended use of the device. Use of a network-based Firewall does not remove the need for the host-based Firewalls;
- Restrict Administrative Privileges to faculty and staff on the devices assigned to them based on approval of their unit. University IT staff will maintain administrative access to all University Devices in their unit. Administrative access for other users or on multiple devices is granted by approval of college IT director;
- Be sanitized by the appropriate college IT staff prior to being reused within the department or college to prevent unauthorized access of University Data or University-licensed software; and,
- Be returned to the college IT staff when no longer being used. Discarding University Devices directly through the Surplus Redistribution Center is strictly prohibited.
- All Windows machines must be authenticated against Enterprise Directory Services.
- Software Patch Updates and security must be deployed to University Devices as soon as practically possible through Intune/SCCM/Jamf but not longer than ninety (90) calendar days after the patch becomes available. Patches should be tested on development systems prior to being rolled out to production, where possible. Out of date software or software that is no longer supported by the vendor is strongly discouraged. Pursuant to the Vulnerability Management Standard, all Critical Patches must be implemented within 30 days.
- If the University Device will utilize Microsoft Office, a Microsoft-supported version of Office is required. Office 365 ProPlus client is preferred.
- All efforts must be made to replace, and not to repurpose, University Devices that are out of warranty.
- To ensure consistency of University Device management across campus, all newly purchased devices must:
- The following controls must be applied to all University-owned Mobile Devices
(e.g., smartphones, tablets) that store, have access to, and/or process University
Data. All University Mobile Devices must be:
- Secured with, at minimum, a six-digit PIN to prevent Unauthorized Access when the device is left unattended;
- Configured to lock after being inactive for no longer than 15 minutes;
- Configured to encrypt local data to protect data stored on the device in the event it is lost or stolen;
- Configured with a remote location/erase application (e.g., Find my iPhone) so that the device can be located and recovered if lost. It should also be configured so that it can be erased if it is not recoverable; and,
- Sanitized prior to disposal or reuse.
- All new Apple mobile devices purchased will be set up via Apple School Manager and managed by Jamf. All new Apple mobile devices must not be associated with an individual’s personal Apple ID account.
- The following controls must be applied to all University-owned Mobile Devices (e.g., smartphones, tablets) that store, have access to, and/or process University Data. All University Mobile Devices must be:
- Devices with the intended purpose of providing unauthenticated access (e.g., Kiosks) will not be required to use Enterprise Directory Services once reviewed by the appropriate IT director, in conjunction with ISS, and granted an approved exception.
- Devices that do not support the capability to lock after 15 minutes of inactivity must be submitted as an exception and reviewed by the appropriate IT director and ISS to ensure they are secured alternatively, such as restricting physical access to it in a locked room. The use of out-of-date software or software no longer supported by the vendor must be submitted as an exception and approved for use by the appropriate college IT director, in conjunction with ISS, to ensure appropriate security controls are in place. When ISS identifies that an out-of-date software has security vulnerabilities, it will notify the appropriate IT director to remove the software.
- All efforts should be made to remove individual Apple IDs from University-owned Apple mobile devices purchased before the implementation of Apple School Manager; however, the timeline for this to be done is at the discretion of the individual IT director.
- This Standard does not include University-owned servers, Internet of Things (“IoT”) devices (e.g., smart TVs), or audio-visual equipment (e.g., monitors, projectors). Minimum security requirements for University servers can be found in the Secure Server Standard.
- University Devices used for research purposes may be subject to specific data protections (e.g., federal regulations, data use agreements, NDAs) that require exceeding the requirements identified within this Standard due to the sensitivity of the data associated with the device.
- University Devices used for research purposes may not have the ability to meet the requirements identified in this Standard because they are operating highly specialized equipment. Researchers and IT directors must work with ISS to determine the appropriate compensating security controls for such devices. Should a device be identified as High-Risk to the University Campus Network, it must be removed.
- Devices that do not support encryption must be protected with compensating security controls (e.g., used off-network) and replaced as soon as possible with devices that do support encryption.
- “Administrative Privileges” means access that bypasses access controls, so errors made by a privileged user may have catastrophic consequences, resulting in data loss or significant downtime. Many types of malware infect systems by changing system configurations and installing new services, activities generally limited to privileged users. Any malware encountered by a privileged user will also run as a privileged user. Network services that run as privileged accounts also present a significant risk if a vulnerability is exploited by an attacker.
- “Authenticate” means the requirements that individuals enter their WVU Login credentials in order to access a University Device or the University Campus Network.
- “Computer Lab” means a space or location, such as a room or dedicated section of a University building, solely designed to provide shared computer services to WVU students, faculty, employees, or other Authorized Individuals. Computer Labs provide the tools and technologies to edit papers, complete class assignments, communicate via email, conduct data analysis, and access library resources.
- "Critical Patches” mean Critical Vulnerabilities also identified as ‘Exploit Available’ within Netvuln.
- “Enterprise Directory Services” means the shared information gathered from authoritative sources on campus that provides the comprehensive picture of an individual’s relationship with the University by merging identification and role information. The technical components that work in whole, or in part, to verify the authenticity of a personal identity or a resource include Active Directory (AD), Azure Active Directory, Active Directory Federation Services (ADFS), Shibboleth, and Central Authentication Service (CAS).
- "Firewall" means a system designed to prevent unauthorized access to or from the University Campus Network. Insufficient restrictions on system access over the network increases exposure to attacks from viruses, worms, spyware, and may also facilitate undesired access to resources. Not having a rule that denies incoming traffic by default unnecessarily exposes a system to compromise. Firewalls include host-based, which run on an individual computer or device connected to the network to protect the individual hosts from spreading viruses and malware, and network-based that are built into the infrastructure of the cloud or a virtual firewall service that filters data as it travels from the Internet to the devices on the University Campus Network.
- “High-Risk” means a device that has vulnerabilities or weaknesses within an application, process, or design that can be leveraged to compromise or use it maliciously. The risk level can be further escalated based on the sensitivity of the data associated with the device.
- “Internet of Things (IoT)” means objects or devices not traditionally connected to the network that contain electronics, software, sensors, and actuators which allows them to connect, interact, and exchange data with the University Campus Network such as appliances, automobiles, smart TVs, and smart speakers.
- “Intune” means Microsoft’s modern mobile device management (MDM) framework. WVU is moving Windows devices to Azure Active Directory and Intune Management for laptops and remote work scenarios. This will be the preferred Windows management platform in the future.
- “IT Asset” means a University-owned information system, hardware, software, or services used in the course of University business activity.
- “IT Asset Inventory” means a detailed record of the University-owned IT Assets and classify assets in accordance with business criticality. It is the decision of the individual IT directors as to how they maintain an adequate IT Asset Inventory provided it offers the ability to add, assign, locate, and remove all IT Assets within their responsibility. ITS manages its IT Asset Inventory and warranty information using Lansweeper.
- “Jamf Pro” means a product that enables ITS to manage the deployment and security of Mac devices across the WVU enterprise.
- "Kiosk” means a standalone computer terminal with specialized hardware and software that provides access to a specific application or data ONLY. Controls must be in place to prevent usage of the Kiosk in any other way.
- “Lansweeper” means an IT asset management and network inventory software tool for Windows OS.
- “Malware” means malicious software that is designed to provide unauthorized access or perform unauthorized actions on a system.
- “NoMAD” means a product that allows Macs to be moved off Enterprise Directory Services while still allowing users to sign in with their Login credentials.
- “Presentation Station” means a space within a classroom, auditorium, or other location used by WVU students, faculty, employees and/or other Authorized Individual to give presentations and/or lectures. Presentation Stations are usually connected to a projector, camera, microphone, or other audio/visual component required to give presentations.
- “Real-Time Scanning” means anti-malware software that analyzes files and programs as they are accessed to prevent the user from unknowingly becoming infected.
- “SCCM” means the Microsoft System Center Configuration Manager, which is a product that enables ITS to manage the deployment and security of Windows devices and applications across the University enterprise.
- “SecureDoc” means a WinMagic product that provides full-disk encryption for Windows machines.
- “Software Patch Updates” means a solution for fixing vulnerabilities in an OS or software that are provided by the entity supporting the OS or software.
- “Supported Operating System” means that the entity providing the OS, be it a vendor, open source, or an individual, is actively and routinely providing and deploying patches and security updates for the OS.
- "Teaching Lab” means a space or location, such as a classroom, primarily designed and equipped to provide students first-hand experience to reinforce course concepts introduced in lectures. Teaching Labs are designed to provide students the opportunity to explore methods used within their discipline through the use of shared equipment.
- “Unauthorized Access” means when someone gains access to University Data or Technology Resources using someone else’s credentials or other methods such as accessing University Data for reasons unrelated to intended access.
- “University Data” means data created, received, maintained, or transmitted by or on behalf of the University through the course of its academic, administrative, research, or outreach activities.
- “University Devices” means laptops, computers, notebooks, tablets, and smartphones owned by the University that are used to collect, store, access, transmit, carry, use, or hold any University Data whether during or outside of normal working hours and whether it is used at a normal place of work or not.
- “University Campus Network” means both wired and wireless components, devices, or networks that are connected to the campus network.