University-Owned Devices Standard
Standard Number: IT.1.1.1S
Category: Acceptable Use of Technology
Owner: Enterprise Support
Effective: December 31, 2019
Revision History: Originally effective February 1, 2019
Review Date: December 30, 2022
Purpose, Scope, and Responsibilities
- The purpose of this Standard is to identify the minimum requirements for all University-owned devices (“University Devices”) including desktops, laptops, notebooks, and mobile devices, to ensure the reliability and security of University Technology Resources and University Data.
- All University Devices used by faculty, staff, students, or other Authorized Individuals must meet this Standard, regardless of manufacturer, function of the system, or whether the device is primarily connected to the Campus Network or not. Personally owned devices that connect to the University Campus Network must meet the requirements of the Bring Your Own Device Standard.
- The Executive Director for Enterprise Support is responsible for the implementation of this Standard. Endpoint Management & Outbound Support is responsible for the deployment, management, and support of ITS-managed University Devices, as well as maintaining an inventory of all ITS-managed devices.
- College IT Directors are responsible for maintaining an inventory of all the devices they oversee, ensuring that all departmentally-managed University Devices meet or exceed this Standard, and identifying any out-of-date or unsupported software on University Devices within their area of responsibility.
- Information Security Services (“ISS”) is responsible for conducting scans of the University Campus Network to identify security vulnerabilities and reviewing all exceptions to this Standard. All exception requests will be forwarded to Senior Management for approval.
- Senior Management is responsible for approving continued use of out-of-date or unsupported University Devices and/or software on University Devices.
Desktops, Laptops, and Notebooks
- To ensure consistency of University Device management across campus, all newly purchased devices must:
- Be enrolled in SCCM and/or Intune (Windows machines);
- Be enrolled in Jamf Pro and NoMAD (Mac machines); and,
- Support encryption (e.g., TPM chip 1.2 or higher).
- The following University-provided security software must be installed and kept up to date on all University Devices:
- Anti-Virus. Must run Real-Time Scanning and/or scan the device regularly to prevent, detect, and remove malware;
- Identity Finder ("IDF"). Scans all devices to identify and remove data classified as Sensitive Data pursuant to the Sensitive Data Protection Policy; and,
- Lansweeper. Gathers hardware and software information to facilitate tracking and inventorying of devices.
- All University Devices must:
- Be configured to lock and require a user to re-authenticate if left unattended for more than 15 minutes. Devices that do not support this capability must be secured alternatively, such as restricting physical access to it in a locked room;
- Run a Supported Operating System. Use of out-of-date operating systems that are not being actively updated to address new security concerns is prohibited;
- Be configured to allow ISS to scan them for potential vulnerabilities;
- Be encrypted with whole disk encryption using BitLocker or SecureDoc for Windows or FileVault for macOS. Devices that do not support encryption must be protected with compensating security controls (e.g., used off-network) and replaced as soon as possible with devices that do support encryption;
- Enable a host-based Firewall (if available) and configure to block all inbound traffic that is not explicitly required for the intended use of the device. Use of a network-based Firewall does not remove the need for the host-based Firewalls;
- Restrict Administrative Privileges to faculty and staff on the devices assigned to them based on approval of their unit. University IT staff will maintain administrative access to all University Devices in their unit.
- Administrative access for other users or on multiple devices is granted by approval of college IT director;
- Be sanitized by the appropriate college IT staff prior to being reused within the department or college to prevent unauthorized access of University Data or University-licensed software; and,
- Be returned to the college IT staff when no longer being used. Discarding University Devices directly through the Surplus Redistribution Center is strictly prohibited.
- All Windows machines must be authenticated against Enterprise Directory Services.
- Software Patch Updates and security updates must be deployed to devices as soon as practically possible through SCCM/Jamf, but no later than ninety (90) calendar days after the patch becomes available. Patches should be tested on development systems prior to being rolled out to production, where possible. Out-of-date software or software that is no longer supported by the vendor is strongly discouraged.
- If the University Device will utilize Microsoft Office, a Microsoft-supported version of Office is required. Office 365 ProPlus client is preferred.
- All efforts must be made not to repurpose University Devices that are out of warranty.
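The desktop and laptop requirements above are stated as configuration outcomes (lock after 15 minutes, whole disk encryption, default-deny inbound host firewall, restricted administrative access, patches within 90 days, Enterprise Directory authentication). The script below is an added, read-only example of how a college IT staff member could spot-check a Windows device against them before a hand-off or reuse; it is not part of the Standard and not an ITS tool. It assumes only stock Windows cmdlets; the 900-second and 90-day thresholds are taken from the Standard, and the checks for SecureDoc, Intune and Identity Finder are deliberately out of scope.

```powershell
# Added example (not part of the University-Owned Devices Standard): read-only
# compliance spot-check for the Windows desktop/laptop requirements.
# Run in an elevated PowerShell on the device. Each check records $true/$false
# (or a list, for local admins) in $results and prints a summary at the end.
# Assumptions: thresholds (900 s, 90 days) come from the Standard; cmdlets and
# registry paths are standard Windows 10/11 with PowerShell 5.1 or later.

$results = [ordered]@{}

# 1. Screen lock: machine-wide inactivity limit ("Interactive logon: Machine
#    inactivity limit") must be set and no greater than 15 minutes (900 s).
#    A per-user screensaver timeout (HKCU ScreenSaveTimeOut) would also satisfy
#    the Standard but is not checked here.
$polPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$timeout = (Get-ItemProperty -Path $polPath -Name InactivityTimeoutSecs `
            -ErrorAction SilentlyContinue).InactivityTimeoutSecs
$results['ScreenLock15min'] = ($null -ne $timeout) -and ($timeout -gt 0) -and ($timeout -le 900)

# 2. Whole disk encryption: OS volume fully encrypted by BitLocker and
#    protection switched on (a suspended volume reports ProtectionStatus Off).
$osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
$results['BitLockerOSVolume'] = ($null -ne $osVol) -and
    ([string]$osVol.VolumeStatus -eq 'FullyEncrypted') -and
    ([string]$osVol.ProtectionStatus -eq 'On')

# 3. TPM present and ready (the Standard requires TPM 1.2 or higher).
$tpm = Get-Tpm -ErrorAction SilentlyContinue
$results['TpmReady'] = ($null -ne $tpm) -and [bool]$tpm.TpmPresent -and [bool]$tpm.TpmReady

# 4. Host firewall: every profile (Domain/Private/Public) enabled with the
#    default inbound action set to Block; explicit allow rules are still
#    permitted for the device's intended use.
$badProfiles = @(Get-NetFirewallProfile | Where-Object {
    ([string]$_.Enabled -ne 'True') -or ([string]$_.DefaultInboundAction -ne 'Block')
})
$results['FirewallDefaultDenyInbound'] = ($badProfiles.Count -eq 0)

# 5. Administrative Privileges: list local Administrators so the reviewer can
#    compare against the unit's approvals (the script cannot know who is approved).
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
          Select-Object -ExpandProperty Name
$results['LocalAdmins'] = ($admins -join '; ')

# 6. Patching: most recent installed update within 90 calendar days.
#    Get-HotFix only lists updates recorded by the Windows Installer/CBS, so a
#    $false here is a prompt to look at SCCM/Windows Update history, not proof.
$lastHotfix = Get-HotFix | Where-Object { $_.InstalledOn } |
              Sort-Object InstalledOn -Descending | Select-Object -First 1
$results['PatchedWithin90Days'] = ($null -ne $lastHotfix) -and
    ($lastHotfix.InstalledOn -ge (Get-Date).AddDays(-90))

# 7. Enterprise Directory Services: Windows machines must be domain-joined.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$results['DomainJoined'] = [bool]$cs.PartOfDomain

# 8. SCCM enrollment: the Configuration Manager client service (CcmExec) running.
$ccm = Get-Service -Name CcmExec -ErrorAction SilentlyContinue
$results['SccmClientRunning'] = ($null -ne $ccm) -and ([string]$ccm.Status -eq 'Running')

# Summary; any $false is a finding to resolve or to route through the
# exception process described later in the Standard.
$results.GetEnumerator() | ForEach-Object { '{0,-28} {1}' -f $_.Key, $_.Value }
```

The checks are intentionally conservative: an absent value is reported as non-compliant rather than assumed fine, and the local-administrator check only surfaces the membership list, since whether a given faculty or staff account is approved is a decision of the unit, not something the device can answer.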
Mobile Devices
- The following controls must be applied to all University-owned Mobile Devices (e.g., smartphones, tablets) that store, have access to, and/or process University Data. All University Mobile Devices must be:
- Secured with, at minimum, a four-digit PIN to prevent Unauthorized Access when the device is left unattended;
- Configured to lock after being inactive for 15 minutes;
- Configured to encrypt local data to protect data stored on the device in the event it is lost or stolen;
- Configured with a remote location/erase application (e.g., Find My iPhone) so that the device can be located and recovered if lost. It should also be configured so that it can be erased if it is not recoverable; and,
- Sanitized prior to disposal or reuse.
- All new Apple mobile devices purchased will be set up via Apple School Manager and managed by Jamf. All new Apple mobile devices must not be associated with an individual’s personal Apple ID account.
Exceptions
- Devices with the intended purpose of providing unauthenticated access (e.g., kiosks) will not be required to use Enterprise Directory Services.
- ISS must approve all devices that have a business requirement to opt out of locking after 15 minutes of inactivity.
- The use of out-of-date software or software no longer supported by the vendor must be approved for use by the appropriate college IT director in conjunction with ISS to ensure appropriate security controls are in place. When ISS identifies that an out-of-date software has security vulnerabilities, it will notify the appropriate IT director to remove the software.
- All efforts should be made to remove individual Apple IDs from University-owned Apple mobile devices purchased before the implementation of Apple School Manager; however, the timeline for this to be done is at the discretion of the individual IT director.
- This Standard does not include University-owned servers, Internet of Things (“IoT”) devices (e.g., smart TVs), or audio-visual equipment (e.g., monitors, projectors). Minimum security requirements for University servers can be found in the Secure Server Standard.
- University Devices used for research purposes may be subject to specific data protections (e.g., federal regulations, data use agreements, NDAs) that require exceeding the requirements identified within this Standard due to the sensitivity of the data associated with the device.
- University Devices used for research purposes may not have the ability to meet the requirements identified in this Standard because they are operating highly specialized equipment. Researchers and IT directors must work with ITS to determine the appropriate compensating security controls for such devices. Should a device be identified as High-Risk to the University Campus Network, it must be removed.
Definitions
- “Administrative Privileges” means access that bypasses access controls. Errors made by a privileged user may therefore have catastrophic consequences, resulting in data loss or significant downtime. Many types of malware infect systems by changing system configurations and installing new services, activities generally limited to privileged users, and any malware encountered by a privileged user will also run with that user's privileges. Network services that run under privileged accounts present the same risk if a vulnerability in them is exploited by an attacker.
- “Authenticate” means the requirement that individuals enter their WVU Login credentials in order to access a University Device or the University Campus Network.
- “Enterprise Directory Services” means the shared information gathered from authoritative sources on campus that provides the comprehensive picture of an individual’s relationship with the University by merging identification and role information. The technical components that work in whole, or in part, to verify the authenticity of a personal identity or a resource include Active Directory (AD), Active Directory Federation Services (ADFS), Shibboleth, and Central Authentication Service (CAS).
- “Internet of Things (IoT)” means objects or devices not traditionally connected to the network that contain electronics, software, sensors, and actuators which allows them to connect, interact, and exchange data with the University Campus Network such as appliances, automobiles, smart TVs, and smart speakers.
- “IT Asset” means a University-owned information system, hardware, software, or services used in the course of University business activity.
- “IT Asset Inventory” means a detailed record of the University-owned IT Assets that classifies each asset in accordance with business criticality. It is the decision of the individual IT directors as to how they maintain an adequate IT Asset Inventory, provided it offers the ability to add, assign, locate, and remove all IT Assets within their responsibility. ITS manages its IT Asset Inventory and warranty information using Lansweeper.
- "Firewall" means a system designed to prevent unauthorized access to or from the University Campus Network. Insufficient restrictions on system access over the network increase exposure to attacks from viruses, worms, and spyware, and may also facilitate undesired access to resources. Not having a rule that denies incoming traffic by default unnecessarily exposes a system to compromise. Firewalls include host-based firewalls, which run on an individual computer or device connected to the network and protect that host from (and from spreading) viruses and malware, and network-based firewalls, which are built into the network or cloud infrastructure or provided as a virtual firewall service and filter traffic as it travels from the Internet to devices on the University Campus Network.
- “High-Risk” means a device that has vulnerabilities or weaknesses within an application, process, or design that can be leveraged to compromise or use it maliciously. The risk level can be further escalated based on the sensitivity of the data associated with the device.
- “Intune” means Microsoft's cloud-based device management service, which ITS uses to manage Windows PCs, including those running legacy operating systems (e.g., Windows 7) that cannot be enrolled and managed as mobile devices.
- “Jamf Pro” means a product that enables ITS to manage the deployment and security of Mac devices across the WVU enterprise.
- “Lansweeper” means an IT asset management and network inventory software tool for Windows OS.
- “Malware” means malicious software that is designed to provide unauthorized access or perform unauthorized actions on a system.
- “NoMAD” means a product that allows Macs to be unbound from Enterprise Directory Services (Active Directory) while still allowing users to sign in with their WVU Login credentials.
- “Real-Time Scanning” means an anti-malware mode that analyzes files and programs as they are written to, opened, or executed on a system, to prevent the user from unknowingly becoming infected.
- “SCCM” means the Microsoft System Center Configuration Manager, which is a product that enables ITS to manage the deployment and security of Windows devices and applications across the University enterprise.
- “SecureDoc” means a WinMagic product that provides full-disk encryption for Windows machines.
- “Software Patch Updates” means a solution for fixing vulnerabilities in an OS or software that are provided by the entity supporting the OS or software.
- “Supported Operating System” means that the entity providing the OS, be it a vendor, open source, or an individual, is actively and routinely providing and deploying patches and security updates for the OS.
- “Unauthorized Access” means when someone gains access to University Data or Technology Resources using someone else’s credentials or other methods such as accessing University Data for reasons unrelated to intended access.
- “University Data” means data created, received, maintained, or transmitted by or on behalf of the University through the course of its academic, administrative, research, or outreach activities.
- “University Devices” means laptops, computers, notebooks, tablets, and smartphones owned by the University that are used to collect, store, access, transmit, carry, use, or hold any University Data whether during or outside of normal working hours and whether it is used at a normal place of work or not.
- “University Campus Network” means both wired and wireless components, devices, or networks that are connected to the campus network.