My work involves sensitive data that can only be accessed by specific individuals.
Doesn’t requiring machines to be authenticated using Enterprise Directory Services
make devices less secure, since that would allow anyone with WVU Login credentials
to access the device?
Enterprise Directory Services authentication does allow users to use their WVU
Login credentials to access University technology resources; however, if required,
specific machines can be configured to allow only particular people to access them.
All machines that authenticate to Enterprise Directory Services can be scanned
by ITS to monitor and identify security vulnerabilities across the University network
as well as managed and updated remotely.
My device will only be used off-campus. Using Enterprise Directory Services authentication
would be unnecessary since the computer will rarely be on the University network
to scan or update remotely.
ITS has started to manage off-campus devices, such as travel machines, using Azure/InTune
which only requires an internet connection to scan and update. We will be working
with more colleges this upcoming year to implement Azure/InTune for their devices
that are used off-campus.
As part of our contract with it, a vendor provides a computer that runs the specific
technology system we purchased. Would this standard apply?
If a machine is owned and operated by a vendor but it is running a technology application
at WVU, the requirements within this standard would not apply because the device
is not owned by the University; however, should a device be identified as a security
vulnerability to the University network, ITS will request it be removed.
The warranty requirement in this document is unrealistic. Are you going to provide
funds for us to purchase new devices every three years?
ITS strongly recommends not using or repurposing devices that are out of warranty,
but this statement does not mean that the use of out-of-warranty devices is strictly
prohibited. ITS understands the budget constraints we are all under and that some
colleges follow their own upgrade cycles. With the closing of our Computer Repair
Assistance program last year, ITS made the decision to no longer work on machines
that are out of warranty or test deployments on machines older than five years.
Individual colleges have made similar determinations and started purchasing extended
warranties. Similarly, if there are college IT groups that do choose to repair
and troubleshoot older devices, that is up to the IT director. However, should
an out-of-warranty machine be identified as a security vulnerability to the University,
ITS will request that it be removed from the network.
My student workers use old, out-of-warranty devices that would not function if
we encrypted them. What should I do with these devices?
ITS understands that replacing old devices will be a continual process. The standard
requires that all newly-purchased desktops, laptops, and notebooks must support
encryption and be encrypted with whole disk encryption prior to use. Older devices
that do not support encryption must be protected with compensating controls (e.g.,
used off-network) and replaced as soon as possible with a device that does support
encryption. Contact ITS if you need assistance identifying appropriate compensating
security controls for the device.
Is there a specific software that we need to use to maintain our IT asset inventory?
An internal audit completed in 2018 required that a full technology asset inventory
be compiled across campus. This standard now requires that an asset inventory be
maintained; however, it does not identify a specific software to use. Some colleges
have a full inventory maintained on a spreadsheet and that is acceptable. ITS has
chosen Lansweeper as our enterprise inventory tool. We are currently testing both
the installed agent and agentless scanning capabilities to determine the best enterprise
option. We hope to release it for use outside of ITS and provide support for
it by the end of 2019.
Requiring Macs to be registered in JamF is going to be an additional financial
burden on colleges since those licenses aren’t covered centrally, like SCCM.
Is ITS going to cover those costs?
ITS is notified when a new Mac machine is purchased through Mountaineer Marketplace
and then assigns the device to the appropriate management group within JamF Pro.
If the group is not using JamF, the device is not assigned. Currently, ITS has
been covering the costs for groups who have fewer than 20 devices within JamF; however,
we will begin covering all the costs for JamF Pro licensing, as we do for SCCM,
beginning FY2020.
My research involves using highly-specialized equipment that is operated by an
out-of-warranty machine that I cannot afford to replace. What should I do to
be in compliance with this standard?
ITS acknowledges that WVU is an R1 institution and has research labs across campus
running equipment that may not be able to meet the requirements outlined in this
standard and that cannot easily be replaced or upgraded due to budget issues. If there
is a research facility or device that cannot meet the standards identified, please
notify ITS and request an exception to the standard. We will work with you to ensure
appropriate
security controls are in place to protect the device, your data, and the University
network.
I don’t understand how Apple School Manager works. Does this mean that I’ll now
have a personal Apple ID and a University-issued Apple ID?
Apple School Manager allows all University-owned mobile devices (iPhones, iPads)
to be managed in a central University account and not through the individual’s
Apple ID account. This way, central IT can install updates and upgrades to the
device without requiring it to be physically brought to IT. Additionally, devices
can be shared between employees while providing a personalized experience for each.
What do you mean when you say devices must run a supported operating system? Does
this also include open-source software?
University-owned devices must run an operating system that is supported by either
a vendor, open source community, or an individual. That means the entity that developed
the OS must be actively and routinely providing and deploying patches and security
updates.
We are an academic institution that teaches operating systems. Does this standard
apply to our students?
ITS acknowledges that WVU is first and foremost an academic institution and that
students will learn to develop operating systems. Students that deploy operating
systems on virtual machines or within coding environments would not be subject
to compliance with this standard. Students that develop and deploy operating systems
on bare-metal machines that are owned by the University would be responsible for
maintaining the OS and ensuring it is adequately patched and secured while the
machine is being utilized at the University.
I have a monthly meeting that requires reviewing information using a computer in
a conference room. The computer locking every 15 minutes is annoying. Can I set
that computer never to lock?
ITS highly discourages this practice. To prevent screens locking during a long
meeting or presentation, set the computer to presentation mode or temporarily change
the settings just for the meeting. A computer that is set to never lock will be
left unsecured for the other 29 days of the month.
What do you mean when you say that devices must be “sanitized” prior to going to
surplus?
ITS is currently working to develop a new standard that outlines how data should
be cleaned off University-owned devices prior to sending them to surplus to ensure
that all University data is securely removed. We plan to release more information
about this process as it is finalized.