Computer Endpoint Security Standards

Policy Information
Policy Title: Computer Endpoint Security Standards
Responsible Office: Office of the Chief Information Security Officer (ITS)
Policy Type: Information Technology
Policy Number: 309
Last Revision Date: 11/6/2023

Philosophy

The incidence of cyber-attacks, including ransomware, has been on an exponential increase in the last several years. A large number of organizations and institutions have experienced cyber-attacks that resulted in some or significant disruption to their ability to conduct their function and business. Preparedness and protection against cyber-attacks have become one of the most critical and required steps in safeguarding business continuity and protecting institutional resources and data. One of the many steps an institution can take is establishing and ensuring computing endpoint standards. This policy lists benefits, approaches, and specific action items regarding the computing endpoint standards.

Purpose

The university computer endpoint security standard sets consistent requirements for university-owned devices and recommendations for non-university-owned devices that connect to the university network, in order to protect institutional data and meet the cybersecurity requirements in higher education. These standards extend greater protection to institutional data, individually stored files, and intellectual property. These standards can cover hardware, software, security configurations, and other aspects. Here are several benefits of setting endpoint standards:

  • Security Enhancement: Establishing endpoint standards helps in enforcing consistent security measures across all devices. This can include encryption protocols, password policies, access controls, and antivirus requirements. Standardized security configurations reduce vulnerabilities and the risk of cyber-attacks.
  • Compliance and Regulation Adherence: Compliance with industry or regulatory requirements, such as GDPR, HIPAA, or PCI DSS, is critical for many organizations. Endpoint standards ensure that devices meet these compliance requirements, avoiding potential legal issues or penalties associated with non-compliance.
  • Streamlined IT Management: Standardizing endpoints makes it easier to manage and maintain a consistent IT environment. IT staff can easily troubleshoot, update, or upgrade devices since they adhere to predefined configurations and software versions.
  • Interoperability and Integration: Endpoint standards promote interoperability, ensuring that devices can seamlessly communicate and work together. This facilitates integration of new technologies and applications, enhancing overall productivity and efficiency.
  • Cost Reduction: Standardizing endpoints can reduce costs associated with device procurement, maintenance, and support. By limiting the variety of hardware and software, organizations can negotiate better deals with vendors, optimize licensing, and streamline support services.
  • Improved Performance and Reliability: Having consistent configurations and specifications for endpoints ensures predictable performance levels. It reduces the likelihood of unexpected issues, downtime, or system failures due to incompatible hardware or software.
  • Ease of Scalability: Standardized endpoints facilitate scalability and growth within an organization. When new devices need to be added to the network, they can be quickly integrated since they adhere to the established standards.
  • Risk Mitigation: Endpoint standards help mitigate risks associated with non-standard or insecure configurations. By enforcing known secure settings and practices, organizations minimize potential risks to their data, systems, and operations.
  • Enhanced User Experience: Standardized endpoints provide a consistent user experience across devices. Users are familiar with the setup and operation, reducing training needs and improving user satisfaction.
  • Data Protection and Privacy: Endpoint standards can define data handling and privacy measures, ensuring that sensitive information is handled appropriately and in compliance with privacy regulations. This helps protect organizational and user data.

Definitions

Endpoint – a computing device that is connected to the university network in either a wired or wireless fashion. Examples include Desktops, Laptops, Smartphones, Tablets, Servers, Workstations, Printers, and Internet-of-things (IoT) devices.

Policy Statement

Minimum Security Standards for Endpoints:

  1. Security Patching
    1. Automatic Updates should be enabled.
    2. Ensure third-party software is maintained and patched.
    3. It is recommended that Operating Systems and Applications are updated and patched when patches become available. 
  2. Password Authentication
    1. All systems must require password authentication.
    2. All systems must be restricted to authorized users of the device.
  3. Firewall
    1. Enable host-based firewall in a default deny mode and permit the minimum necessary services.
  4. Endpoint Security (Endpoint Detection and Response, Anti-Virus and Malware Protection)
    1. Install university-approved Endpoint Security, which includes antivirus/anti-malware tools with automatic updates and scanning enabled.
  5. Supported Operating Systems
    1. Use operating systems for which updates are available when security vulnerabilities are discovered.
  6. Supported Software
    1. Use software for which updates are available when security vulnerabilities are discovered.
  7. Standard Account Login
    1. Account login should be with a standard account, not an administrator account.
  8. Administrative Account Privileges
    1. End users with a legitimate university purpose may be granted a local device administrative account with elevated privileges on a local machine. The privileged administrative account should be separate and unique from the end user’s university account and should only be used for necessary administrative tasks. This privileged administrative account should have limited access to network shares or servers whenever possible.
  9. Whole Disk Encryption
    1. Encryption is recommended for local hard drives, storage devices, external hard drives, and portable devices storing or processing data. BitLocker (Windows) and FileVault (macOS) are recommended.

The above are the minimum standards. For a limited number of groups of endpoints, stricter standards may become necessary due to federal and state laws and/or SUNY and local regulations.

This policy and standards will be reviewed at least once a year and revised as necessary or re-confirmed as is.

Scope

All endpoint devices that are owned by the university are subject to this policy. 

Additionally, the standards in this policy are recommended for endpoint devices that are not owned by the university but connect to the university network.

Procedure

ITS will automatically apply the standards in this policy to all endpoint devices it manages on a gradual basis until all are compliant. Some of the standards are established as guidelines. They will be applied as they are tested and are ready for full distribution.

Divisions and departments which are self-supported are required to follow the same process as above. ITS will provide information and consulting as necessary. 

In certain cases, it may be necessary to make exceptions to the standards specified in this policy. The Chief Information Security Officer of the university will make the final decision in those cases.

Revision and Approval History

Date                Description of Change                  Reviewer
6 November 2023     Reformatted as Management Procedure    Niyazi Bodur
29 August 2023      Approved                               SOG
22 November 2022    Presented to                           Faculty Senate Executive Committee
12 April 2022       Endorsed                               Information and Education Technology Committee
22 January 2021     Endorsed                               IT Task Force
19 January 2021     Drafted                                ITS