Endpoint Security Standard
I. Purpose
The Responsible Use of Data and Information Technology Resources policy states that users of Notre Dame computer networks and services are responsible for the security of their devices. This standard provides guidance for secure endpoint computing with Notre Dame networks and services.
II. Scope
This standard applies to all endpoints connecting to Notre Dame networks and/or IT managed services including but not limited to: workstations, laptops, mobile phones, tablets, smart devices, and personal computing devices used to carry out university business.
The OIT Security Office provides interpretation of this standard. Authorization for exceptions to this standard may be issued by the Chief Information Security Officer or their designee.
This standard is intended to reflect the minimum level of care necessary to protect Notre Dame. It does not relieve any user of further obligations that may be imposed by law, regulation, or contract.
III. Reason
Information technology has become vital in supporting all of Notre Dame’s operations. The diverse and ever expanding complex technology environment at Notre Dame comes with a diverse and ever expanding threat surface. As this threat surface grows so does the risk of cyber attack.
IV. Procedure
Apply the appropriate safeguards from the information security standards below as applicable to the IT resource based on its security category. The security category defines the minimum requirements for that level.
Request an exception if applicable and relevant safeguards cannot practicably be applied to a particular IT resource. [request process coming soon]
IV.Minimum Security Controls for University Owned Endpoint
|
Security Control |
Recommended Procedure |
Applies to: | |
|
All endpoints |
Endpoints accessing or storing HSI | ||
|
Vendor Supported OS (Current) |
Use a vendor supported operating system that provides updates and customer support |
x |
x |
|
OS Patching |
Apply operating system updates within 30 days of published date |
x |
x |
|
Critical Security Patching |
Apply critical security patches for both operating system or software within 7 days |
x |
x |
|
Malware/Antivirus Protection |
Install and run antivirus and malware detection software on all supported university owned devices |
x |
x |
|
Meet ND account and password standard |
Password must meet ND minimum requirements |
x |
x |
|
Whole Disk Encryption |
Enable encryption for the entire disk of your university owned device |
x |
x |
|
OS Firewall Enabled |
Enable (Leave enabled) the operating system's native software firewall |
x |
x |
|
Third-Party Patching |
Apply security patches within 7 days of published date |
x |
x |
|
Device Backup |
Backup user data regularly to protect against theft or ransomware |
x |
x |
|
Inventory/LifeCycle |
Maintain inventory of ND owned devices. Retire devices according to ND hardware lifecycle standard |
x |
x |
|
Managed Administrative Access |
Ensure local administrative account passwords are managed securely |
x |
x |
|
HSI Additional Security Controls | |||
|
Centrally Managed |
Work areas that require handling of HSI or regulated data require workstations to be centrally managed |
x | |
|
STOP Tag |
x | ||
|
Restricted Admin Accounts |
Centrally managed administrator accounts |
x | |
|
Regulated Data Security Controls |
Implement HIPAA, FERPA, PCI-DSS controls as applicable. |
x | |
IV. Resources
1. Notre Dame Information Security Policy: https://policy.nd.edu/assets/185243/information_security_2018.pdf
2. Notre Dame Responsible Use of Data and IT Resources Policy: https://policy.nd.edu/assets/185268/responsible_use_it_resources_2015.pdf