Endpoint Security Standard
Last Revised 2020-03-02 JW
Endpoints connecting to Notre Dame networks and services must be configured securely. Notre Dame provides IT resources and Internet connectivity to a large population of users, including students, faculty, staff, affiliates, and many non-affiliated users. Protecting those users and resources from cyber threats is critical to the operation of the University. This standard provides rules and guidance for safe endpoint computing with Notre Dame networks and services.
This standard applies to all endpoints (workstations, laptops, mobile phones, tablets, and personal computing devices) connecting to Notre Dame networks and/or IT services. “Guests”, who connect to guest networks for the sole purpose of Internet access, are out of the scope of this standard. Additionally, enterprise systems, e.g. servers and network appliances, have their own security standards and are out of scope. All other exceptions to this standard must receive a variance from OIT/OCIO Information Security or they may not connect to Notre Dame networks and services.
This standard is intended to reflect the minimum level of care necessary to protect Notre Dame. It does not relieve staff, faculty, consultants, or vendors of further obligations that may be imposed by law, regulation or contract.
1. All endpoints connecting to Notre Dame networks and/or IT services:
a. Must run a supported operating system.
b. Must be patched to the latest release of their operating system version within 30 days of critical or high vulnerability patch releases.
c. Must have antivirus with up-to-date malware definitions for all devices where antivirus is widely available for the operating system.
2. All University owned endpoints:
a. Must use Notre Dame’s enterprise endpoint management services if they are provisioned for that endpoint’s platform, e.g. Windows systems must be enrolled in Microsoft’s System Center Configuration Manager.
b. For Windows endpoints, must be joined to Notre Dame’s Active Directory service.
c. Must use full disk encryption, including any external storage devices.
d. May only use University approved software.
e. Must be sent to NDSurplus at the end of their life cycle for disposal, or have their local drive wiped of all Notre Dame data and software before being repurposed.
3. All endpoints connecting to Notre Dame services that store or transmit University sensitive data:
a. Must use full disk encryption, including any external storage devices.
b. Must be secured with an authentication password or PIN where applicable. Additionally, these endpoints must be configured with an automatic screen lock of no more than 10 minutes.
c. May never store highly sensitive data on the local endpoint, and it is strongly recommended that sensitive data not be stored on the local endpoint either.
1. Notre Dame Information Security Policy: https://policy.nd.edu/assets/185243/information_security_2018.pdf
2. Notre Dame Responsible Use of Data and IT Resources Policy: https://policy.nd.edu/assets/185268/responsible_use_it_resources_2015.pdf