This site requires JavaScript to be enabled
An updated version of this article is available. You can only edit the latest version of the article
8062 views

11.0 - Updated on 2023-08-02 by Cassie McCan

10.0 - Updated on 2022-08-26 by Cassie McCan

9.0 - Updated on 2022-08-26 by Cassie McCan

8.0 - Updated on 2022-08-26 by Cassie McCan

7.0 - Updated on 2022-08-26 by Cassie McCan

6.0 - Updated on 2022-08-26 by Cassie McCan

5.0 - Updated on 2022-08-26 by Cassie McCan

4.0 - Updated on 2022-08-15 by Cassie McCan

3.0 - Updated on 2022-08-12 by Cassie McCan

2.0 - Updated on 2022-06-08 by Paul Drake

1.0 - Authored on 2020-04-14 by Paul Drake

Endpoint Security Standard 

Last Revised July 2022: Ian Washburn

I. Purpose

The Responsible Use of Data and Information Technology Resources policy states that users of Notre Dame computer networks and services are responsible for the security of their devices. This standard provides guidance for secure endpoint computing with Notre Dame networks and services. 

II. Scope

This standard applies to all endpoints connecting to Notre Dame networks and/or IT managed services including but not limited to: workstations, laptops, mobile phones, tablets, smart devices, and personal computing devices used to carry out university business.

The Information Security division of the Office of Information Technology provides interpretation of this standard. Authorization for exceptions to this standard may be issued by the Chief Information Security Officer or their designee.

This standard is intended to reflect the minimum level of care necessary to protect Notre Dame. It does not relieve any user of further obligations that may be imposed by law, regulation, or contract.

III. Reason

Information technology has become vital in supporting all of Notre Dame’s operations. The diverse and ever expanding complex technology environment at Notre Dame comes with a diverse and ever expanding threat surface.  As this threat surface grows so does the risk of cyber attack.

Our increased use of technology also increases our risk of exposure as nearly all of the university’s critical systems and Highly Sensitive Information are digital. For this reason we must take the defense-in-depth approach to reduce the possibility of a data incident. Defense-in-depth uses a series of security measures to make access more difficult for attackers to bypass. All pieces are important for the protection of the system.

Automated attack tools like scanners and break-in scripts allow cyberattackers to scan entire networks for vulnerable systems. Systems that are not properly secured are likely to be discovered and can then be subject to intrusion. Data on vulnerable/exploited systems is at risk of compromise, alteration, or destruction. Such systems may also be used to compromise or initiate denial of service (DOS) or ransomware attacks against other university systems or systems at external sites.

IV. Procedure

Functional unit management, IT professionals, and users (as applicable) are required to apply appropriate safeguards to their respective IT resources as indicated in the standards listed below using the following high-level process:

Identify the security categorization of the IT resource (high, moderate, or low) following the Security Categorization Procedure.

Apply the appropriate safeguards from the information security standards below as applicable to the IT resource based on its security category. The security category defines the minimum requirements for that level.

Document technology-appropriate required safeguards in place and note gaps in required safeguards. For existing IT resources, units have up to one year from the last review/update date of this standard policy to close gaps in newly required applicable safeguards.

Request an exception if applicable and relevant safeguards cannot practicably be applied to a particular IT resource. [request process coming soon]

IV.Minimum Security Controls for University Owned Endpoint

*See linked Google Sheet. Unable to display all relevant rows and columns.

https://docs.google.com/spreadsheets/d/1gWOmAPe3v2zImAntaQPQEj5P_uDcb_NRRuHlpX6Yewk/edit?usp=sharing 

 

The OIT Help Desk is available to assist with guidance on meeting the endpoint security standard.  In the situation where a University-owned endpoint does not meet the minimum security standard (typically due to age of device), it must be delivered to the OIT Help Desk to be decommissioned. 

IV. Resources

1. Notre Dame Information Security Policy: https://policy.nd.edu/assets/185243/information_security_2018.pdf

2. Notre Dame Responsible Use of Data and IT Resources Policy: https://policy.nd.edu/assets/185268/responsible_use_it_resources_2015.pdf

 

Revised by Cassie McCan
Last modified 2022-08-12 10:44:51 AM