Security of Network-Connected Devices Standard

Table of Contents

1.  Purpose and Background
2.  Standards
     a) Security Requirements for Networked Devices
     b) Minimum Security Requirements for UVA Devices
     c) Additional Security Requirements for UVA Devices
     d) Minimum Security Requirements for Personally Owned Devices
     e) Devices Not Meeting Security Requirements
3.  Definitions
4.  Related Links
5.  Exceptions

1. Purpose and Background

Those responsible for devices connected to the University of Virginia network must take appropriate steps to secure those devices to prevent the introduction of threats to the University’s other information technology resources. The Information Security of University Technology Resources policy states that owners and overseers of the University’s information technology (IT) resources must take reasonable care to eliminate security vulnerabilities from those resources (see Information Security of University Technology Resources). This standard highlights user, owner, and overseer responsibilities for maintaining the security of network-connected devices and applies to all devices that connect to the University network.

2. Standards

Security Requirements for Networked Devices

Requirements for securing network-connected devices depend upon device type, ownership, and the classification level of any University or other regulated data stored on the device. Network-connected devices include all systems, whether personally or University-owned or managed, with the ability to connect to a wired or wireless network. This includes, but is not limited to, computers, laptops, desktops, servers (virtual or physical), smart phones, tablets, digital assistants, printers, copiers, network-aware devices with embedded electronic systems (i.e., “Internet of things”), and supervisory control and data acquisition (SCADA) and industrial control systems.

Minimum Security Requirements for UVA Devices

All owners and overseers of UVA-owned, leased, managed, controlled, or contracted network-connected devices must meet the following minimum security requirements, as relevant to the device type:

  • Devices must be running supported operating systems and firmware.
  • Operating systems and firmware must be kept current with the latest viable patches.
  • Devices capable of running anti-virus must have it installed and configured to run scheduled scans and to obtain the latest definitions as they become available.
  • Devices running network-aware applications must ensure applications are supported and licensed for use and are kept updated with the latest viable security updates.

Additional Security Requirements for UVA Devices

Centrally or Departmentally Managed University Devices

In addition to the minimum security requirements above, all owners and overseers of centrally and departmentally managed University devices must ensure the following, as appropriate to the device:

  • Where applicable to the device, vendor security patches to operating systems, firmware, and network-aware applications are expediently tested and, if viable, applied.
  • All unnecessary applications are removed or disabled.
  • Default passwords are changed.
  • Administrator-level access to servers is configured such that this activity is logged and tied to a specific user and that such logs cannot be altered.
  • Servers and other critical devices trigger alerts for suspicious activities or access.
  • Devices are configured to disallow the disabling of security features.

Note: In some cases, it is not possible to immediately apply a patch to University-managed devices, such as production servers that are critical to University business processes. In these cases, a patch will require testing prior to installation, and a formal downtime may need to be scheduled with all interested parties.

Individually Managed University Devices

All users of individually managed UVA devices are required to ensure that all devices under their care are patched and updated to match security levels of managed University devices. Users managing their own device(s) should consult the appropriate technical support personnel for guidance in meeting security requirements appropriate for the device(s) in question. 

Devices Accessing University Data

In addition to the minimum security requirements above, network-connected devices storing, transmitting, or processing University data must follow the requirements for the most sensitive data on the device as outlined in the University Data Protection Standards.

Devices Accessing Regulated Information

In addition to the minimum security requirements, owners and overseers of devices connecting to the UVA network that process, store, or transmit information that is covered by law, regulation, or contractual agreement, including, but not limited to, International Traffic in Arms Regulations (ITAR), Payment Card Industry Data Security Standard (PCI-DSS), Health Insurance Portability and Accountability Act (HIPAA), Family Educational Rights and Privacy Act (FERPA), Gramm-Leach-Bliley Act (GLBA), and/or Classified data must consult the applicable entity-provided resources that outline requirements for securing those devices.

Minimum Security Requirements for Personally-Owned Devices

It is recommended that all users follow the minimum security requirements above. However, all users connecting to the University network must do the following, as appropriate to the device:

  • If storing University data, follow the requirements for the most sensitive data on the device as outlined in the University Data Protection Standards.
  • Take reasonable care to install anti-virus and to regularly update operating systems, firmware, and applications.
  • Ensure that devices and operating systems that have reached vendor support end of life do not connect to the UVA network.

Devices Not Meeting Security Requirements

When University IT resources or privileges are impacted or could be impacted by an issue caused by a network-connected device or account, Information Technology Services (ITS), Information Security office (IS), or Health Information and Technology (Health IT) representatives acting on behalf of the University will make a risk-based decision whether or not to disconnect the offending device or account from the network. See Revocation Information Technology Resource Privileges Standard.

3. Definitions

For a comprehensive list of the definitions found in the Acceptable Use, Data Protection, Information Security, and Privacy & Confidentiality policies, please click here.

4. Related Links

5. Exceptions

If you think you need to request an exception to these requirements, please refer to the Exceptions Process.

APPROVER: Chief Information Officer
