Please report any level of incident, no matter how small. The Information Security office will evaluate the report and provide a full investigation if appropriate.
Substantive Change: Security of Connected Devices Standard
The Security of Connected Devices Standard was extensively changed.
Carefully reviewing the revised standard is highly recommended.
CHANGED
Under 2 b) Additional Security Requirements For Any Device Accessing, Collecting, Displaying, Generating, Processing, Storing, Or Transmitting University Data
Existing item:
The Health System
changed to:
The Medical Center
Existing item:
Computers owned by the Academic Division of the University, an employee of the Academic Division or sponsored account of the University
changed to:
Computers owned by the Academic Division of the University, an employee of the Academic Division, sponsored account of the University, or student worker
Existing item:
student owned computers are excluded
changed to:
student owned computers not accessing University Academic data are excluded
ADDED
Under 2 b) Security Requirements For Any Device Accessing, Collecting, Displaying, Generating, Processing, Storing, Or Transmitting University Data
- Antimalware and Microsoft Defender
  - All electronic devices capable of installing and running Endpoint Detection and Response (EDR) real-time antimalware protection must do so.
  - All servers utilizing a Microsoft Windows Operating System must install and run Microsoft Defender for Cloud Plan 1 or Plan 2 by January 1, 2025. See Microsoft Defender for Servers.
  - All servers utilizing a Linux Operating System must install and run Microsoft Defender for Cloud Plan 1 or Plan 2 by July 1, 2025. See Microsoft Defender for Servers.
  - Non-server electronic devices utilizing an operating system supported by Microsoft Defender for Endpoint should install Microsoft Defender for Endpoint Plan 2. See Microsoft Defender for Endpoints (MDE).
  - Organizations not employing the ITS Academic M365 tenant’s MDC or MDE must:
    - Forward MDS and MDE logs to the Enterprise Logging Service (Splunk)
    - Implement security configuration settings at the same or higher level than the ITS tenant
    - Provide ITS Information Security personnel full access to the tenant security portal
Under 2 c) Additional Security Requirements for Email Services
- All email service providers sending or receiving email with a virginia.edu domain or sub-domain must:
  - request Domain-based Message Authentication, Reporting and Conformance (DMARC) keys via the ITS Service Catalog request
  - AND have EITHER
    - a DMARC p=reject policy
    - OR
    - a Sender Policy Framework (SPF) record configured to hard fail