Substantive Change: Security of Connected Devices Standard

Author
dkg3x
Last modified
December 6, 2024 - 4:52pm

The Security of Connected Devices Standard was extensively changed.

Carefully reviewing the revised standard is highly recommended.

CHANGED

Under 2 b) Additional Security Requirements For Any Device Accessing, Collecting, Displaying, Generating, Processing, Storing, Or Transmitting University Data

Existing item: 

The Health System 

changed to

The Medical Center

Existing item: 

Computers owned by the Academic Division of the University, an employee of the Academic Division or sponsored account of the University  

changed to

Computers owned by the Academic Division of the University, an employee of the Academic Division, sponsored account of the University, or student worker  

Existing item: 

student owned computers are excluded 

changed to

student owned computers not accessing University Academic data are excluded

ADDED 

Under 2 b)  Security Requirements For Any Device Accessing, Collecting, Displaying, Generating, Processing, Storing, Or Transmitting University Data

  • Antimalware and Microsoft Defender
    • All electronic devices capable of installing and running Endpoint Detection and Response (EDR) real-time antimalware protection must do so.
    • All servers utilizing a Microsoft Windows Operating System must install and run Microsoft Defender for Cloud Plan 1 or Plan 2 by January 1, 2025. See Microsoft Defender for Servers.
    • All servers utilizing a Linux Operating System must install and run Microsoft Defender for Cloud Plan 1 or Plan 2 by July 1, 2025. See Microsoft Defender for Servers.
    • Non-server electronic devices utilizing an operating system supported by Microsoft Defender for Endpoint should install Microsoft Defender for Endpoint Plan 2. See Microsoft Defender for Endpoints (MDE).
  • Organizations not employing the ITS Academic M365 tenant’s MDC or MDE must:
    • Forward MDS and MDE logs to the Enterprise Logging Service (Splunk)
    • Implement security configuration settings at the same or higher level than the ITS tenant
    • Provide ITS Information Security personnel full access to the tenant security portal

 

Under 2 c) Additional Security Requirements for Email Services

  • All email service providers sending or receiving email with a virginia.edu domain or sub-domain must:
    • request Domain-based Message Authentication, Reporting and Conformance (DMARC) keys via the ITS Service Catalog request 
    • AND have EITHER 
      • a DMARC p=reject policy 
      • OR 
      • a Sender Policy Framework (SPF) record configured to hard fail
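The either/or condition above can be checked against a domain's published TXT records. The following is an added example, not part of the standard or of any ITS tooling: it evaluates constructed DMARC and SPF records for hypothetical example.edu domains, performs no DNS lookups, and assumes `include:` and `redirect=` targets are not followed.

```python
# Added example: records below are constructed; no DNS lookups are made.

def dmarc_policy(txt):
    """Return the p= value of a DMARC TXT record, or None if absent/invalid."""
    tags = [t.strip() for t in txt.split(";") if t.strip()]
    # The v= tag must come first; anything else is not a DMARC record.
    if not tags or tags[0].replace(" ", "").lower() != "v=dmarc1":
        return None
    for tag in tags[1:]:
        name, _, value = tag.partition("=")
        if name.strip().lower() == "p":
            return value.strip().lower()
    return None

def spf_all_qualifier(txt):
    """Return the qualifier of the first 'all' mechanism, or None if there is none."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    for term in terms[1:]:
        t = term.lower()
        if t == "all":
            return "+"  # a bare 'all' defaults to the '+' (pass) qualifier
        if len(t) == 4 and t[0] in "+-~?" and t[1:] == "all":
            return t[0]  # evaluation stops at the first 'all'
    return None  # include:/redirect= targets are not followed (assumption)

def meets_either_rule(dmarc_txt, spf_txt):
    """True if DMARC is p=reject OR the SPF record hard fails (-all)."""
    dmarc_ok = bool(dmarc_txt) and dmarc_policy(dmarc_txt) == "reject"
    spf_ok = bool(spf_txt) and spf_all_qualifier(spf_txt) == "-"
    return dmarc_ok or spf_ok

# Constructed sample records keyed by hypothetical sending domains.
SAMPLES = {
    "reject.example.edu": ("v=DMARC1; p=reject; rua=mailto:r@example.edu", "v=spf1 mx ~all"),
    "hardfail.example.edu": ("v=DMARC1; p=none", "v=spf1 ip4:192.0.2.0/24 -all"),
    "weak.example.edu": ("v=DMARC1; p=quarantine", "v=spf1 include:_spf.example.net ~all"),
    "nodmarc.example.edu": (None, "v=spf1 mx ?all"),
}

def audit(samples=SAMPLES):
    """Map each domain to whether it satisfies the either/or rule."""
    return {d: meets_either_rule(dm, spf) for d, (dm, spf) in samples.items()}

if __name__ == "__main__":
    for domain, ok in audit().items():
        print(f"{domain}: {'meets rule' if ok else 'does not meet rule'}")
```

A soft fail (`~all`) or a `p=quarantine` policy does not satisfy the rule on its own, which is why the third and fourth sample domains are reported as not meeting it.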