Security of Network-Connected Devices Standard
Table of Contents
1. Purpose and Background
2. Standards
a) Security Requirements for All Network Connected Devices
b) Additional Security Requirements For Managed Devices Accessing, Collecting, Displaying, Generating, Processing, Storing, Or Transmitting University Data
c) Additional Security Requirements for Email Services
d) Additional Security Requirements for Devices Accessing, Collecting, Displaying, Generating, Processing, Storing, Or Transmitting Regulated Data
e) Devices Not Meeting Security Requirements
f) Required Reporting
3. Definitions
4. Related Links
5. Exceptions
REVISION HISTORY: April 20, 2022 [1]; November 29, 2021 [2]; June 16, 2021 [3]; December 14, 2020 [4]; November 5, 2020 [5]; October 23, 2020 [6]
1. Purpose and Background
Those responsible for devices [8] connected to the University of Virginia network and/or accessing University data must secure those devices [8] to help prevent threats to the University’s information technology resources. The Information Security of University Technology Resources (IRM-004) [9] policy states that owners and overseers of the University’s information technology (IT) resources must take reasonable care to eliminate security vulnerabilities from those resources.
This standard highlights user [10], owner, and overseer responsibilities for maintaining the security of network-connected devices [11] and applies to all devices [8] that connect to the University network.
2. Standards
Security Requirements for Network Connected Devices [11]
All devices connecting to the University’s network and/or accessing University data must meet the following security requirements:
- Operating systems and firmware are kept up to date with the latest security patches.
- Devices with operating systems or firmware that have exceeded the end-of-life support from the vendor must have an approved exception [13].
- Devices are not modified to remove vendor provided security protections (e.g., jailbreak).
- Default passwords are changed and meet the University’s authentication requirements [14].
- Antimalware [15] software must be installed, kept up to date, and running.
- Installed applications are properly licensed and kept up to date, with vendor supplied security patches applied.
- Host-based firewalls, where available, must be turned on and block unnecessary inbound network traffic.
Additional Security Requirements for Managed Devices [16] Accessing, Collecting, Displaying, Generating, Processing, Storing, or Transmitting University Data
- Keep an inventory of devices up-to-date with all required information [17].
- Remove or disable unnecessary applications and services.
- A vulnerability detection [18] solution must be used on devices meeting the following criteria:
  - Until September 28, 2022 - See Exception 268 [1] for change to the vulnerability scanning requirement.
  - Device accessing, processing, storing, or transmitting highly sensitive data;
  - Device is in an elevated network zone (High Security Network, High Security VPN);
  - Device operated with elevated administrative privileges [19];
  - Device provides a University mission critical [20] application; or
  - Device running publicly facing service(s) (e.g., web server, email server).
- Security patches must be applied based on the severity of the patch:
  - Critical within 21 calendar days
  - High within 45 calendar days
  - Medium/Low - No specific requirement
  - Note: University Information Security may raise or lower the severity of a patch based on other factors.
- An automated patching solution should be implemented.
- Vendor patches should be tested before applying to a production environment.
- Administrator level access to servers is logged and tied to a specific user [10].
- Logs are configured in such a way as to prevent alteration or deletion.
- Alerts are set up to identify suspicious activities or access; alerts are reviewed promptly and appropriate action taken.
- Any suspected or actual security incident is reported to Information Security [21] within one hour.
- Hardening procedures, such as the Center for Internet Security (CIS) server hardening [22], should be applied.
- All controls for the most sensitive data accessed [23] by the device are implemented.
Additional Security Requirements for Email Services
It is highly recommended that the central IT email services [24] be used for any University related email. Email services providers must follow the requirements above when providing email services for University faculty, staff, and/or students. In addition, email services providers (e.g., servers):
- Should use a centralized authentication resource (e.g., Shibboleth, Active Directory) for account login.
- Must meet or exceed the University’s authentication requirements [14].
- Must be running up-to-date antimalware [15] and anti-spam services.
- Must run Data Loss Prevention (DLP) [25] tools that have been approved by University Information Security prior to deployment.
  - The DLP [25] tools must check for and alert the sender of the transmission of Social Security Numbers (SSN) and/or credit card numbers, and must inform the sender that such transmissions are not allowed per University policy.
  - Email providers must report DLP [25] violations (e.g., sending HSD to anyone or receiving HSD in email from anyone), and how they were remediated, to University Information Security [17].
- Must be configured to ensure users abide by the University’s Mass Digital Communications policy (IRM-006) [26].
- Must report to University Information Security [21] any account compromise or suspected compromise of an email server user, administrative, or service account within one hour.
Additional Security Requirements For Devices Accessing, Collecting, Generating, Processing, Storing, Or Transmitting Regulated Data
In addition to the security requirements described above, additional requirements may need to be applied to a device based on law, regulation, or contractual agreement. Additional requirements may be required while traveling in other countries.
Examples of regulations that may impose additional requirements on a device are:
- Controlled Unclassified Information (CUI) [27]
- Family Educational Rights and Privacy Act (FERPA) [28]
- International Traffic in Arms Regulations (ITAR) [29]
- Health Insurance Portability and Accountability Act (HIPAA) [30]
- Export Administration Regulations (EAR) [29]
- Payment Card Industry Data Security Standard (PCI-DSS) [31]
Consult the applicable grant, award, regulation, and/or the UVA Vice-President for Research best practices webpage [32] for guidance on additional security requirements.
Devices Not Meeting Security Requirements
In cases where University IT resources and privileges are threatened by other IT resources, Information Technology Services (ITS) and Health Information and Technology (Health IT) may act on behalf of the University to eliminate the threat by working with the relevant owners or overseers. In circumstances where these collaborative efforts fail or there is an urgent situation requiring immediate action, the IT resource may be disabled or disconnected from the network by ITS or Health IT (depending upon the location of the IT resource). This policy applies to all users of the University’s information technology resources, regardless of location or affiliation. See Revoking Information Technology Resource Privileges Standard [33].
Required Reporting
If you think a security incident [34] has occurred, you must report it to University Information Security within one (1) hour from the time the incident [34] is identified. Report the incident at the “Reporting a Security Incident [21]” webpage (preferred) or by telephoning (434) 924-4165.
3. Definitions
See the list of definitions [35] for the Acceptable Use, Data Protection, Information Security, and Privacy & Confidentiality policies, standards, and procedures.
4. Related Links
- Authentication Standard [14]
- Acceptable Use of the University’s Information Technology Resources [36] (IRM-002)
- Center for Internet Security (CIS) configuration benchmarks [22]
- Electronic Access Requirements [37]
- Information Security of University Technology Resources (IRM-004) [9]
- Revoking Information Technology Resource Privileges Standard [33]
- University Data Protection Standards [38]
5. Exceptions
If you cannot meet this standard’s requirements, you must use the policy exception request process [13].