Date: 12/6/2024
Last Revised: 11/15/2024
Governing Policy: Information Security of University Technology Resources (IRM-004)
Applies To: Academic Division, the Medical Center, the College at Wise, and University-Associated Organizations.
Table of Contents
1. Purpose and Background
2. Standards
a) Security Requirements for All Connected Devices
b) Additional Security Requirements For Managed Devices Accessing, Collecting, Displaying, Generating, Processing, Storing, Or Transmitting University Data
- i) Vulnerability Management
- ii) Antimalware and Microsoft Defender
- iii) Organizations not employing the ITS Academic M365 tenant’s MDS or MDE
- iv) Administrator Access
- v) Logging
- vi) Device Inventory
- vii) Alerts
- viii) Hardening Procedures
- ix) Data Sensitivity Controls
c) Additional Security Requirements for Email Services
d) Additional Security Requirements for Devices Accessing, Collecting, Displaying, Generating, Processing, Storing, Or Transmitting Regulated Data
e) Devices Not Meeting Security Requirements
f) Required Reporting
3. Definitions
4. Related Links
5. Exceptions
1. Purpose and Background
Those responsible for devices connected to the University of Virginia network and/or accessing University data must secure those devices to help prevent threats to the University’s information technology resources. The Information Security of University Technology Resources (IRM-004) policy states that owners and overseers of the University’s information technology (IT) resources must take reasonable care to eliminate security vulnerabilities from those resources. This policy (IRM-004) and its associated standards and procedures apply to the Academic Division of the University, the Medical Center, the College at Wise, and University-Associated Organizations unless otherwise stated.
This standard highlights the responsibilities for maintaining the security of any device connecting to the University network.
2. Standards
a) Security Requirements for All Connected Devices
All electronic devices connecting to the University's network must meet the following security requirements:
- Operating systems and firmware are supported by the vendor.
- Operating systems and firmware are kept up to date with the latest security patches.
- Unnecessary applications and services are removed or disabled.
- Devices with operating systems or firmware that have exceeded the vendor's end-of-life support must have an approved exception from Information Security.
- Devices are not modified to remove vendor-provided security protections (e.g., jailbreaking).
- Default passwords are changed and meet the University’s authentication requirements.
- Antimalware software (such as Microsoft Defender for Endpoint) must be installed, kept up to date, and running.
- Installed applications are properly licensed and kept up to date, with vendor-supplied security patches applied.
- Host-based firewalls, where available, must be turned on and block unnecessary inbound network traffic.
- Any suspected or actual security incident is reported to Information Security within one hour.
b) Additional Security Requirements for Any Device Accessing, Collecting, Displaying, Generating, Processing, Storing, Or Transmitting University Data
Computers owned by the Academic Division of the University, an employee of the Academic Division, a sponsored account of the University, or a student worker that access, collect, generate, process, or transmit University data must comply with the requirements described in this section. The Medical Center, University-Associated Organizations, and student-owned computers not accessing University Academic data are excluded from the requirements described in this section.
i) Vulnerability Management
- Qualys Cloud Agent, the UVA licensed Vulnerability Management solution, must be installed, configured, and running.
- Security patches must be applied based on the severity of the patch:
- Qualys Urgent (5) within 21 calendar days of patch release
- Qualys Critical (4) within 45 calendar days of patch release
- Qualys Serious/Medium/Low - No specific remediation timetable
- Note: University Information Security may raise or lower the severity of a patch based on other factors.
- An automated patching solution should be implemented.
- Vendor patches should be tested before applying to a production environment.
ii) Antimalware and Microsoft Defender
- All electronic devices capable of installing and running Endpoint Detection and Response (EDR) real-time antimalware protection must do so.
- All servers utilizing a Microsoft Windows Operating System must install and run Microsoft Defender for Servers (MDS) Plan 1 or Plan 2 by January 1, 2025. See Microsoft Defender for Servers.
- All servers utilizing a Linux Operating System must install and run Microsoft Defender for Servers Plan 1 or Plan 2 by July 1, 2025. See Microsoft Defender for Servers.
- Non-server electronic devices utilizing an operating system supported by Microsoft Defender for Endpoint should install Microsoft Defender for Endpoint Plan 2. See Microsoft Defender for Endpoints (MDE).
iii) Organizations not employing the ITS Academic M365 tenant’s MDS or MDE must:
- Forward MDS and MDE logs to the Enterprise Logging Service (Splunk).
- Implement security configuration settings at the same or higher level than the ITS tenant.
- Provide ITS Information Security personnel full access to the tenant security portal.
iv) Administrator Access
- Administrator-level access to servers is logged and tied to a specific user.
v) Logging
- Devices should be configured to prevent alteration or deletion of logs.
vi) Device Inventory
- Schools and departments must keep an up-to-date inventory of all devices with all required information.
vii) Alerts
- Alerts are set up to identify suspicious activities or access; alerts are reviewed promptly and appropriate action is taken.
viii) Hardening Procedures
- Hardening procedures, such as the Center for Internet Security (CIS) server hardening, should be applied.
ix) Data Sensitivity Controls
- All controls for the most sensitive data accessed by the device are implemented.
c) Additional Security Requirements for Email Services
It is highly recommended that the central IT email services be used for any University related email. Email services providers must follow the requirements above when providing email services for University faculty, staff, and/or students. In addition, email services providers (e.g., servers):
- Must use a centralized authentication resource (e.g., Shibboleth, Active Directory) or authentication resource approved by University Information Security for account login.
- Must meet or exceed the University’s authentication requirements.
- Must be running up-to-date antimalware and anti-spam service.
- Must automatically send email and authentication logs to the Enterprise Logging Service (Splunk) daily.
- Must run Data Loss Prevention (DLP) tools that have been approved by University Information Security prior to deployment.
- The DLP tools must check for and alert the sender of the transmission of Social Security Numbers (SSN) and/or credit card numbers and must inform the sender that such transmissions are not allowed per University policy.
- Email providers must report DLP violations (e.g., sending HSD to anyone or receiving HSD in email from anyone) and how they were remediated to University Information Security.
- All email service providers sending or receiving email with a virginia.edu domain or sub-domain must:
  - request Domain-based Message Authentication, Reporting and Conformance (DMARC) keys via the ITS Service Catalog request, AND
  - have EITHER a DMARC p=reject policy OR a Sender Policy Framework (SPF) record configured to hard fail.
- Must be configured to ensure users abide by the University’s Mass Digital Communications policy (IRM-006)
- Must report to University Information Security any account compromise or suspected compromise of either an email server user, administrative, or service account within one hour.
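The DMARC/SPF requirement above (a DMARC policy of p=reject, or an SPF record that hard-fails) can be checked mechanically from a domain's TXT records. The following checker is an added example, not part of the standard or any ITS tooling; the record strings and the example.edu names are constructed, and the same logic applies to any domain whose records have been fetched from DNS.

```python
"""Evaluate DMARC and SPF TXT records against the rule in the standard:
a DMARC policy of p=reject, OR an SPF record whose 'all' mechanism hard-fails (-all)."""


def parse_dmarc(txt):
    """Split a DMARC TXT record into a tag dict; return None if it is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def spf_hard_fails(txt):
    """True only when the SPF record's 'all' mechanism carries the '-' (fail) qualifier."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return False
    for term in terms[1:]:
        if term.lower().lstrip("+-~?") == "all":
            return term.startswith("-")   # ~all (softfail), ?all, +all do not count
    return False  # no 'all' mechanism at all: implicit neutral, not a hard fail


def meets_standard(dmarc_txt, spf_txt):
    """Apply the standard's rule; pass None for a record that does not exist in DNS."""
    dmarc = parse_dmarc(dmarc_txt) if dmarc_txt else None
    dmarc_reject = dmarc is not None and dmarc.get("p", "").lower() == "reject"
    spf_hard = spf_hard_fails(spf_txt) if spf_txt else False
    return dmarc_reject or spf_hard


# Constructed sample records (hypothetical example.edu data, not real UVA DNS records).
SAMPLES = {
    "reject_softfail":     ("v=DMARC1; p=reject; rua=mailto:dmarc@example.edu", "v=spf1 include:_spf.example.edu ~all"),
    "none_hardfail":       ("v=DMARC1; p=none; rua=mailto:dmarc@example.edu",   "v=spf1 ip4:192.0.2.0/24 -all"),
    "quarantine_softfail": ("v=DMARC1; p=quarantine",                            "v=spf1 include:_spf.example.edu ~all"),
    "no_dmarc_hardfail":   (None,                                                "v=spf1 -all"),
    "none_missing_all":    ("v=DMARC1; p=none",                                  "v=spf1 ip4:192.0.2.5"),
}

if __name__ == "__main__":
    for name, (dmarc, spf) in SAMPLES.items():
        print(f"{name:22s} {'compliant' if meets_standard(dmarc, spf) else 'NOT compliant'}")
```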
d) Additional Security Requirements for Devices Accessing, Collecting, Generating, Processing, Storing, Or Transmitting Regulated Data
In addition to the security requirements described above, additional requirements may need to be applied to a device based on law, regulation, or contractual agreement. Additional requirements may be required while traveling in other countries.
Examples of regulations that may impose additional requirements on a device are:
- Controlled Unclassified Information (CUI)
- Family Educational Rights and Privacy Act (FERPA)
- International Traffic in Arms Regulations (ITAR)
- Health Insurance Portability and Accountability Act (HIPAA)
- Export Administration Regulations (EAR)
- Payment Card Industry Data Security Standard (PCI-DSS)
Consult the applicable grant, award, regulation, and/or the UVA Vice-President Research Security webpage for guidance on additional security requirements.
e) Devices Not Meeting Security Requirements
In cases where University IT resources and privileges are threatened by other IT resources, Information Technology Services (ITS) and Health Information and Technology (Health IT) may act on behalf of the University to eliminate the threat by working with the relevant owners or overseers. In circumstances where these collaborative efforts fail or there is an urgent situation requiring immediate action, the IT resource may be disabled or disconnected from the network by ITS or Health IT (depending upon the location of the IT resource). This policy applies to all users of the University’s information technology resources, regardless of location or affiliation. See Revoking Information Technology Resource Privileges Standard.
f) Required Reporting
If you think a security incident has occurred, you must report it to University Information Security within one (1) hour from the time the incident is identified. Report the incident at the "Reporting a Security Incident" webpage (preferred) or by telephoning (434) 924-4165.
3. Definitions
See the list of definitions for the Acceptable Use, Data Protection, Information Security, and Privacy & Confidentiality policies, standards, and procedures.
Device Inventory: an up-to-date list of devices owned and/or managed by a department. The list must include: Business Unit, Device Owner, Device Owner’s Last Name, Device Owner’s First Name, Device Owner’s Computing ID, Device/Endpoint Manager, Device Name, Highest Data Sensitivity Accessed by Device, Shared or Single User Device, User Admin Level, Device Serial Number, Primary MAC/EHA address, Other MAC/EHA address, OS Version (Mac, PC, Linux), Other/Comments. If this list cannot be automatically created by JAMF, KACE or similar software, then a spreadsheet similar in format to the example spreadsheet is acceptable.
Electronic device: electronic equipment, whether owned by the University or an individual, that has a storage device or persistent memory, including, but not limited to: desktop computers, laptops, tablets, servers, smart phones, and other mobile devices. For purposes of this definition, the term does not include IoT, networking, or medical devices.
4. Related Links
- Authentication Standard
- Acceptable Use of the University’s Information Technology Resources (IRM-002)
- Center for Internet Security (CIS) configuration benchmarks
- Electronic Access Requirements
- Information Security of University Technology Resources (IRM-004)
- Revoking Information Technology Resource Privileges Standard
- University Data Protection Standards
5. Exceptions
If you cannot meet this standard’s requirements, you must use the policy exception request process.
Approved by, Date: Chief Information Officer, 11/15/2024
Next Scheduled Review: 3/14/2026
Revision History: November 15, 2024, March 14, 2023; April 20, 2022; November 29, 2021; June 16, 2021; December 14, 2020; November 5, 2020; October 23, 2020
Source URL: https://security.virginia.edu/security-network-connected-devices-standa…