Search This Site


Main menu

Security of Network-Connected Devices Standard

Table of Contents

1.  Purpose and Background
2.  Standards
     a) Security Requirements for All Network Connected Devices
     b) Additional Security Additional Security Requirements For Managed Devices Accessing, Collecting, Displaying, Generating, Processing, Storing, Or Transmitting University Data
     c) Additional Security Requirements for Email Services
     d) Additional Security Requirements for Devices Accessing, Collecting, Displaying, Generating, Processing, Storing, Or Transmitting Regulated Data
     e) Devices Not Meeting Security Requirements
     f) Required Reporting 
3.  Definitions
4.  Related Links
5.  Exceptions

REVISION HISTORY: April 20, 2022; November 29, 2021June 16, 2021December 14, 2020November 5, 2020October 23, 2020 

[Return to Library]


1. Purpose and Background

Those responsible for devices connected to the University of Virginia network and/or accessing University data must secure those devices to help prevent threats to the University’s information technology resources. The Information Security of University Technology Resources (IRM-004) policy states that owners and overseers of the University’s information technology (IT) resources must take reasonable care to eliminate security vulnerabilities from those resources.

This standard highlights user, owner, and overseer responsibilities for maintaining the security of network-connected devices and applies to all devices that connect to the University network.

[Table of Contents]

2. Standards

Security Requirements for Network Connected Devices

All devices connecting to the University’s network and/or accessing University data must meet the following security requirements:

  • Supported operating systems and firmware

  • Operating systems and firmware are kept up to date with the latest security patches.

  • Devices with operating systems or firmware that have exceeded the end-of-life support from the vendor must have an approved exception.

  • Devices are not modified to remove vendor provided security protections (e.g., jailbreak).

  • Default passwords are changed and meet the University’s authentication requirements.

  • Antimalware software must be installed, kept up to date, and running.

  • Installed applications are properly licensed, kept up to date, with vendor supplied security patches applied.

  • Host-based firewalls, where available, must be turned on and block unnecessary inbound network traffic.

Additional Security Requirements for Managed Devices Accessing, Collecting, Displaying, Generating, Processing, Storing, or Transmitting University Data

  • Keep an inventory of devices up-to-date with all required information.

  • Remove or disable unnecessary applications and services.

  • Vulnerability detection solution (such as Qualys Cloud Agent) must be used on devices meeting the following criteria:

    • Until September 28, 2022 - See Exception 268 for change to the vulnerability scanning requirement.

    • Device accessing, processing, storing, or transmitting highly sensitive data;

    • Device is an elevated network zone (High Security Network, High Security VPN);

    • Devices operated with elevated administrative privileges;

    • Device provides a University mission critical application; or

    • Devices running publicly facing service(s) (e.g. web server, email server).

  • Security patches must be applied based on the severity of the patch:

    • Qualys Urgent (5) within 21 calendar days
    • Qualys Critical (4) within 45 calendar days

    • Qualys Serious/Medium/Low -  No specific remediation timetable

    • Note: University Information Security may raise or lower the severity of a patch based on other factors.

  • An automated patching solution should be implemented

  • Vendor patches should be tested before applying to a production environment.

  • Administrator level access to servers is logged and tied to a specific user.

  • Logs are configured in such a way to prevent alteration or deletion.

  • Alerts are set up to identify suspicious activities or access and alerts are reviewed promptly and appropriate action taken.

  • Any suspected or actual security incident is reported to Information Security within one hour.

  • Hardening procedures, such as the Center for Internet Security (CIS) server hardening, should be applied.

  • All controls for the most sensitive data accessed by the device are implemented.

Additional Security Requirements for Email Services

It is highly recommended that the central IT email services be used for any University related email.  Email services providers must follow the requirements above when providing email services for University faculty, staff, and/or students.  In addition, email services providers (e.g., servers):

  • Should use a centralized authentication resource (e.g. Shibboleth, Active Directory) for account login.

  • Must meet or exceed the University’s authentication requirements

  • Must be running up-to-date antimalware and anti-spam service.

  • Must run Data Loss Prevention (DLP) tools that have been approved by University Information Security prior to deployment.

    • The DLP tools must check for and alert the sender of the transmission of Social Security Numbers (SSN) and/or credit card numbers, and must inform the sender that such transmissions are not allowed per University policy.

    • Email providers must report DLP violations (e.g., sending HSD to anyone or receiving HSD in email from anyone) and how they were remediated to University Information Security

Additional Security Requirements For Devices Accessing, Collecting, Generating, Processing, Storing, Or Transmitting Regulated Data

In addition to the security requirements described above, additional requirements may need to be applied to a device based on law, regulation, or contractual agreement.  Additional requirements may be required while traveling in other countries. 

Examples of regulations that may impose additional requirements on a device are:

Consult the applicable grant, award, regulation, and/or the UVA Vice-President for Research best practices webpage for guidance on additional security requirements.

Devices Not Meeting Security Requirements

In cases where University IT resources and privileges are threatened by other IT resources, Information Technology Services (ITS) and Health Information and Technology (Health IT) may act on behalf of the University to eliminate the threat by working with the relevant owners or overseers. In circumstances where these collaborative efforts fail or there is an urgent situation requiring immediate action, the IT resource may be disabled or disconnected from the network by ITS or Health IT (depending upon the location of the IT resource). This policy applies to all users of the University’s information technology resources, regardless of location or affiliation. See Revoking Information Technology Resource Privileges Standard.

Required Reporting

If you think a security incident has occurred, you must report it to University Information Security within one (1) hour from the time the incident is identified. Report the incident at the "Reporting a Security Incident” webpage (preferred) or by telephoning (434) 924-4165.  

[Table of Contents]

3. Definitions

See the list of definitions for the Acceptable Use, Data Protection, Information Security, and Privacy & Confidentiality policies, standards, and procedures.

[Table of Contents]

4. Related Links

[Table of Contents]

5. Exceptions

If you cannot meet this standard’s requirements, you must use the policy exception request process.


[Table of Contents]

APPROVER: Chief Information Officer

Report an Information
Security Incident

Please report any level of incident, no matter how small. The Information
Security office will evaluate the report and provide a full investigation if appropriate.

Complete Report Form