Table of Contents
1. Purpose and Background
   a) Security Requirements for Networked Devices
   b) Minimum Security Requirements for UVA Devices
   c) Additional Security Requirements for UVA Devices
   d) Minimum Security Requirements for Personally Owned Devices
   e) Devices Not Meeting Security Requirements
4. Related Links
1. Purpose and Background
Those responsible for devices connected to the University of Virginia network must take appropriate steps to secure those devices to prevent the introduction of threats to the University’s other information technology resources. The Information Security of University Technology Resources policy states that owners and overseers of the University’s information technology (IT) resources must take reasonable care to eliminate security vulnerabilities from those resources (see Information Security of University Technology Resources). This standard sets out the user, owner, and overseer responsibilities for maintaining the security of network-connected devices and applies to all devices that connect to the University network.
Security Requirements for Networked Devices
Requirements for securing network-connected devices depend upon device type, ownership, and the classification level of any University or other regulated data stored on the device. Network-connected devices include all systems, whether personally or University-owned or managed, with the ability to connect to a wired or wireless network. This includes, but is not limited to, computers, laptops, desktops, servers (virtual or physical), smart phones, tablets, digital assistants, printers, copiers, network-aware devices with embedded electronic systems (i.e., the “Internet of Things”), and supervisory control and data acquisition (SCADA) and industrial control systems.
NOTE: Federal regulations (enacted in the 2018 NDAA, Sec. 1634) prohibit the use or purchase of any software or services from Kaspersky Lab, or from any entity of which Kaspersky Lab has majority ownership. This includes its antivirus, internet security, password management, endpoint security, and other cybersecurity products and services. Details are on the UVA Vice-President for Research Best Practices webpage.
Minimum Security Requirements for UVA Devices
- Devices must be running supported operating systems and firmware.
- Operating systems and firmware must be kept current with the latest viable patches.
- [UPDATED 07/19] Devices capable of running antivirus or antimalware software must have at least one of these installed and configured to protect the device.
  - Signature-based antivirus must be configured to run full scans of the device at least weekly and to obtain the latest definitions as they become available from the vendor.
  - Anomalous-behavior-based antivirus (sometimes called "antimalware") must be configured to run real-time scans and to obtain the latest updates as they become available from the vendor. [END OF UPDATE]
- Devices running network-aware applications must ensure those applications are supported and licensed for use and are kept updated with the latest viable security updates.
Additional Security Requirements for UVA Devices
- Where applicable to the device, vendor security patches to operating systems, firmware, and network-aware applications are promptly tested and, if viable, applied.
- All unnecessary applications are removed or disabled.
- Default passwords are changed.
- Administrator-level access to servers is configured so that such activity is logged, each logged action is tied to a specific user, and the logs cannot be altered.
- Servers and other critical devices trigger alerts for suspicious activities or access.
- Devices are configured to disallow the disabling of security features.
Note: In some cases, it is not possible to immediately apply a patch to University-managed devices, such as production servers that are critical to University business processes. In these cases, a patch will require testing prior to installation, and a formal downtime may need to be scheduled with all interested parties.
All users of individually managed UVA devices are required to ensure that all devices under their care are patched and updated to match the security levels of managed University devices. Users managing their own device(s) should consult the appropriate technical support personnel for guidance in meeting the security requirements appropriate for the device(s) in question.
In addition to the minimum security requirements above, network-connected devices storing, transmitting, or processing University data must follow the requirements for the most sensitive data on the device, as outlined in the University Data Protection Standards.
In addition to the minimum security requirements, owners and overseers of devices connecting to the UVA network that process, store, or transmit information that is covered by law, regulation, or contractual agreement, including, but not limited to, International Traffic in Arms Regulations (ITAR), Payment Card Industry Data Security Standard (PCI-DSS), Health Insurance Portability and Accountability Act (HIPAA), Family Educational Rights and Privacy Act (FERPA), Gramm-Leach-Bliley Act (GLBA), and/or Classified data must consult the applicable entity-provided resources that outline requirements for securing those devices.
Minimum Security Requirements for Personally Owned Devices
- If storing University data, follow the requirements for the most sensitive data on the device as outlined in the University Data Protection Standards.
- Take reasonable care to install signature-based or anomalous-behavior-based antivirus software, and regularly update operating systems, firmware, and applications.
- Ensure that devices and operating systems that have reached vendor support end of life do not connect to the UVA network.
Devices Not Meeting Security Requirements
When University IT resources or privileges are impacted, or could be impacted, by an issue caused by a network-connected device or account, Information Technology Services (ITS), Information Security Office (IS), or Health Information and Technology (Health IT) representatives acting on behalf of the University will make a risk-based decision whether or not to disconnect the offending device or account from the network. See the Revocation of Information Technology Resource Privileges Standard.
See the list of definitions for the Acceptable Use, Data Protection, Information Security, and Privacy & Confidentiality policies.
4. Related Links
If you think you need to request an exception to these requirements, please refer to the Exceptions Process.