Security of Connected Devices Standard

Date: 12/6/2024
Last Revised: 11/15/2024
Governing Policy: Information Security of University Technology Resources (IRM-004)
Applies To: Academic Division, the Medical Center, the College at Wise, and University-Associated Organizations.
 

Table of Contents

1.  Purpose and Background                                 
2.  Standards                                 
     a) Security Requirements for All Connected Devices
     b) Additional Security Requirements for Any Device Accessing, Collecting, Displaying, Generating, Processing, Storing, Or Transmitting University Data
     c) Additional Security Requirements for Email Services
     d) Additional Security Requirements for Devices Accessing, Collecting, Displaying, Generating, Processing, Storing, Or Transmitting Regulated Data                                 
     e) Devices Not Meeting Security Requirements                                 
     f) Required Reporting                                  
3.  Definitions                                 
4.  Related Links                                 
5.  Exceptions


 

1. Purpose and Background

Those responsible for devices connected to the University of Virginia network and/or accessing University data must secure those devices to help prevent threats to the University’s information technology resources. The Information Security of University Technology Resources (IRM-004) policy states that owners and overseers of the University’s information technology (IT) resources must take reasonable care to eliminate security vulnerabilities from those resources. This policy (IRM-004) and its associated standards and procedures apply to the Academic Division of the University, the Medical Center, the College at Wise, and University-Associated Organizations unless otherwise stated.

This standard highlights the responsibilities for maintaining the security of any device connecting to the University network.


 

2. Standards

 

a)  Security Requirements for All Connected Devices

All electronic devices connecting to the University's network must meet the following security requirements:

  • Supported operating systems and firmware are running.
  • Operating systems and firmware are kept up to date with the latest security patches.
  • Unnecessary applications and services are removed or disabled.
  • Devices with operating systems or firmware that have exceeded the vendor's end-of-life support must have an approved exception from Information Security.
  • Devices are not modified to remove vendor-provided security protections (e.g., jailbreaking).
  • Default passwords are changed and meet the University’s authentication requirements.
  • Antimalware software (such as Microsoft Defender for Endpoint) must be installed, kept up to date, and running.
  • Installed applications are properly licensed and kept up to date, with vendor-supplied security patches applied.
  • Host-based firewalls, where available, must be turned on and block unnecessary inbound network traffic.
  • Any suspected or actual security incident is reported to Information Security within one hour.

 

b)  Additional Security Requirements for Any Device Accessing, Collecting, Displaying, Generating, Processing, Storing, Or Transmitting University Data

Computers owned by the Academic Division of the University, an employee of the Academic Division, a sponsored account of the University, or a student worker that access, collect, generate, process, or transmit University data must comply with the requirements described in this section. The Medical Center, University-Associated Organizations, and student-owned computers not accessing University Academic data are excluded from the requirements described in this section.

i) Vulnerability Management

  • Qualys Cloud Agent, the UVA licensed Vulnerability Management solution, must be installed, configured, and running.
  • Security patches must be applied based on the severity of the patch:
    • Qualys Urgent (5): within 21 calendar days of patch release
    • Qualys Critical (4): within 45 calendar days of patch release
    • Qualys Serious/Medium/Low: no specific remediation timetable
      • Note: University Information Security may raise or lower the severity of a patch based on other factors.
  • An automated patching solution should be implemented.
  • Vendor patches should be tested before applying to a production environment.

ii) Antimalware and Microsoft Defender

  • All electronic devices capable of installing and running Endpoint Detection and Response (EDR) real-time antimalware protection must do so.
  • All servers utilizing a Microsoft Windows Operating System must install and run Microsoft Defender for Servers (MDS) Plan 1 or Plan 2 by January 1, 2025. See Microsoft Defender for Servers.
  • All servers utilizing a Linux Operating System must install and run Microsoft Defender for Servers Plan 1 or Plan 2 by July 1, 2025. See Microsoft Defender for Servers.
  • Non-server electronic devices utilizing an operating system supported by Microsoft Defender for Endpoint should install Microsoft Defender for Endpoint Plan 2. See Microsoft Defender for Endpoints (MDE).

iii) Organizations not employing the ITS Academic M365 tenant’s MDS or MDE must:

  • Forward MDS and MDE logs to the Enterprise Logging Service (Splunk)
  • Implement security configuration settings at the same or higher level than the ITS tenant
  • Provide ITS Information Security personnel full access to the tenant security portal

iv) Administrator Access

  • Administrator level access to servers is logged and tied to a specific user.

v) Logging

  • Devices should be configured in such a way as to prevent alteration or deletion of logs.

vi) Device Inventory

vii) Alerts

  • Alerts are set up to identify suspicious activity or access; alerts are reviewed promptly and appropriate action is taken.

viii) Hardening Procedures

ix) Data Sensitivity Controls

 

c)  Additional Security Requirements for Email Services

It is highly recommended that the central IT email services be used for any University related email.  Email services providers must follow the requirements above when providing email services for University faculty, staff, and/or students.  In addition, email services providers (e.g., servers):

  • Must use a centralized authentication resource (e.g., Shibboleth, Active Directory) or authentication resource approved by University Information Security for account login.
  • Must meet or exceed the University’s authentication requirements
  • Must be running up-to-date antimalware and anti-spam service.
  • Must automatically send email and authentication logs to the Enterprise Logging Service (Splunk) daily.
  • Must run Data Loss Prevention (DLP) tools that have been approved by University Information Security prior to deployment.
    • The DLP tools must check for the transmission of Social Security Numbers (SSN) and/or credit card numbers, alert the sender, and inform the sender that such transmissions are not allowed per University policy.
    • Email providers must report DLP violations (e.g., sending HSD to anyone or receiving HSD in email from anyone), and how they were remediated, to University Information Security.
  • All email service providers sending or receiving email with a virginia.edu domain or sub-domain must:

 

d)  Additional Security Requirements for Devices Accessing, Collecting, Generating, Processing, Storing, Or Transmitting Regulated Data

In addition to the security requirements described above, further requirements may need to be applied to a device based on law, regulation, or contractual agreement. Additional requirements may also apply while traveling in other countries.

Examples of regulations that may impose additional requirements on a device are:

Consult the applicable grant, award, regulation, and/or the UVA Vice-President Research Security webpage for guidance on additional security requirements.

 

e)  Devices Not Meeting Security Requirements

In cases where University IT resources and privileges are threatened by other IT resources, Information Technology Services (ITS) and Health Information and Technology (Health IT) may act on behalf of the University to eliminate the threat by working with the relevant owners or overseers. In circumstances where these collaborative efforts fail or there is an urgent situation requiring immediate action, the IT resource may be disabled or disconnected from the network by ITS or Health IT (depending upon the location of the IT resource). This policy applies to all users of the University’s information technology resources, regardless of location or affiliation. See Revoking Information Technology Resource Privileges Standard.

 

f)  Required Reporting

If you think a security incident has occurred, you must report it to University Information Security within one (1) hour from the time the incident is identified. Report the incident at the "Reporting a Security Incident" webpage (preferred) or by telephoning (434) 924-4165.


 

3. Definitions

See the list of definitions for the Acceptable Use, Data Protection, Information Security, and Privacy & Confidentiality policies, standards, and procedures.

Device Inventory: An up-to-date list of devices owned and/or managed by a department. The list must include: Business Unit, Device Owner, Device Owner’s Last Name, Device Owner’s First Name, Device Owner’s Computing ID, Device/Endpoint Manager, Device Name, Highest Data Sensitivity Accessed by Device, Shared or Single User Device, User Admin Level, Device Serial Number, Primary MAC/EHA address, Other MAC/EHA address, OS Version (Mac, PC, Linux), Other/Comments. If this list cannot be automatically created by JAMF, KACE, or similar software, then a spreadsheet similar in format to this example is acceptable. Click here for example spreadsheet.

Electronic device: Electronic equipment, whether owned by the University or an individual, that has a storage device or persistent memory, including, but not limited to: desktop computers, laptops, tablets, servers, smart phones, and other mobile devices. For purposes of this definition, the term does not include IoT, networking, or medical devices.

 


 

4. Related Links


 

5. Exceptions

If you cannot meet this standard’s requirements, you must use the policy exception request process.

 


Approved by, Date: Chief Information Officer, 11/15/2024
Next Scheduled Review: 3/14/2026
Revision History: November 15, 2024; March 14, 2023; April 20, 2022; November 29, 2021; June 16, 2021; December 14, 2020; November 5, 2020; October 23, 2020
Source URL: https://security.virginia.edu/security-network-connected-devices-standa…