Table of Contents
1. Purpose and Background
2. Security Requirements for Networked Devices
a) Minimum Security Requirements for UVA Devices
b) Additional Security Requirements for UVA Devices
c) Minimum Security Requirements for Personally Owned Devices
d) Devices Not Meeting Security Requirements
3. Definitions
4. Related Links
1. Purpose and Background
Those responsible for devices connected to the University of Virginia network must take appropriate steps to secure those devices so that they do not introduce threats to the University's other information technology resources. The Information Security of University Technology Resources policy requires owners and overseers of the University's information technology (IT) resources to take reasonable care to eliminate security vulnerabilities from those resources (see Information Security of University Technology Resources). This standard sets out the user, owner, and overseer responsibilities for maintaining the security of network-connected devices and applies to all devices that connect to the University network.
2. Security Requirements for Networked Devices
Requirements for securing network-connected devices depend on device type, ownership, and the classification level of any University or other regulated data stored on the device. Network-connected devices include all systems, whether personally or University owned or managed, that can connect to a wired or wireless network. This includes, but is not limited to, computers (laptops and desktops), servers (virtual or physical), smartphones, tablets, digital assistants, printers, copiers, network-aware devices with embedded electronic systems (the "Internet of Things"), and supervisory control and data acquisition (SCADA) and industrial control systems.
Minimum Security Requirements for UVA Devices
- Devices must be running supported operating systems and firmware.
- Operating systems and firmware must be kept current with the latest viable patches.
- [UPDATED 07/19] Devices capable of running antivirus or antimalware software must have at least one such product installed and configured to protect the device.
  - Signature-based antivirus must be configured to run a full scan of the device at least weekly and to obtain the latest definitions as the vendor releases them.
  - Behavior-based antimalware (which detects anomalous activity rather than known signatures) must be configured to scan in real time and to obtain the latest updates as the vendor releases them. [END OF UPDATE]
- Devices running network-aware applications must ensure that those applications are supported and licensed for use and are kept current with the latest viable security updates.
Additional Security Requirements for UVA Devices
Centrally or Departmentally Managed University Devices
- Where applicable to the device, vendor security patches for operating systems, firmware, and network-aware applications are promptly tested and, if viable, applied.
- All unnecessary applications are removed or disabled.
- Default passwords are changed.
- Administrator-level access to servers is logged, each logged action is attributable to a specific user, and the logs are protected from alteration.
- Servers and other critical devices trigger alerts for suspicious activities or access.
- Devices are configured so that security features cannot be disabled by users.
Note: In some cases it is not possible to apply a patch immediately to University-managed devices, such as production servers critical to University business processes. In these cases the patch must be tested before installation, and a formal downtime may need to be scheduled with all interested parties.
Individually Managed University Devices
All users of individually managed UVA devices must ensure that every device under their care is patched and updated to the same security level as managed University devices. Users managing their own device(s) should consult the appropriate technical support personnel for guidance on meeting the security requirements appropriate to the device(s) in question.
Devices Accessing University Data
In addition to the minimum security requirements above, network-connected devices that store, transmit, or process University data must follow the requirements for the most sensitive data on the device, as outlined in the University Data Protection Standards.
Devices Accessing Regulated Information
In addition to the minimum security requirements, owners and overseers of devices connecting to the UVA network that process, store, or transmit information covered by law, regulation, or contractual agreement, including but not limited to the International Traffic in Arms Regulations (ITAR), the Payment Card Industry Data Security Standard (PCI-DSS), the Health Insurance Portability and Accountability Act (HIPAA), the Family Educational Rights and Privacy Act (FERPA), the Gramm-Leach-Bliley Act (GLBA), and classified data, must consult the applicable entity-provided resources that outline the requirements for securing those devices.
Minimum Security Requirements for Personally Owned Devices
- If storing University data, follow the requirements for the most sensitive data on the device as outlined in the University Data Protection Standards.
- Take reasonable care to install signature-based or behavior-based antivirus/antimalware software, and regularly update operating systems, firmware, and applications.
- Ensure that devices and operating systems that have reached vendor end of support do not connect to the UVA network.
Devices Not Meeting Security Requirements
When University IT resources or privileges are impacted, or could be impacted, by an issue caused by a network-connected device or account, representatives of Information Technology Services (ITS), the Information Security office (IS), or Health Information and Technology (Health IT), acting on behalf of the University, will make a risk-based decision whether to disconnect the offending device or account from the network. See the Revocation of Information Technology Resource Privileges Standard.
3. Definitions
See the list of definitions for the Acceptable Use, Data Protection, Information Security, and Privacy & Confidentiality policies.
4. Related Links
If you think you need to request an exception to these requirements, please refer to the Exceptions Process.