Security of Connected Devices Standard

Table of Contents

1.  Purpose and Background
2.  Standards
     a) Security Requirements for All Connected Devices
     b) Additional Security Requirements For Any Device Accessing, Collecting, Displaying, Generating, Processing, Storing, Or Transmitting University Data
     c) Additional Security Requirements for Email Services
     d) Additional Security Requirements for Devices Accessing, Collecting, Displaying, Generating, Processing, Storing, Or Transmitting Regulated Data
     e) Devices Not Meeting Security Requirements
     f) Required Reporting 
3.  Definitions
4.  Related Links
5.  Exceptions

REVISION HISTORY: March 14, 2023; April 20, 2022; November 29, 2021; June 16, 2021; December 14, 2020; November 5, 2020; October 23, 2020


1. Purpose and Background

Those responsible for devices connected to the University of Virginia network and/or accessing University data must secure those devices to help prevent threats to the University’s information technology resources. The Information Security of University Technology Resources (IRM-004) policy states that owners and overseers of the University’s information technology (IT) resources must take reasonable care to eliminate security vulnerabilities from those resources. This policy (IRM-004) and its associated standards and procedures apply to the Academic Division of the University, the Medical Center, the College at Wise, and University-Associated Organizations unless otherwise stated.

This standard highlights the responsibilities for maintaining the security of any device connecting to the University network.


2. Standards

SECURITY REQUIREMENTS FOR ALL CONNECTED DEVICES

All electronic devices connecting to the University's network must meet the following security requirements:

  • Run a vendor-supported operating system and firmware.

  • Keep operating systems and firmware up to date with the latest security patches.

  • Remove or disable unnecessary applications and services.

  • Obtain an approved exception from Information Security for any device whose operating system or firmware has passed the vendor's end-of-life support.

  • Do not modify devices to remove vendor-provided security protections (e.g., jailbreaking).

  • Change default passwords; all passwords must meet the University's authentication requirements.

  • Install antimalware software (such as Microsoft Defender for Endpoint), keep it up to date, and keep it running.

  • Ensure installed applications are properly licensed and kept up to date, with vendor-supplied security patches applied.

  • Turn on host-based firewalls where available and block unnecessary inbound network traffic.

  • Report any suspected or actual security incident to Information Security within one hour.

Additional Security Requirements For Any Device Accessing, Collecting, Displaying, Generating, Processing, Storing, Or Transmitting University Data

Computers owned by the Academic Division of the University, by an employee of the Academic Division, or by a sponsored account holder of the University that access, collect, generate, process, store, or transmit University data must comply with the requirements described in this section. Health System, University-Associated Organization, and student-owned computers are excluded from the requirements described in this section.

  • Qualys Cloud Agent, the UVA-licensed vulnerability management solution, must be installed, configured, and running.

  • Security patches must be applied within a window determined by the severity of the patch, counted from the date the patch is released:

    • Qualys Urgent (5): within 21 calendar days of patch release
    • Qualys Critical (4): within 45 calendar days of patch release
    • Qualys Serious, Medium, or Low: no specific remediation timetable

    Note: University Information Security may raise or lower the severity of a patch based on other factors, which changes the remediation window that applies.

    • An automated patching solution should be implemented.
    • Vendor patches should be tested before being applied to a production environment.

  • Administrator-level access to servers is logged and tied to a specific user.

  • Devices should be configured to prevent alteration or deletion of logs.

  • Schools and departments must keep an up-to-date inventory of all devices containing all required information (see Device Inventory under Definitions).

  • Alerts are set up to identify suspicious activities or access; alerts are reviewed promptly and appropriate action taken.

  • Hardening procedures, such as the Center for Internet Security (CIS) server hardening benchmarks, should be applied.

  • All controls required for the most sensitive data accessed by the device are implemented.
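The patch-remediation windows above lend themselves to an automated compliance check. The following Python script is an added example for this page, not part of this standard and not Qualys code: it takes a constructed list of findings (host names, finding identifiers, severities and dates are all made up for illustration), applies the 21-day and 45-day windows from the date of patch release, honours a severity override of the kind Information Security may apply, and reports which unpatched findings have exceeded their window. The Finding layout and its field names are assumptions for the example, not a Qualys export format.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Remediation windows from the standard, keyed by Qualys severity level.
# Serious (3), Medium (2) and Low (1) have no fixed timetable, so they are absent.
REMEDIATION_DAYS = {5: 21, 4: 45}


@dataclass
class Finding:
    """One vulnerability on one host (assumed layout for the example, not a Qualys export)."""
    host: str
    finding_id: str                 # constructed identifier for the example
    vendor_severity: int            # Qualys severity 1..5 as reported by the scanner
    patch_released: date            # the window counts from vendor patch release, not detection
    patched_on: Optional[date] = None
    override_severity: Optional[int] = None  # set when Information Security raises or lowers severity

    @property
    def effective_severity(self) -> int:
        # An override from Information Security replaces the scanner's severity.
        return self.override_severity if self.override_severity is not None else self.vendor_severity

    def deadline(self) -> Optional[date]:
        """Date by which the patch must be applied, or None when no timetable applies."""
        days = REMEDIATION_DAYS.get(self.effective_severity)
        return None if days is None else self.patch_released + timedelta(days=days)


def overdue(findings: List[Finding], today: date) -> List[Tuple[str, str, int]]:
    """Return (host, finding_id, days_late) for every unpatched finding past its deadline."""
    late = []
    for f in findings:
        if f.patched_on is not None:
            continue                # already remediated
        dl = f.deadline()
        if dl is not None and today > dl:
            late.append((f.host, f.finding_id, (today - dl).days))
    return late


def days_remaining(f: Finding, today: date) -> Optional[int]:
    """Days left before the window closes (negative once late); None when no timetable applies."""
    dl = f.deadline()
    return None if dl is None else (dl - today).days


# Constructed sample data for the example; none of it is real scan output.
TODAY = date(2024, 4, 1)
SAMPLE_FINDINGS = [
    Finding("lab-ws-01", "F-1001", 5, date(2024, 3, 1)),                             # Urgent, due 2024-03-22
    Finding("lab-ws-01", "F-1002", 4, date(2024, 3, 1)),                             # Critical, due 2024-04-15
    Finding("lab-srv-02", "F-1003", 3, date(2024, 2, 20), override_severity=5),      # raised to Urgent, due 2024-03-12
    Finding("lab-srv-02", "F-1004", 5, date(2024, 3, 1), patched_on=date(2024, 3, 10)),  # remediated
    Finding("lab-srv-03", "F-1005", 2, date(2023, 1, 1)),                            # Medium, no timetable
    Finding("lab-srv-03", "F-1006", 5, date(2024, 1, 1), override_severity=3),       # lowered, no timetable
]

if __name__ == "__main__":
    for host, fid, late in overdue(SAMPLE_FINDINGS, TODAY):
        print(f"{host} {fid}: {late} days past remediation window")
```

Two points the script makes explicit that a spreadsheet check often gets wrong: the clock starts at the vendor's patch release date, not at the date the scanner first reported the finding, and a severity lowered by Information Security removes the fixed deadline entirely rather than merely extending it.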

Additional Security Requirements for Email Services

It is highly recommended that central IT email services be used for any University-related email. Email service providers must follow the requirements above when providing email services for University faculty, staff, and/or students. In addition, email service providers (e.g., email servers):

  • Must use a centralized authentication resource (e.g., Shibboleth, Active Directory) or an authentication resource approved by University Information Security for account login.

  • Must meet or exceed the University's authentication requirements.

  • Must be running up-to-date antimalware and anti-spam services.

  • Must automatically send email and authentication logs to University Information Security's Security Information and Event Management (SIEM) tool daily.

  • Must run Data Loss Prevention (DLP) tools that have been approved by University Information Security prior to deployment.

    • The DLP tools must check for the transmission of Social Security Numbers (SSN) and/or credit card numbers, alert the sender, and inform the sender that such transmissions are not allowed per University policy.
    • Email providers must report DLP violations (e.g., sending highly sensitive data (HSD) to anyone or receiving HSD in email from anyone), and how they were remediated, to University Information Security.

Additional Security Requirements For Devices Accessing, Collecting, Displaying, Generating, Processing, Storing, Or Transmitting Regulated Data

In addition to the security requirements described above, further requirements may need to be applied to a device based on law, regulation, or contractual agreement. Additional requirements may also apply while traveling in other countries.

Examples of regulations that may impose additional requirements on a device are:

Consult the applicable grant, award, regulation, and/or the UVA Vice-President for Research best practices webpage for guidance on additional security requirements.

Devices Not Meeting Security Requirements

In cases where University IT resources and privileges are threatened by other IT resources, Information Technology Services (ITS) and Health Information and Technology (Health IT) may act on behalf of the University to eliminate the threat by working with the relevant owners or overseers. In circumstances where these collaborative efforts fail or there is an urgent situation requiring immediate action, the IT resource may be disabled or disconnected from the network by ITS or Health IT (depending upon the location of the IT resource). This policy applies to all users of the University’s information technology resources, regardless of location or affiliation. See Revoking Information Technology Resource Privileges Standard.

Required Reporting

If you think a security incident has occurred, you must report it to University Information Security within one (1) hour from the time the incident is identified. Report the incident at the "Reporting a Security Incident” webpage (preferred) or by telephoning (434) 924-4165.  


3. Definitions

See the list of definitions for the Acceptable Use, Data Protection, Information Security, and Privacy & Confidentiality policies, standards, and procedures.

Device Inventory: an up-to-date list of devices owned and/or managed by a department. The list must include: Business Unit, Device Owner, Device Owner's Last Name, Device Owner's First Name, Device Owner's Computing ID, Device/Endpoint Manager, Device Name, Highest Data Sensitivity Accessed by Device, Shared or Single User Device, User Admin Level, Device Serial Number, Primary MAC/EHA Address, Other MAC/EHA Address, OS Version (Mac, PC, Linux), Other/Comments. If this list cannot be generated automatically by JAMF, KACE, or similar endpoint management software, a spreadsheet of similar format is acceptable.

Electronic device: electronic equipment, whether owned by the University or an individual, that has a storage device or persistent memory, including, but not limited to: desktop computers, laptops, tablets, servers, smart phones, and other mobile devices. For purposes of this definition, the term does not include IoT, networking, or medical devices.

 


4. Related Links


5. Exceptions

If you cannot meet this standard’s requirements, you must use the policy exception request process.

 


APPROVER: Chief Information Officer