Substantive Change: Security of Network-Connected Devices Standard

Author
dkg3x
Last modified
August 29, 2023 - 2:15pm

The standard, Security of Network-Connected Devices Standard, was extensively changed and renamed to Security of Connected Devices Standard.

Reviewing the revised standard carefully is highly recommended.

CHANGED

Title of the standard changed to “Security of Connected Devices”

First subtitle dropped “Network-” and added “All”, so the title is: “Security Requirements for All Connected Devices”

Second subtitle dropped “managed”, making the subtitle: “Additional Security Requirements For Any Devices Accessing, Collecting, Generating, Processing, Storing, Or Transmitting University Data”

Moved “Remove or disable unnecessary applications and services.” from the ADDITIONAL SECURITY REQUIREMENTS FOR ANY DEVICE ACCESSING, COLLECTING, GENERATING, PROCESSING, STORING, OR TRANSMITTING UNIVERSITY DATA section to the SECURITY REQUIREMENTS FOR ALL CONNECTED DEVICES section.

Existing item: “Vulnerability detection solution (such as Qualys Cloud Agent) must be used on devices meeting the following criteria:” changed to: “Qualys Cloud Agent, the UVA licensed Vulnerability Management solution, must be installed, configured, and running.”

Item: “Logs are configured in such a way to prevent alteration or deletion.” Re-worded to: “Device should be configured in such a way to prevent alteration or deletion of logs.”

Item: “Keep an inventory of devices up-to-date with all required information.” Re-worded to: “Schools and departments must keep an up-to-date inventory of all devices with all required information.”

Under Additional Security Requirements For Email Services

  • Item: “Should use a centralized authentication resource (e.g. Shibboleth, Active Directory) for account login.” Re-worded to: “Must use a centralized authentication resource (e.g., Shibboleth, Active Directory) or authentication resource approved by University Information Security for account login.”

ADDED 

Under SECURITY REQUIREMENTS FOR ALL CONNECTED DEVICES

  • “from Information Security” to the existing item: Devices with operating systems or firmware that have exceeded the end-of-life support from the vendor must have an approved exception.
  • “(such as Microsoft Defender for Endpoints)” to the existing item: Antimalware software must be installed, kept up to date, and running.
  • “Any suspected or actual security incident is reported to Information Security within one hour.”

Under Additional Security Requirements For Any Device Accessing, Collecting, Displaying, Generating, Processing, Storing, Or Transmitting University Data

  • “Computers owned by the Academic Division of the University, an employee of the Academic Division or sponsored account of the University that access, collect, generate, process, or transmit University data must comply with the requirements described in this section. The UVA College at Wise, the Health System, University-Associated Organizations and student owned computers are excluded from the requirements described in this section.”
  • “of patch release” appended to the end of the existing “within N calendar days” wording

Under Additional Security Requirements For Email Services

  • Must automatically send email and authentication logs to University Information Security’s Security Information and Event Management (SIEM) tool daily.
  • Must request Domain-based Message Authentication, Reporting and Conformance (DMARC) keys via the ITS Service Catalog request in order to send email as virginia.edu

Definitions

  • Device Inventory: an up-to-date list of devices owned and/or managed by a department. The list must include: Business Unit, Device Owner, Device Owner’s Last Name, Device Owner’s First Name, Device Owner’s Computing ID, Device/Endpoint Manager, Device Name, Highest Data Sensitivity Accessed by Device, Shared or Single User Device, User Admin Level, Device Serial Number, Primary MAC/EHA address, Other MAC/EHA address, OS Version (Mac, PC, Linux), Other/Comments. If this list cannot be generated automatically by JAMF, KACE or similar software, then a spreadsheet similar in format to the linked example spreadsheet is acceptable.
  • Electronic device: electronic equipment, whether owned by the University or an individual, that has a storage device or persistent memory, including, but not limited to: desktop computers, laptops, tablets, servers, smart phones, and other mobile devices. For purposes of this definition, the term does not include IoT, networking, or medical devices.

REMOVED

Under ADDITIONAL SECURITY REQUIREMENTS FOR ANY DEVICE ACCESSING, COLLECTING, GENERATING, PROCESSING, STORING, OR TRANSMITTING UNIVERSITY DATA

  • All sub-items under “Vulnerability Detection solution must be used . . .”