Approved 06-2018
Effective Date: January 1, 2019 / January 1, 2020 (New / Existing)
R=required, P=preferred
Control | Description | Low | Moderate | High
--- | --- | --- | --- | ---
Patching | Patches are deployed at regular intervals following standard industry practice, and at least monthly. Depending on patch severity and the current threat, patches should be deployed more frequently or outside the published schedule. | R | R | R
Malware Protection | Antivirus software must be installed, running and automatically updated. | R | R | R
Administrative Access | Users of the device do not log in and do their daily work with an account that has administrative access. | R | R | R
Host-based Firewalls | A host firewall, such as Windows Firewall or iptables, must be turned on and configured to prevent unsolicited and unauthorized connections. | R | R | R
Regulated Data Security Controls | Implement the controls mandated by the applicable compliance standards or contractual obligations (e.g. PCI DSS, HIPAA, FISMA, Export Control, NIST). | R | R | R
Supported Hardware/Software | Hardware and software must be within a lifecycle supported by the vendor and eligible to receive security patches and updates. | R | R | R
Equipment Disposal | Devices are wiped before being discarded or handed to someone else for reuse. Discarded devices go to Surplus or the campus' approved e-waste vendor. | R | R | R
Passwords | Passphrases (16+ characters with complexity) are required for all accounts. | R | R | R
Credentials | A unique, centrally managed username and password (e.g. NetID) is issued and used to log in to the device. | P | R | R
Remote Access | Disabled, or limited to known users and IP addresses (e.g. RDP Gateway, Campus VPN). | P | R | R
Assigned IT Partner | The device is reviewed and supported by Central IT or a departmental IT Partner. | P | R | R
Security Review | Request a security review prior to implementation. | P | R | R
Inventory / Registration | Central IT or your IT partner is informed that the device exists, with a brief description of how it will be used. | P | R | R
Configuration Management | The device is centrally configured using a tool that allows security settings to be applied (e.g. KACE, Munki). | P | R | R
Vulnerability Checking | The device is scanned monthly for vulnerabilities and missing patches. Findings are verified and resolved, or mitigated, within 30 days. | P | R | R
Mobile Device Management | Tablets, smartphones and other mobile devices are registered with the campus mobile device management solution. | P | P | R
Managed Malware Protection | Centrally managed antivirus software must be installed. | P | P | R
Hardening | Center for Internet Security (CIS) benchmarks are reviewed and the appropriate recommendations accepted and implemented. | P | P | R
Joined to Domain | Windows computers are joined to the campus domain. | P | P | R
Two-step Login | Logging in requires a second factor, such as an app installed on your phone (Duo Security). | P | P | P
Whole Disk Encryption | Devices are encrypted using built-in encryption technology, such as BitLocker or FileVault. | P | P | P
Centralized Logging | Logs are sent to a central location for safekeeping. | P | P | P
Application Whitelisting | Allowed applications are explicitly defined and enforced; other applications cannot run without the device being reconfigured. | P | P | P
Dedicated Admin Workstation | Administrative accounts are accessed only from hardened, dedicated management computers. | P | P | P
An endpoint is defined as any laptop, desktop, or mobile device.