Standard and Process

See the specific requirements in the Systems and Device Management Standard in the University Policy Library. The following supplements the requirements in University policy.

Management of Systems and Devices

Systems and devices must be managed to help protect the University’s data and network. Management of these systems and devices includes, but is not limited to:

  • installing the operating system and application patches;
  • utilizing vendor or open-source supported operating systems and applications;
  • using a host-based firewall;
  • managing the configuration of the system;
  • managing user accounts: enabling, disabling, adding, and removing; and
  • maintaining up-to-date anti-virus protection.


System configurations must be managed. This includes applying and reviewing security configuration settings. The configuration should use industry-accepted hardening standards (e.g., CIS, NIST).

Configure the device to operate with user-level privileges. Use the configuration setting to prompt the user if administrative-level privilege is needed.

Device Encryption

Encrypt data stored on the hard drive, on removable media (e.g., USB, flash drive, DVD), or shared through a storage device (e.g., external drive).

Configure the device to:

  • encrypt the data at the file or full disk-level;
  • use industry-standard strong encryption (a minimum of 128-bit AES or other NIST (SP 800-111) approved algorithm);
  • use a FIPS 140-2 certified application to encrypt HIPAA or ePHI data.

Device Firewall

Configure the firewall to deny all network traffic and applications by default. Use the appropriate configuration management tools to allow specific network traffic or applications on a case-by-case basis. See the Log Management Standard for firewall log requirements.

Desktops, laptops, servers, and mobile devices should use the operating system's built-in firewall or other software firewalls. Device firewalls can be, and often are, used jointly with network firewalls.

Maintain a general document that classifies applications and traffic and explains the need and use for access to the device or network.

Where documentation is required, maintain detailed documentation for the requirements and business justification for each rule. Periodically review the documentation and firewall ruleset to ensure that they are still needed and are correctly implemented. Document all reviews and changes to the firewall ruleset. Follow the appropriate change control process for firewall rule changes.

Backup & Recovery of Software, System Configuration

Software and system configurations must be backed up and backup copies retained and tested so that systems are recoverable in accordance with the backup and recovery plan for the system. If the system or software can be reconstructed using other methods, backups may not be needed.

Virus/Malware Protection

University IT resources must have a current version of anti-virus/malware software (or virus filtering software). Configure the software to meet the requirements described below.

To protect against the spread of viruses on University computers and reduce institutional risk, the University recommends a "two-tier" virus/malware protection standard. Two-tier protection means that software is used on both the desktop and server.

The unit or individual directly responsible for the data or system must ensure that the system has the appropriate anti-virus/malware software, configuration and audit logs.

Configure the anti-virus/malware software or application for:

  • live or real-time updates (at least daily);
  • file system real-time protection;
  • full scan (at least weekly);
  • on-demand scans by a user (on device disk, individual files or removable media);
  • alert on deactivation or activation; and
  • retention of anti-virus audit logs.

Device Physical Security

The physical security of devices must be maintained and periodically reviewed to meet compliance or regulatory requirements. For servers, see the Data Center Security standard.

Units should designate who is responsible for periodically reviewing and assessing the physical security controls that should be in place for their environment.

User Education

Users should know:

  • encryption does not protect the data if someone else uses your password associated with the encryption;
  • encryption should be used on all devices and storage media (e.g., CD, DVD, flash drive, memory stick, mobile phone);
  • encryption may not be allowed in some foreign countries, so be aware of this when traveling;
  • periodically check that the device firewall is turned on;
  • anti-virus/malware software needs to be run on devices capable of running the software;
  • immediately take action on alerts from anti-virus/malware software;
  • viruses/malware can infect systems through various day-to-day activities including, but not limited to:
      • email and email attachments
      • disk, CD, or other portable media
      • software downloaded from the internet
      • web browsing;
  • once a device is infected, virus/malware software may or may not be able to quarantine or remove the infection; re-installation may be required, and files stored on the device may not be recoverable;
  • suspicious virus/malware activity should be reported to the Help Desk/Service Desk ([email protected]).

Technical staff is responsible for working with users to:

  • configure and harden the system configuration;
  • use industry-standard strong encryption;
  • use a host-based firewall;
  • use virus/malware protection;
  • develop software and system configuration backup and recovery plans for University IT resources;
  • identify options for providing physical security for devices.

Users, data owners, and data custodians are responsible for working with Technical staff to:

  • maintain the security of their devices;
  • understand the backup plan and recovery options for the devices or applications they have been assigned ownership of;
  • follow the practices to maintain the physical security of their devices.

See the Information Security policy appendices for additional information security standards that also apply.

More Information

Document Management

Document Responsibility and History

  • Document Owner: University Information Security
  • Document Approvers: Brian Dahlin, Chief Information Security Officer; Bernard Gulachek, VP of Information Technology and Chief Information Officer
  • Effective Date: August 2010
  • Last Reviewed Date: May 2019