· This standard defines the minimum required security controls for endpoint devices (e.g., desktop computers, laptops, tablets, or similar) owned by the University for access to University of Oregon ("University") computing and information resources, as required by the Information Asset Classification and Management Policy (IV.06.02)
· Requirements identified herein reduce risks to the confidentiality, integrity and availability of University data and systems (“information assets”).
Applies To
This Standard applies to University owned endpoint devices.
Definitions
See ISO Standards - Glossary and Iconography for details.
Standard
· University owned endpoints SHALL be inventoried and managed by the IT unit or individual providing support, using processes and systems approved by the Information Security Office.
· University owned endpoints SHALL apply controls associated with the appropriate risk level for the data the endpoints will process, store or access, as specified on Table1.
ASSOCIATED CONTROLS
Endpoint Standard – Classification Designations | |||
| Information System Classification M – Mandatory; R – Recommended; NR – Not Required | ||
UO Controls | High Risk (Red) | Moderate Risk (Amber) | Low Risk (Green) |
M | M | M | |
M | M | M | |
M | M | R | |
M | M | M | |
UO.8 Resources are prioritized based on their classification | M | M | M |
M | M | R | |
M | M | R | |
M | M | R | |
M | M | R | |
M | M | M | |
M | M | R | |
R | R | R | |
M | R | NR | |
M | R | NR | |
M | M | R | |
M | M | R | |
M | M | R | |
M | M | R | |
M | M | M | |
M | M | M | |
M | M | M | |
M | R | R | |
M | M | R | |
M | M | R | |
Table 1
Approved Processes and Systems
· Microsoft System Center Configuration Management (SCCM)
· Microsoft Endpoint Configuration Management (MECM)
· Microsoft Intune
· Jamf Apple Device Management
· Puppet Enterprise
REQUESTING EXCEPTIONS
In the event the standard cannot be achieved by reasonable means, you can request an exception by completing the Information Security Standard Exception Request form. Be ready to provide details as to why the standard can't be followed, the duration of the exception request and mitigating controls being put in place to meet the requirement.
REPORTING INAPPROPRIATE USE OF ACCESS
Any user who suspects a violation of the policy should report the suspected violation to University Audit using the EthicsPoint System. EthicsPoint is available here.
Violations of this standard could include failing to register the system with the vulnerability scanning service, not allowing root or administrator access to system from the vulnerability scanning service, or misuse of any of the information in the vulnerability scanning service.
Implementation Guidelines
Guidelines related to the implementation of this standard can be found on the Information Security Office website.
Additional Information
If you have any questions or comments related to this Standard, please send an email to the University Information Security Office at infosec@uoregon.edu .
Additional information can also be found visiting the following resources:
· University Information Security Program Policy
· University Acceptable Use Policy
https://service.uoregon.edu/TDClient/KB/ArticleDet?ID=30997
https://service.uoregon.edu/TDClient/KB/ArticleDet?ID=30999
· University Information Asset Classification & Management Policy
· Data Security Classification Table
https://infosec.uoregon.edu/data-security-classification-table
https://www.nist.gov/privacy-framework/nist-sp-800-53
Revision History
Version | Published | Author | Description |
1.0 | 08/09/2022 | Information Security Office (ISO) | Original publication |
Status: | Standard |
Published: | 08/09/2022 |
Last Reviewed: | 08/09/2022 |
Last Updated: | 08/09/2022 |
Approval Block: | ||
| Date Discussed | Date Approved |
Information Security and Privacy – Governance sub-Committee (ISP-GC) | 09/21/2022 |
|
Chief Information Security Officer: |
|
|