Endpoint Management Standard

Purpose

·      This standard defines the minimum required security controls for endpoint devices (e.g., desktop computers, laptops, tablets, or similar) owned by the University for access to University of Oregon ("University") computing and information resources, as required by the Information Asset Classification and Management Policy (IV.06.02).

·      Requirements identified herein reduce risks to the confidentiality, integrity and availability of University data and systems (“information assets”).

Applies To

This Standard applies to University owned endpoint devices.

Definitions

See ISO Standards - Glossary and Iconography for details.

Standard

·      University owned endpoints SHALL be inventoried and managed by the IT unit or individual providing support, using processes and systems approved by the Information Security Office.

·      University owned endpoints SHALL apply the controls associated with the appropriate risk level for the data the endpoints will process, store or access, as specified in Table 1.

ASSOCIATED CONTROLS

Endpoint Standard – Classification Designations

Information System Classification
Legend: M – Mandatory; R – Recommended; NR – Not Required

UO Controls                                                    High Risk (Red)   Moderate Risk (Amber)   Low Risk (Green)
UO.1  CMS: Registration                                        M                 M                       M
UO.2  CMS, Management (OS)                                     M                 M                       M
UO.3  CMS, Management (Apps)                                   M
UO.4  Vulnerability Scanning                                   M                 M
UO.8  Resources are prioritized based on their classification  M                 M                       M
UO.15 Physical Security                                        M                 M
UO.17 System Hardening                                         M                 M                       R
UO.19 Security Updates                                         M                 M                       R
UO.20 Application Block listing                                M                 M                       R
UO.21 Anti-Malware                                             M                 M                       M
UO.22 Auto-lock screens or consoles                            M                 M                       R
UO.23 Firewall: Host-based                                     R                 R                       R
UO.25 Encryption: Data-at-Rest                                 M                 R                       NR
UO.26 Encryption: Data-in-Transit                              M                 R                       NR
UO.27 Encryption: Full Disk                                    M                 M                       R
UO.32 User Access Control: Limit Failed Login Attempts         M                 M                       R
UO.33 User Access Control: Inactive Session Timeout            M                 M                       R
UO.34 User Access Control: Two-Factor Authentication           M                 M                       R
UO.41 Data is destroyed according to policy                    M                 M                       M
UO.45 Logging and Retention                                    M                 M                       M
UO.46 Log Monitoring                                           M                 M                       M
UO.48 Incident Recovery: Backup & Recovery                     M                 R                       R
UO.49 Incident Recovery: Restoration Testing                   M                 M                       R
UO.56 Separation of system and user functionality              M                 M                       R

Table 1

Approved Processes and Systems

·      Microsoft System Center Configuration Management (SCCM)

·      Microsoft Endpoint Configuration Management (MECM)

·      Microsoft Intune

·      Jamf Apple Device Management

·      Puppet Enterprise

REQUESTING EXCEPTIONS

In the event the standard cannot be achieved by reasonable means, you can request an exception by completing the Information Security Standard Exception Request form. Be ready to provide details as to why the standard cannot be followed, the duration of the requested exception, and the mitigating controls being put in place to meet the requirement.

REPORTING INAPPROPRIATE USE OF ACCESS

Any user who suspects a violation of the policy should report the suspected violation to University Audit using the EthicsPoint System. EthicsPoint is available here.

Violations of this standard could include failing to register the system with the vulnerability scanning service, not allowing root or administrator access to the system from the vulnerability scanning service, or misuse of any of the information in the vulnerability scanning service.

Implementation Guidelines

Guidelines related to the implementation of this standard can be found on the Information Security Office website.

Additional Information

If you have any questions or comments related to this Standard, please send an email to the University Information Security Office at infosec@uoregon.edu.

Additional information can also be found by visiting the following resources:

·       University Information Security Program Policy

https://policies.uoregon.edu/vol-4-finance-administration-infrastructure/ch-6-information-technology/information-security-program

·       University Acceptable Use Policy

https://service.uoregon.edu/TDClient/KB/ArticleDet?ID=30997

https://service.uoregon.edu/TDClient/KB/ArticleDet?ID=30999

·       University Information Asset Classification & Management Policy

https://policies.uoregon.edu/vol-4-finance-administration-infrastructure/ch-6-information-technology/information-asset

·       Data Security Classification Table

https://infosec.uoregon.edu/data-security-classification-table

·       NIST 800-53

https://www.nist.gov/privacy-framework/nist-sp-800-53

Revision History

Version   Published    Author                              Description
1.0       08/09/2022   Information Security Office (ISO)   Original publication

Status: Standard
Published: 08/09/2022
Last Reviewed: 08/09/2022
Last Updated: 08/09/2022


Approval Block:

Approving Body                                                         Date Discussed   Date Approved
Information Security and Privacy – Governance sub-Committee (ISP-GC)   09/21/2022

Chief Information Security Officer: