Body
Overview
The standards defined in this document are intended to reflect the minimum requirements for computing devices to protect UAH data and assets. These standards are not intended to supersede specific security requirements set forth by the requirements obligated by law, regulation, or contract. Schools, departments, and other organizations may impose more restrictive requirements on computing devices.
All endpoints are subject to these standards, including but not limited to laptops, desktops, and servers. IT groups are recommended to prioritize systems that process higher classification level of data as defined by the UAH Protection of Data Policy. These standards are intended to support the UAH Security of IT Resources policy.
Minimum Security Standards for Computing Devices
Standard #1: All devices that are capable of running Crowdstrike should have it installed and configured to connect to the UAH instance. To aid in incident response, all IT staff should assist in appropriate labeling and identification within the Crowdstrike product.
Standard #2: All operating systems and applications should be patched in accordance with the Campus Vulnerability Management Plan.
Standard #3: Only the supported versions of operating systems and applications should be connected to UAH networks. Operating systems and applications should be configured to regularly check for patches and update to the latest supported version.
Standard #4: All IT organizations should use the OIT-supplied Trusted Identity Management System for authentication except where not technically possible.
Standard #5: All IT organizations shall follow standards, policies, and requirements published by OIT and approved by the UAH CIO or their designee.
Standard #6: Any system that provides services to individuals off campus must meet higher security standards. These systems shall be appropriately secured and protected against vulnerabilities as soon as technically feasible. They will be protected by both network and host firewalls and registered with OIT. In addition, these systems will have the minimum number of privileged accounts as operationally necessary and will not be manageable directly from systems on the Internet. Remote maintenance should be performed by connecting to the UAH VPN first.
Standard #7: Wherever technically feasible, all systems shall be configured to utilize the OIT-provided Multifactor Authentication solution.
Requests for exceptions to these standards should be submitted to the CISO and CIO via the exception process for consideration. Please see OIT's Support Exception Service Request for more information.
Still Need Help?
If you have additional questions about the information described in this article, please contact the OIT Help Desk.