Certified Desktop Security Policy
This article applies to: Certified Desktop
Units agreeing to the terms of the Certified Desktop Memorandum of Understanding (MOU) will need to document a plan to implement effective data security technical measures. These measures are derived from CIT’s Operational Procedures for Information Security (“9 Points”).
To help ensure the success of these security measures, units must make configuration information available via Remedy’s Asset Management system. Units that have chosen to use CIT’s Endpoint Management Tools will find an easier path forward, as their configuration information will be delivered automatically to CIT through Remedy AMS.
While units are free to use their choice of local desktop management tools, to be eligible for the Certified Desktop program they must supply up-to-date configuration information to Remedy AMS. CIT will facilitate this process by working with units to enable Remedy AMS to gather system information from local management tools.
For reference, the desktop-related security measures include:
- All university-owned systems must employ a whole-disk encryption product that protects all local storage (that is, all drives in a system) and implements, centrally or locally, encryption key escrow.
- All devices must employ software that is patched up to date within 14 business days, including all vendor-described “critical” security patches.
- All devices must employ a locking screensaver that requires a strong password to unlock, with a timeout (inactivity period after which locking occurs) not longer than 30 minutes.
- Systems must be scanned with IdentityFinder / Spirion or an approved equivalent as agreed upon with ITSG, and any personal identifiers (SSN, credit card, bank account, driver license, or personal health information) that are no longer necessary should be removed.
- Systems must be protected with a contemporary endpoint anti-malware product.
- Systems must be protected with the cloud backup and recovery service Code42 (formerly CrashPlan).
Additionally, we recommend the following practices:
- Remote access to the system must be through a technology (VPN, RDP, or SSH) that employs two-factor authentication. Systems that use Wi-Fi must use eduroam when on campus.
- Learn to protect yourself and the university. Information about phishing and online scams is available in the list of Security and Policy articles.