Purpose

This standard defines the minimum required security controls for endpoint devices (e.g., desktop computers, laptops, tablets, or similar) owned by the University for access to University of Oregon ("University") computing and information resources, as required by the Information Asset Classification and Management Policy ( IV.06.02 )

Applies To

Requirements identified herein reduce risks to the confidentiality, integrity and availability of University data and systems (“information assets”).

Definitions

See ISO Standards - Glossary and Iconography for details.

Standard

  • University owned endpoints SHALL be inventoried and managed by the IT unit or individual providing support, using processes and systems approved by the Information Security Office.
  • University owned endpoints SHALL apply controls associated with the appropriate risk level for the data the endpoints will process, store or access, as specified on Table 1: Endpoint Standard - Classification Designation.

Associated Controls

Table 1: Endpoint Standard - Classification Designations
 

Information System Classification

M - Mandatory; R - Recommended; NR - Not Required; 

UO ControlsHigh Risk (Red)Moderate Risk (Amber)Low Risk (Green)
UO.1 CMS: RegistrationMMM
UO.2 CMS: Management (OS)MMM
UO.3 CMS: Management (Apps)MMR
UO.4 Vulnerability ScanningMMM
UO.8 Resources are Prioritized Based on their Classification MMM
UO.15 Physical SecurityMMM
UO.1 CMS: RegistrationMMR
UO.17 System HardeningMMR
UO.19 Security UpdatesMMM
UO.20 Application Block ListingMMR
UO.21 Anti-MalwareMMM
UO.22 Auto-Lock Screen or ConsolesMMM
UO.23 Firewall: HostingRRR
UO.25 Encryption: Data-at-RestMRNR
UO.26 Encryption: Data-in-TransitMRNR
UO.27 Encryption: Full DiskMMR
UO.32 User Access Control: Limit Failed Login Attempts MMR
UO.33 User Access Control: Inactive Session TimeMMR
UO.34 User Access Control: Two-Factor Authentication MMR
UO.41 Data is Destroyed According to PolicyMMM
UO.45 Logging and RetentionMMM
UO.46 Log MonitoringMMM
UO.48 Incident Recovery: Backup & RecoveryMRR
UO.49 Incident Recovery: Restoration TestingMMR
UO.56 Separation of System and User FunctionalityMMR

Approved Processes and Systems

  • Microsoft System Center Configuration Management (SCCM)
  • Microsoft Endpoint Configuration Management (MECM)
  • Microsoft Intune
  • Jamf Apple Device Management
  • Puppet Enterprise

Requesting Exceptions

In the event the standard cannot be achieved by reasonable means, you can request an exception by completing the Information Security Standard Exception Request form. Be ready to provide details as to why the standard can't be followed, the duration of the exception request and mitigating controls being put in place to meet the requirement.

Reporting Inappropriate Use of Access

Any user who suspects a violation of the policy should report the suspected violation to University Audit using the EthicsPoint System. EthicsPoint is available here.

Violations of this standard could include failing to register the system with the vulnerability scanning service, not allowing root or administrator access to system from the vulnerability scanning service, or misuse of any of the information in the vulnerability scanning service.

Implementation Guidelines

Guidelines related to the implementation of this standard can be found on the Information Security Office website .

Additional Information

If you have any questions or comments related to this Standard, please send an email to the University Information Security Office at infosec@uoregon.edu .

Additional information can also be found visiting the following resources:

Revision History

Revision History
VersionPublishedAuthorDescription
1.008/09/2022Information Security Office (ISO)Original publication
Publication
Status:Standard
Published:08/09/2022
Last Reviewed:08/09/2022
Last Updated:08/09/2022
Approvals
 Date DiscussedDate Approved
Information Security and Privacy - Governance Sub-Committee (ISP-GC)09/21/2022 
Chief Information Security Officer