Minimum Security Standards for Networked Devices
The UGA Policies on Use of Computers outlines acceptable use of computing and network resources at UGA. The Policy states that no one shall connect a computer to the University network unless it meets technical and security standards set by the University Administration.
2.0 Objective / Purpose
This document outlines the minimum security standards that are required for devices connected to the UGA Network, enforcement procedures, and procedures for requesting an exception to the standard. The purpose of these requirements is to reduce risk to the security of individual systems and data and to reduce risks to the operation of the UGA Network.
This standard applies to all devices connected to the UGA Network, including privately owned devices. Examples of these devices include laptop computers, tablets, smartphones, and printers.
4.1 Security updates
Networked devices shall have all applicable security updates installed as soon as practicable or, at a minimum, within 2 weeks of the security update release date.
4.2 Anti-malware software
Anti-malware software shall be used and kept up-to-date on devices where the use of such software is practical.
4.3 Software firewall
Firewall software shall be used and kept up-to-date on devices that have firewall software capabilities.
4.4 Access control
Devices shall require sign-on or login for users. Users shall be authenticated by means of passwords or by other authentication processes (e.g. biometrics or Smart Cards). In general, only encrypted authentication mechanisms or protocols shall be used. When passwords are used, password construction and management shall comply with the UGA Password Standard.
4.5 Unauthenticated email relays and proxy services
Devices shall not operate as an unauthenticated email relay or proxy service.
4.6 Unnecessary services
Services that are not necessary for the device to perform its function or mission shall be disabled.
5.0 Enforcement and Implementation
5.1 Roles and Responsibilities
Each University department/unit is responsible for implementing, reviewing, and monitoring internal policies, practices, etc. to ensure compliance with this standard.
The Office of Chief Information Officer is responsible for enforcing this standard.
5.2 Consequences and Sanctions
Non-compliance with these standards may incur the same types of disciplinary measures and consequences as violations of other University policies, including progressive discipline up to and including termination of employment, or, in the cases where students are involved, reporting of a Student Code of Conduct violation.
Any device that does not meet the minimum security requirements outlined in this standard may be removed from the UGA network, disabled, etc. as appropriate until the device can comply with this standard.
Exceptions may be granted in cases where security risks are mitigated by alternative methods, or in cases where security risks are at a low, acceptable level and compliance with minimum security requirements would interfere with legitimate academic or business needs. To request a security exception, contact the Office of Information Security at firstname.lastname@example.org.