Minimum Security Standards for Sensitive Devices
The UGA Policies on Use of Computers policy outlines acceptable use of computing and network resources at UGA. The policy states that no one shall store confidential information on computers or transmit confidential information over University networks without protecting the information appropriately.
2.0 Objective / Purpose
This document outlines the minimum security standards that are required for devices that store or process sensitive or restricted University data. The purpose of these requirements is to reduce risks to the confidentiality and integrity of sensitive or restricted University data and to protect the privacy of members of the University community.
This standard applies to all University computers that store or process sensitive or restricted data. Requirements established within this document do not supersede any specific requirements imposed on UGA by Board of Regents policies, State and Federal laws, or contractual agreements.
4.1 All Devices
All devices that store or process sensitive data shall meet the following minimum security requirements:
4.1.1 Physical security — Devices shall be protected from unauthorized physical access and theft.
4.1.2 Login and authentication — Login or authentication procedures shall be used to prevent unauthorized logical access to devices. Password management and construction shall comply with the UGA Password Standard.
4.1.3 Protection against malicious code and malware — Reasonable controls shall be implemented to protect against malware and malicious code.
4.1.4 Security updates — Devices shall be kept up-to-date with current security patches and updates.
4.1.5 Responsibility for security — Responsibility for the security of a sensitive device and its data shall be assigned to an individual.
4.2 Server class devices
In addition to the requirements outlined above in section 4.1, all server class devices that store or process sensitive data shall meet the following minimum security requirements:
4.2.1 Physical security — Server class devices shall be placed within a protected and monitored area with a secure perimeter (e.g. walls, lockable doors and windows) that protects the system from unauthorized physical access.
4.2.2 Limit network access — Network access to sensitive systems shall be restricted to the least access necessary for the device to perform its function/mission.
4.2.3 Access control — Each user shall have a unique identifier (user ID/login name) that is assigned for their personal use only and is not shared, in accordance with the UGA Password Policy. Privileges shall be restricted and controlled in accordance with the principle of least privilege to reduce opportunities for unauthorized access to or misuse of the system.
Access and privileges shall be authorized by an appropriate authority and reviewed at regular intervals in accordance with the UGA Data Access Policy.
4.2.4 Secure login and authentication — Access shall be controlled with secure/encrypted log-on procedures in accordance with the UGA Password Policy.
4.2.5 Protection against brute force login attacks — Controls shall be put in place to limit failed login attempts.
4.2.6 Session controls — Controls shall be put in place to ensure that inactive sessions expire after a defined period of inactivity.
4.2.7 Logging and monitoring — System administrator and user activities and system events shall be logged. Logs shall be retained for a period of at least one year or a period deemed practicable by the University department/unit responsible for the security of the device.
4.2.8 Identification and management of vulnerabilities — Devices shall be hardened prior to implementation. Security updates shall be applied and unnecessary services disabled in order to minimize potential technical vulnerabilities.
Vulnerabilities shall be identified and evaluated using a routine process, and appropriate measures shall be taken to remediate significant vulnerabilities.
4.2.9 Change management — A formal process shall be adopted to review, approve, and test configuration changes before the changes are implemented to ensure that the changes do not adversely impact the operation or security of the device.
4.2.10 Encrypted transmission of data — Encrypted protocols or secure channels shall be used to transmit sensitive and restricted data to and from the device.
4.3 Desktop class devices
In addition to the requirements outlined above in section 4.1, all desktop class devices that store or process sensitive data shall meet the following minimum security requirements:
4.3.1 Physical security — Desktop devices shall be placed in reasonably secure areas, such as lockable offices, and not in publicly accessible areas.
4.3.2 Anti-malware software — Anti-malware software shall be used and kept up-to-date.
4.3.3 Software firewall — Firewall software shall be used and kept up-to-date.
4.3.4 Automatic security updates — Desktop devices shall be configured to automatically download and install security updates for operating systems and third-party applications whenever possible.
4.3.5 Auto-lock screens — Desktop devices shall be configured to automatically lock and require a logon after being unattended or inactive for a predefined period of time.
4.3.6 Least privilege for user accounts — User accounts shall be configured with the least privileges necessary for the users to perform their job/role.
4.3.7 Protection from drive-by malware — Reasonable methods shall be used to prevent or disable web-browsing capabilities on devices that store or process sensitive data. In cases where it is not possible to disable or prevent web browsing, alternative methods, such as application layer firewalls, proxy servers and web content filters, or application safe-listing, shall be implemented to protect against drive-by attacks and malware.
4.3.8 Remove sensitive data when no longer needed — Devices shall be configured to automatically delete temporary files, temporary internet files, clear web browser caches, etc.
A process shall be adopted to regularly review archived files and delete files containing sensitive or restricted data when the files are no longer needed.
4.3.9 Encrypt sensitive data — Sensitive or restricted data stored on the device shall be stored in encrypted files or within encrypted volumes.
4.4 Laptops, tablets, and mobile devices
In addition to the requirements outlined above in section 4.1, all laptop and mobile class devices that store or process sensitive data shall meet the following minimum security requirements:
4.4.1 Anti-malware software — Anti-malware software shall be used and kept up-to-date if such software is available for the device.
4.4.2 Software firewall — Firewall software shall be used and kept up-to-date if such software is available for the device.
4.4.3 Auto-lock — Devices shall be configured to automatically lock and require a logon, pin, or other means of authentication after being unattended or inactive for a predefined period of time.
4.4.4 Protection from theft — Whenever possible, the device should be protected from theft by storing the device in a secure location, anchoring with a security cable, etc.
Tracking/location software shall be installed or enabled on the device if practicable.
4.4.5 Automatic security updates — Devices shall be configured to automatically download and install security updates for operating systems and third-party applications whenever possible.
4.4.6 Least privilege for user accounts — User accounts shall be configured with the least privileges necessary for the users to perform their job/role.
4.4.7 Encrypt sensitive data — Sensitive or restricted data stored on the device shall be stored in encrypted files or within encrypted volumes.
5.0 Enforcement and Implementation
5.1 Roles and Responsibilities
Each University department/unit is responsible for implementing, reviewing, and monitoring internal policies, practices, etc. to ensure compliance with this standard.
The Office of the Chief Information Officer is responsible for enforcing this standard.
5.2 Consequences and Sanctions
Non-compliance with these standards may incur the same types of disciplinary measures and consequences as violations of other University policies, including progressive discipline up to and including termination of employment, or, in the cases where students are involved, reporting of a Student Code of Conduct violation.
Any device that does not meet the minimum security requirements outlined in this standard may be removed from the UGA network, disabled, etc. as appropriate until the device can comply with this standard.
Exceptions may be granted in cases where security risks are mitigated by alternative methods, or in cases where security risks are at a low, acceptable level and compliance with minimum security requirements would interfere with legitimate academic or business needs. To request a security exception, contact the Office of Information Security at firstname.lastname@example.org.