IT Security Standard: Computing Devices - Access, Transport Security, Change Control, and Incident Response

Access - Required

All Devices

  • Unnecessary (default) system accounts are removed and system and administrator accounts changed from default settings
  • All account passwords adhere to campus password standards.
  • User access is defined using the principle of “least privilege”.
  • Access to services and/or data is granted via groups/roles.
  • In the event of compromise, all affected accounts (administrator and user) must be revoked and/or passwords changed.
  • When using elevated privileges:
    • Elevate only when needed to accomplish a task
    • Reduce privileges to “least privilege” once the task is accomplished

Multi-user and Enterprise Computing Devices

  • The number of consecutive invalid login attempts is limited based on the campus password standard.
  • Sessions are locked or disconnected after a defined period of inactivity, e.g., 15 minutes.

All Devices

  • Use of a centralized account provisioning services

Transport Security

All Computing Devices

  • Websites must be secured with inCommon certificate (e.g., HTTPS)
  • Transport Layer Security (TLS) must be properly configured, to include upgrading to newest versions as soon as practicable or protocol has reached end of life

Change Control - Required

All Devices

  • Granting, changing and removing access must follow the defined process for the computing device.
  • Configuration changes must follow the defined process for the computing device.

High Risk Enterprise Computing Devices

  • Configuration changes must be made on a test computing device and a documented test plan implemented prior to deployment on a production computing device.

Incident Response - Required

All Devices

  • Logs must be reviewed based on the risk assessment for the computing device and system administrators must respond to discovered events following the university incident response standard procedure
  • System administrators follow campus incident response procedures
  • System administrator(s) log response activities
  • A device may be removed from the campus network by the Office of the CIO if deemed necessary until the risk posed by the device has been removed.


Continue to Definitions | Return to Table of Contents

Related Content

Best Practices

10 Best Pactices

Our 10 Best Pactices

Contact Us

Contact Information Security at 756-7000


Did you know?

Stay Safe Online Tips