IT Security Standard: Computing Devices - Access, Transport Security, Change Control, and Incident Response

Access - Required

Unnecessary (default) system accounts are removed and system and administrator accounts changed from default settings
All account passwords adhere to campus password standards.
User access is defined using the principle of “least privilege”.
Access to services and/or data is granted via groups/roles.
In the event of compromise, all affected accounts (administrator and user) must be revoked and/or passwords changed.
When using elevated privileges:
- Elevate only when needed to accomplish a task
- Reduce privileges to “least privilege” once the task is accomplished

The number of consecutive invalid login attempts is limited based on the campus password standard.
Sessions are locked or disconnected after a defined period of inactivity, e.g., 15 minutes.

Websites must be secured with inCommon certificate (e.g., HTTPS)
Transport Layer Security (TLS) must be properly configured, to include upgrading to newest versions as soon as practicable or protocol has reached end of life

Granting, changing and removing access must follow the defined process for the computing device.
Configuration changes must follow the defined process for the computing device.

Configuration changes must be made on a test computing device and a documented test plan implemented prior to deployment on a production computing device.

Logs must be reviewed based on the risk assessment for the computing device and system administrators must respond to discovered events following the university incident response standard procedure
System administrators follow campus incident response procedures
System administrator(s) log response activities
A device may be removed from the campus network by the Office of the CIO if deemed necessary until the risk posed by the device has been removed.