IT Security Standard: Computing Devices - System Configuration and Maintenance


All Devices

  • The computing device must be registered with ITS/Network Administration before attaching to the campus network in a trusted asset or critical asset zone.
  • A copy of the administrative password(s) must be retained in a secure location by the designated management authority for the computing device.
  • Computing devices must run operating system versions that are fully supported with pertinent security patches available from the vendor.
  • Appropriate encryption requirements must be applied for all storage media, (including but not limited to internal, external and portable storage), backup media and data transported across the network.

All Devices with Operating System Configuration Access

  • Computing devices must have controls in place to limit network connections to only authorized users or services (e.g. host-based firewall).
  • Computing devices must have controls in place to detect and remove malicious software.  The controls must be capable of detecting the presence of malicious software at the time of access and during regular system scans.  (e.g. anti-malware software capable of live and scheduled scans) .  Scans for malicious software must be performed and reported as defined by the method and schedule for the device. 
  • Vulnerability testing must be performed as defined for the device in accordance with the Vulnerability Assessment and Management Standard.
  • The baseline system image must be restricted to read only access except for personnel authorized to manage the image.
  • Network access during initial installation or upgrades is limited to that which is required to perform the install/upgrade.
  • Network access is restricted to protocols and/or services required to support the purpose of the computing device. 

High Risk Enterprise Computing Devices

  • Network access restrictions using host-based configurations only are not sufficient.  These devices must be placed in a Critical Asset Zone to ensure additional network based controls are in place.  
  • A copy of system backups are stored in a remote location, at a sufficient distance to escape any damage from a disaster at the computing device location.

Device, Computing Environments, and Software Hardening

  • Computing device operating systems, cloud/virtualized computing environments (e.g. AWS, VMWare), and applicable software must be hardened to applicable Center for Internet Security (CIS) Standards.
  • Applied CIS Standards must be reviewed annually and updated to the latest published CIS Standard. 
    • A grace period of 3 months is allowed for projects dedicated to transitioning endpoints or applications to the most current CIS Standard.
  • Exceptions to CIS Standard can be applied universally, or per individual endpoint or application.
    • Lack of hardening must address an operational concern.
    • Hardening should be tailored to the minimum set of applicable endpoints and applications.
    • Exceptions must be documented, reviewed, and approved by the Cal Poly Information Security Office.

All Devices

  • Use of a centralized authentication services
  • A copy of system backups are stored in a remote location, at a sufficient distance to escape any damage from a disaster or equipment failure.
  • Implement an automated notification system to send system administrator(s) information about key activities such as suspicious events, events that may cause service interruptions (e.g. full disk partitions), failed backups, etc.


Continue to Decomissioning and Data Disposition | Return to Table of Contents

Related Content

Best Practices

10 Best Pactices

Our 10 Best Pactices

Contact Us

Contact Information Security at 756-7000


Did you know?

Stay Safe Online Tips