IT Security Standard: Computing Devices - Documentation

Required

The following information, decisions and processes must be documented by the designated computing device administrator and available for review by the designated management authority.

All Devices

All Devices with Operating System Configuration Access

In addition to the above:

  • Network services required
  • Network configuration requirements
  • Method used to authenticate users
  • Method used to secure data when traversing the network based on applications and information residing on the device
  • Operating system / application patch method and schedule. The method must include verification of successful patch installation and a remediation process if patch installation is unsuccessful
  • Operating system and application log scope, review and retention schedules
  • Device and data recovery expectations and procedures
  • Backup schedule and scope
  • Backup retention schedule
  • Recovery test schedule
  • Method and schedule for detecting malicious software
  • Method and schedule for vulnerability testing in accordance with the Vulnerability Assessment and Management Standard
  • Computing device decommission date and data disposition date for associated storage media

Multi-user and Enterprise Computing Devices

In addition to the above:

  • Process for monitoring activity and responding to information security events
  • Process for making changes (e.g. separation of duties, change approvals, communication plans, change logs)
  • Process to confirm security configurations prior to deployment and on a documented schedule after deployment
  • Changes to the system (e.g. server administrator’s change log)
  • Process used to grant/change/remove user access in accordance with the Computer Account Standard
  • Process used to grant/change/remove administrator access in accordance with the Computer Account Standard
  • Process used to define and approve users/groups/roles and related access to files/programs that ensures the principle of “least user privileges”
  • Incident response expectations in accordance with the Incident Response Program
