IT Security Standard: Computing Devices

Brief Description:

This standard describes the planning, installation, maintenance, change control, incident response and recovery elements required for computing devices. This standard applies to any university or auxiliary-owned computing device.

CSU Information Security Policy

Cal Poly Information Security Program (ISP)


Computing devices provide the means to access, process and store information.  Compromised access to any computing device threatens the university’s information security, including individuals and entities outside of the university.  This standard describes the minimum requirements the campus has identified in order to secure the devices at acceptable risk levels. 


This standard applies to computing devices:

  • intended for connection to the Cal Poly data network, or
  • containing information as described by the Cal Poly Information Classification and Handling Standard (separate login required), or
  • residing on Cal Poly property or
  • managed by personnel in their capacity as a Cal Poly employee or Cal Poly auxiliary organization employee.  

This standard exists to ensure that appropriate access, configuration, security and information technology controls are implemented and reviewed on a regular basis.


Intended Use Type

In general, computing devices are intended for:

  • a single user (e.g. computer, laptop, smartphone, tablet, etc.)
  • multiple users (e.g. computer labs, shared office computers, check-out laptops/tablets, copiers, printers, etc.)
  • enterprise services (e.g. web servers, application servers, database servers, file servers)

Associated Risk

The risk of a breach of data confidentiality, integrity or availability associated with a device depends on the purpose of the device and the information it processes or contains.  Risk levels are defined as High, Medium and Low as described by the Information Security Asset Risk Level Definition.

The requirements of this standard are applied based on the intended use and associated risk. 

Requirements must be applied to all devices unless noted for a specific use type or risk level.

Detailed Standards:

Requirements and recommendation are detailed in the following linked pages under each heading:


Configuration, Maintenance, Access and Change Control:

Incident Response



Non-Compliance and Exceptions

Systems found in non-compliance with this standard may be removed from the network until they do comply.  If it is technically infeasible for an information resource to meet this standard, departments must submit a request for exception to the AVP Information Technology Services/CIO and ISO for review and approval.


Effective Date: 9/30/2010
Review Frequency: Annual
Responsible Officer: Vice Provost/Chief Information Officer

Revision History

Date Action Pages

Made minor revisions to content, updated links and reformatted as HTML pages

9/30/2010 Release of new document by ITS All


Related Content

Best Practices

10 Best Pactices

Our 10 Best Pactices

Contact Us

Contact Information Security at 756-7000


Did you know?

Stay Safe Online Tips