IT Security Standard: Computing Devices
This standard describes the planning, installation, maintenance, change control, incident response and recovery elements required for computing devices. This standard applies to any university or auxiliary-owned computing device.
- ISO Domain 12: Operations Security
- ISO Domain 9: Access Control Policy
- ISO Domain 11: Physical and Environmental Security Policy
Computing devices provide the means to access, process and store information. Compromised access to any computing device threatens the university’s information security, including individuals and entities outside of the university. This standard describes the minimum requirements the campus has identified in order to secure the devices at acceptable risk levels.
This standard applies to computing devices:
- intended for connection to the Cal Poly data network, or
- containing information as described by the Cal Poly Information Classification and Handling Standard (separate login required), or
- residing on Cal Poly property or
- managed by personnel in their capacity as a Cal Poly employee or Cal Poly auxiliary organization employee.
This standard exists to ensure that appropriate access, configuration, security and information technology controls are implemented and reviewed on a regular basis.
Intended Use Type
In general, computing devices are intended for:
a single user (e.g. computer, laptop, smartphone, tablet, etc.)
multiple users (e.g. computer labs, shared office computers, check-out laptops/tablets, copiers, printers, etc.)
enterprise services (e.g. web servers, application servers, database servers, file servers)
The risk of a breach of data confidentiality, integrity or availability associated with a device depends on the purpose of the device and the information it processes or contains. Risk levels are defined as High, Medium and Low as described by the Information Security Asset Risk Level Definition.
The requirements of this standard are applied based on the intended use and associated risk.
Requirements must be applied to all devices unless noted for a specific use type or risk level.
Requirements and recommendation are detailed in the following linked pages under each heading:
Configuration, Maintenance, Access and Change Control:
Non-Compliance and Exceptions
Systems found in non-compliance with this standard may be removed from the network until they do comply. If it is technically infeasible for an information resource to meet this standard, departments must submit a request for exception to the AVP Information Technology Services/CIO and ISO for review and approval.
Related Procedures and Resources
- Information Security Asset Risk Level Definition
- Computer Account Standard
- CSU TIP Standards
- IP Address Request Form
- Network Security Standard
- Procedure for Removing a Device from the Network
- Disposition of Protected Data
- University Property Control Procedures
- Cal Poly Password Standard
- Vulnerability Assessment and Management Standard
- Incident Response Program and Incident Response Practice
|Responsible Officer:||Vice Provost/Chief Information Officer|
Made minor revisions to content, updated links and reformatted as HTML pages
|9/30/2010||Release of new document by ITS||All|