IT Security Standard: Computing Devices
Brief Description:
This standard describes the planning, installation, maintenance, change control, incident response and recovery elements required for computing devices. It applies to any university- or auxiliary-owned computing device.
Related Policy:
CSU Information Security Policy
- ISO Domain 12: Operations Security
- ISO Domain 9: Access Control Policy
- ISO Domain 11: Physical and Environmental Security Policy
Cal Poly Information Security Program (ISP)
Introduction:
Computing devices provide the means to access, process and store information. A compromise of any computing device threatens the security of university information and can also affect individuals and entities outside the university. This standard describes the minimum requirements the campus has identified in order to secure these devices at acceptable risk levels.
Scope:
This standard applies to computing devices:
- intended for connection to the Cal Poly data network, or
- containing information as described by the Cal Poly Information Classification and Handling Standard (separate login required), or
- residing on Cal Poly property, or
- managed by personnel in their capacity as a Cal Poly employee or Cal Poly auxiliary organization employee.
This standard exists to ensure that appropriate access, configuration, security and information technology controls are implemented and reviewed on a regular basis.
Standard:
Intended Use Type
In general, computing devices are intended for:
- a single user (e.g. computer, laptop, smartphone, tablet, etc.)
- multiple users (e.g. computer labs, shared office computers, check-out laptops/tablets, copiers, printers, etc.)
- enterprise services (e.g. web servers, application servers, database servers, file servers)
Associated Risk
The risk of a breach of data confidentiality, integrity or availability associated with a device depends on the purpose of the device and the information it processes or contains. Risk levels are defined as High, Medium and Low as described by the Information Security Asset Risk Level Definition.
The requirements of this standard are applied based on the intended use and associated risk.
Requirements must be applied to all devices unless noted for a specific use type or risk level.
Detailed Standards:
Requirements and recommendations are detailed in the following linked pages under each heading:
Documentation
Configuration, Maintenance, Access and Change Control:
- Physical Placement
- System Configuration and Maintenance
- Decommissioning and Data Disposition
- Patching
- Logging
- Encryption
- Configuration Audits
- Access
- Transport Security
Incident Response
Definitions
Responsibilities
Non-Compliance and Exceptions
Systems found in non-compliance with this standard may be removed from the network until they comply. If it is technically infeasible for an information resource to meet this standard, the responsible department must submit a request for exception to the AVP Information Technology Services/CIO and the ISO for review and approval.
Related Procedures and Resources
- Information Security Asset Risk Level Definition
- Computer Account Standard
- CSU TIP Standards
- IP Address Request Form
- Network Security Standard
- Procedure for Removing a Device from the Network
- Disposition of Protected Data
- University Property Control Procedures
- Cal Poly Password Standard
- Vulnerability Assessment and Management Standard
- Incident Response Program and Incident Response Practice
Implementation
| Effective Date: | 9/30/2010 |
|---|---|
| Review Frequency: | Annual |
| Responsible Officer: | Vice Provost/Chief Information Officer |
Revision History
| Date | Action | Pages |
|---|---|---|
| 8/5/2013 | Made minor revisions to content, updated links and reformatted as HTML pages | All |
| 9/30/2010 | Release of new document by ITS | All |