Secure Computer Management Standard
Purpose
Computers are the tools generally used to process, transmit, and store University data. University data is often sensitive in nature. Therefore, University computers must adhere to the Information Security Computer Management Standard.
Scope
This standard shall apply to all computers which process, store, or transmit University data (e.g. laptop or desktop tower). Management of University computers includes, but is not limited to:
- Installing and patching supported operating systems and applications.
- Enabling host-based network protections such as a firewall.
- Configuring the system settings such as enabling a screen lock.
- Maintaining endpoint protections such as anti-virus.
- Adding, removing, disabling, and enabling user accounts and permissions.
Standard
Configuration: There are a wide variety of system configuration settings that can impact the security of a system. These settings must be managed. These computer configuration settings should conform to best-practice industry hardening guidelines (e.g. NIST, CIS, DISA, NSA) as follows:
- Deployed computers should have a defined
- User permissions shall default to standard user permissions.
- Users shall be prompted to elevate to administrator-level permissions, if needed.
- Users shall not log in to computers with elevated permissions.
Patching: Most system compromises can be directly linked to a specific vulnerability in an application or the operating system that had not been patched. If unpatched computers are compromised, they could be used to "pivot" to other higher value targets within the institution.
Managed computers must be patched in accordance with the . All critical vulnerabilities must be patched within thirty days of the vendor release. All high severity vulnerabilities must be patched within sixty days of the vendor release.
A maintenance window must also be defined in order to restart the system. Many critical and high vulnerabilities have patches that require a system restart in order to provide effective protection.
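The thirty-day and sixty-day patching windows above can be checked mechanically against a vulnerability inventory. The following is an added example (not part of the standard) that computes the deadline for each finding and flags hosts that are out of compliance, treating a patch that still awaits its restart as not yet effective; the host names, vulnerability labels and dates are constructed sample data.

```python
from datetime import date, timedelta

# Windows taken from the standard: critical within 30 days, high within 60 days
# of the vendor release. Other severities carry no deadline in this standard.
SLA_DAYS = {"critical": 30, "high": 60}

def patch_deadline(severity, vendor_release):
    """Date by which a finding of this severity must be patched, or None if no SLA applies."""
    days = SLA_DAYS.get(severity.lower())
    if days is None:
        return None
    return vendor_release + timedelta(days=days)

def audit_patch_compliance(findings, today):
    """Return (host, vuln_id, status) for every finding that has an SLA.

    status is one of: compliant, patched-late, pending, pending-restart, overdue.
    A patch that requires a restart counts as applied only once the restart happened,
    which is why the standard also requires a defined maintenance window."""
    results = []
    for f in findings:
        deadline = patch_deadline(f["severity"], f["released"])
        if deadline is None:
            continue  # no SLA defined for this severity
        effective = f["patched"] is not None and (
            not f.get("restart_required") or f.get("restarted"))
        if effective:
            status = "compliant" if f["patched"] <= deadline else "patched-late"
        elif today > deadline:
            status = "overdue"
        else:
            status = "pending-restart" if f["patched"] is not None else "pending"
        results.append((f["host"], f["vuln_id"], status))
    return results

# Constructed sample inventory (hypothetical hosts and vulnerability labels).
SAMPLE_FINDINGS = [
    {"host": "lab-pc-01", "vuln_id": "VULN-A", "severity": "critical", "released": date(2025, 1, 1),
     "patched": date(2025, 1, 20), "restart_required": True, "restarted": True},
    {"host": "lab-pc-01", "vuln_id": "VULN-B", "severity": "high", "released": date(2025, 1, 1),
     "patched": None},
    {"host": "lab-pc-02", "vuln_id": "VULN-C", "severity": "critical", "released": date(2025, 3, 1),
     "patched": None},
    {"host": "lab-pc-02", "vuln_id": "VULN-D", "severity": "critical", "released": date(2025, 2, 1),
     "patched": date(2025, 2, 20), "restart_required": True, "restarted": False},
    {"host": "lab-pc-03", "vuln_id": "VULN-E", "severity": "medium", "released": date(2025, 1, 1),
     "patched": None},
]

def run_sample_audit(today=date(2025, 3, 15)):
    """Audit the constructed inventory as of a fixed date; returns {vuln_id: status}."""
    return {vuln_id: status for _, vuln_id, status in audit_patch_compliance(SAMPLE_FINDINGS, today)}

if __name__ == "__main__":
    for host, vuln_id, status in audit_patch_compliance(SAMPLE_FINDINGS, date(2025, 3, 15)):
        print(f"{host:10} {vuln_id:8} {status}")
```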
Encryption: Local storage shall be encrypted using the default operating system application (e.g. BitLocker, FileVault). The entire disk, including unused or free space, shall be encrypted. Removable storage should also be encrypted. The recovery keys should be archived to a central store (e.g. Active Directory) and/or maintained in a secure alternate location. Additional guidance about encryption can be found on the Information Security website.
Firewall: The firewall shall be configured to deny all inbound traffic by default. Only those applications that require access inbound should specifically be allowed. Firewall logging should also be enabled.
Backup: Critical business files should not be stored locally. Those files should be stored on a university enterprise storage system. If critical business files cannot be stored locally, then computers should have an associated backup and recovery plan.
Endpoint Protection: University computers must have a current version of anti-virus or anti-malware software installed. The configuration should allow the following functions:
- Daily definition updates;
- Real-time system protection;
- Periodic full file system scans;
- On-demand scans;
- Alert on anti-virus deactivation and activation;
- Audit logging.
Data Loss Prevention: University computers have the potential to store, process, and transmit sensitive information. To protect the information appropriately, it must be classified according to its level of sensitivity. Therefore, university computers that store, process, and transmit sensitive information should utilize data loss prevention software to scan the local system to determine if and where the sensitive information exists.
Physical Security and Device Inventory: University resources must be protected from theft or damage. Appropriate physical controls should be used in order to maintain regulatory or compliance needs. Business units should maintain a physical inventory of all university computing resources assigned to individuals within their respective units. The inventory should be periodically reviewed for accuracy. The inventory should include:
- Device manufacturer and model
- Unique serial number or identifier
- Network MAC address (if applicable)
Incident Reporting: All suspected or confirmed security incidents must be immediately reported to Information Security via email security@ohio.edu or via telephone at 740-566-SAFE.
Regulatory and Compliance Data Security Controls: Specific data at the university have additional controls and audit requirements based on their respective regulatory or compliance authorities (e.g. FERPA, GLBA, PCI-DSS, HIPAA). Such data must be properly classified as described above and protected according to the data type. For additional information relating to these additional security controls consult the Information Security Office.
References
- NIST Special Publication 800-123, Guide to General Server Security
- NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices
- NIST Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations
- Center for Internet Security, 20 CIS Critical Security Controls
- Policy 93.001: Data Classification
- Policy 91.005: Information Security
- Information Security Standard: Patch Management
Exceptions
All exceptions to this standard must be formally documented with the ISO prior to approval by the Information Security Governance Committee (ISGC). Standard exceptions will be reviewed and renewed on a periodic basis by the ISO.
Request an exception:
Complete the Exception Request Form.
Governance
This standard will be reviewed and approved by the university Information Security Governance Committee as deemed appropriate based on changes in the technology landscape and/or changes to established regulatory requirements.
Reviewers
The reviewers of this standard are the members of the Information Security Governance Committee representing the following University stakeholder groups:
- Audit, Risk, & Compliance: Josh Gonzalez, Chief Privacy Officer
- Audit, Risk, & Compliance: Larry Wines, Director of Enterprise Risk Management & Insurance
- Faculty: Hans Kruse, Instructor; Emeritus (Scripps College)
- Faculty: Brian McCarthy, Professor; Senior Associate Dean (College of Arts & Sciences)
- Faculty: Shawn Ostermann, Associate Professor (College of Engineering)
- Faculty: Bruce Tong, Assistant Professor of Instruction (Scripps College)
- Finance: Julie Allison, Associate Vice President, Finance
- Human Resources: Michael Courtney, Senior Associate General Counsel/Director of Employee & Labor Relations
- Information Technology: Ed Carter (Chair), Chief Information Security Officer and Senior Director, Information Security & Digital Accessibility
- Regional Higher Education: Larry Tumblin, Director of Information Technology for Regional Higher Education
- Research: Kimberly Littlefield, Associate Vice President for Research Administration
History
Draft versions of this policy were circulated for review and approved November 20, 2020.
Draft versions of this policy were circulated for review and approved August 7, 2025.