Reference University Policy 311 Information Security. Standards and guidelines support Policy 311.
The purpose of this guideline is to establish baseline security controls for University endpoints that access the University network.
The scope of this guideline includes all University owned desktops and laptops that require access to University network resources. Each department and college is expected to implement the security controls listed in this document.
Direct any general questions about this guideline to your unit’s Information Security Liaison. If you have specific questions, please contact OneIT Information Security Compliance at ISCompliancefirstname.lastname@example.org.
For this guideline, an endpoint is defined as a desktop or laptop running a Windows or Mac operating system. Endpoints should follow the University's standard naming convention. See this FAQ for detailed information. The following security controls should be implemented for University-owned endpoint devices.
Ensure all technology on the endpoint device is up to date and meets current security standards. Based on the National Vulnerability Database (NVD) ratings, apply critical severity security patches within 30 days of publishing and all other security patches within 90 days. Ensure use of a University-supported operating system version. See this FAQ for detailed Information.
B. Whole Disk Encryption
Enable University-supported whole disk encryption for endpoint devices. Labs and shared use devices should be encrypted if feasible. See this FAQ for detailed information regarding encryption options.
C. Vulnerability Management
Utilize University-supported tools for authenticated vulnerability scans or agents to identify and remediate vulnerabilities. See this FAQ for detailed information regarding the University’s vulnerability management tools.
D. Malware Protection
Install University-supported advanced malware protection with antivirus software. See this FAQ for more details.
E. Configuration Management
Utilize Active Directory and the University-supported configuration management framework. All endpoints should comply with CIS level 1 system hardening benchmarks. See this FAQ for detailed information regarding the University’s configuration management tools.
F. Secure DNS
Utilize University secure DNS.
G. Centralized Authentication
Ensure the endpoint uses Active Directory for authentication.
H. Emergency Notification System
Utilize the University-supported emergency notification alert software.
I. Regulated Data Security Controls
Implement applicable regulatory controls (e.g., HIPAA, PCI-DSS, FERPA). Consult with OneIT prior to deployment.
ISO/IEC 27002 was adopted by The University of North Carolina at Charlotte in 2012. All standards and guidelines are based on this code of practice for Information Security Management.
This guideline was approved in June 2019. Individuals are expected to be in compliance with this guideline within one year from the approval date.
Initial Draft 6/06/19
Information Assurance Committee Approval 6/06/19