Guideline for Security of Endpoints

Reference University Policy 311 Information Security. Standards and guidelines support Policy 311.

I. PURPOSE

The purpose of this guideline is to establish baseline security controls for University endpoints that access the University network.

II. SCOPE

The scope of this guideline includes all University owned desktops and laptops that require access to University network resources. Each department and college is expected to implement the security controls listed in this document.

III. CONTACTS

Direct any general questions about this guideline to your unit’s Information Security Liaison. If you have specific questions, please contact OneIT Information Security Compliance at ISCompliance-group@uncc.edu.

IV. GUIDELINES

For this guideline, an endpoint is defined as a desktop or laptop running a Windows or Mac operating system. Endpoints should follow the University's standard naming convention. See this FAQ for detailed information. The following security controls should be implemented for University-owned endpoint devices. 

A. Patching

Ensure all technology on the endpoint device is up to date and meets current security standards. Based on the National Vulnerability Database (NVD) ratings, apply critical severity security patches within 30 days of publishing and all other security patches within 90 days. Ensure use of a University-supported operating system version. See this FAQ for detailed Information.

B. Whole Disk Encryption

Enable University-supported whole disk encryption for endpoint devices. Labs and shared use devices should be encrypted if feasible. See this FAQ for detailed information regarding encryption options.

C. Vulnerability Management

Utilize University-supported tools for authenticated vulnerability scans or agents to identify and remediate vulnerabilities. See this FAQ for detailed information regarding the University’s vulnerability management tools.

D. Malware Protection

Install University-supported advanced malware protection with antivirus software. See this FAQ for more details.

E. Configuration Management

Utilize Active Directory and the University-supported configuration management framework.  All endpoints should comply with CIS level 1 system hardening benchmarks. See this FAQ for detailed information regarding the University’s configuration management tools.

F. Secure DNS

Utilize University secure DNS.

G. Centralized Authentication

Ensure the endpoint uses Active Directory for authentication.

H. Emergency Notification System

Utilize the University-supported emergency notification alert software.

I. Regulated Data Security Controls

Implement applicable regulatory controls (e.g., HIPAA, PCI-DSS, FERPA).  Consult with OneIT prior to deployment.

V. EXCEPTIONS

Requests for exceptions may be submitted using the UNC Charlotte Security Exception Request form. See this FAQ for more information regarding the exception process.

RELATED RESOURCES

ISO/IEC 27002 was adopted by The University of North Carolina at Charlotte in 2012. All standards and guidelines are based on this code of practice for Information Security Management.

This guideline was approved in June 2019. Individuals are expected to be in compliance with this guideline within one year from the approval date.

Revision History

Initial Draft   6/06/19
Information Assurance Committee Approval   6/06/19