Category: Information Technology
Responsible Office: Information Security Office
Responsible Executive: Vice President and Chief Information Officer (VPCIO)
Date Established: July 1, 2017
Date Last Updated: July 27, 2023
University at Buffalo (UB, university) maintains data assets in the form of confidential data and critical systems. All data assets require a minimum level of protection and controls. Information Technology has established the following minimum-security standards for desktops, laptops, mobile, and other endpoint devices. These standards are necessary to ensure the availability, confidentiality, and integrity of critical data assets maintained by the university. This document is intended to provide a minimum-security standard and guidelines for the deployment and support of desktops, laptops, mobile, and other endpoint devices that are assets of the university or are used to access university data assets.
1.0 Device Procurement and Setup
All university-owned devices, regardless of funding source (ex: State, UBF, RF, grants, etc.), must be procured and set up by departmental/node IT staff.
2.0 Minimum Desktop and Laptop Security Standards
This applies to State and University-owned desktop, laptop, and notebook computers, including all endpoints and storage devices (ex. NAS, Raspberry Pi, routers, etc.), regardless of the funding source. All devices purchased with university funds must go through the local node admin for purchase and setup.
2.1 Device Management
Devices must be managed by IT staff. This includes device enrollment to the university endpoint detection and response (EDR) system.
2.2 Security Patching
Automatic Updates must be enabled. Ensure third-party software is maintained and patched. Third-party applications, like Java and Adobe Acrobat, often have critical vulnerabilities. It is recommended that third-party applications be updated and patched as soon as patches become available.
2.3 Password Authentication
All systems must require password authentication. All systems must be restricted to authorized users of the device.
2.4 Malware Protection
Install university approved antivirus/anti-malware tools and enable automatic updates (daily) and scanning (weekly). Defender for Endpoint is recommended.
2.5 Supported Operating Systems
Use operating systems for which updates are available when security vulnerabilities are discovered.
2.6 Supported Software
Use software for which updates are available when security vulnerabilities are discovered.
2.7 Host-Based Firewall
Enable the host-based firewall in default-deny mode and permit only the minimum necessary services.
2.8 Limit Administrative Account Privileges
Restrict administrative privileges to device administrators only.
2.8.1 Administrative Account Privileges for End Users
End users with a legitimate university purpose may be granted customized administrative privileges on their device. Each request for administrative access must follow the UBIT Guidance: Requesting Administrative Access and will be provisioned based on individual needs and use cases to align with the principle of least privilege.
2.9 Whole Disk Encryption
Encryption of local hard drives, storage devices, external hard drives, and portable devices that store or process data is recommended.
Note: Applies to devices whose primary user has access to data that falls within the Category 2 Data Standards. Incorporates all above standards, plus the following.
3.1 Scan for Personally Identifiable Information (PII)
Scan for and remove or relocate PII stored on device at least monthly for Moderate Risk Data and weekly for High-Risk Data.
3.2 Device Inventory
Maintain and review an inventory of desktops, laptops, mobile devices, and other endpoint devices.
3.3 Inactivity Timeout
Enable inactivity timeout of no more than fifteen (15) minutes to prevent unauthorized access to an unattended device. A password, passcode, biometric, etc. must be required to unlock the device.
3.4 Hard Drive and Printer Sharing
Disable local hard drive and printer sharing. This prevents another user from accessing your files or printer from their machine, and reduces the exposure of a user's files and account information.
3.5 Login Banner
Login banners must be implemented on all university owned systems where that feature exists. The login banner must inform users that the system is for university business, or other approved use consistent with university policy, that user activities may be monitored, and the user should have no expectation of privacy. The recommended banner text is:
This workstation is the property of the [insert department, unit, school], University at Buffalo, The State University of New York. Use of this equipment constitutes consent to the University and [insert department, unit, school]’s computer use, and security policies. Unauthorized use of this workstation may result in disciplinary or legal action.
3.6 Disposal and Re-use
Prior to disposal, device hard drives and storage must be removed by IT staff and certified destroyed. Schools and units are permitted to handle the disposal of hard drives and storage.
Prior to re-use, device hard drives and storage must be securely erased by IT staff using a NIST-certified method and reimaged (see the Related Information section).
3.7 Remote Desktop Access
Remote Desktop Access is disabled by default and only enabled if there is a business requirement. RDP access must be restricted by firewall to the VPN address space; a VPN connection is required in order to use RDP.
Note: Applies to devices whose primary user has access to data that falls within the Category 1 Data Standards. Incorporates all above standards, plus the following.
4.1 Application Allow Listing
Application allow listing is a tool that allows only approved software applications to run on the device.
4.2 Account Lockout
After thirty (30) failed login attempts within two minutes, accounts will be locked on the local system where the failed login attempts were detected, for a period of one (1) minute. This will help to deter password grinding attacks.
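As an added example, not UB's own tooling, the following Python check compares a `secedit /export`-style local security policy file against the section 4.2 lockout values. The `[System Access]` key names (LockoutBadCount, ResetLockoutCount, LockoutDuration) are assumed from that export format, the sample exports are constructed, and treating "at least as strict as the standard" as compliant is this example's interpretation.

```python
"""Check a secedit-style policy export against the 4.2 account lockout
standard: 30 failed attempts within 2 minutes locks the account for 1 minute.
Added example; key names assumed from the `secedit /export` INI format."""
import configparser

# Values stated in section 4.2 (threshold, window in minutes, duration in minutes).
STANDARD = {"LockoutBadCount": 30, "ResetLockoutCount": 2, "LockoutDuration": 1}

# Constructed sample exports (not taken from real machines).
COMPLIANT_EXPORT = """
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 12
LockoutBadCount = 10
ResetLockoutCount = 5
LockoutDuration = 15
"""
NONCOMPLIANT_EXPORT = """
[System Access]
LockoutBadCount = 0
ResetLockoutCount = 30
LockoutDuration = 30
"""

def parse_system_access(export_text):
    """Return the lockout-related [System Access] keys as {key: int}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as exported
    cp.read_string(export_text)
    if not cp.has_section("System Access"):
        return {}
    return {k: cp.getint("System Access", k)
            for k in STANDARD if cp.has_option("System Access", k)}

def lockout_findings(export_text):
    """Return a list of findings; an empty list means the export is compliant.
    Interpretation (assumed): threshold must be set (>0) and no higher than 30,
    the window no shorter than 2 minutes, the duration no shorter than 1 minute."""
    s = parse_system_access(export_text)
    findings = []
    bad = s.get("LockoutBadCount", 0)
    if bad <= 0 or bad > STANDARD["LockoutBadCount"]:
        findings.append(f"LockoutBadCount={bad}: must be 1..30 (0 disables lockout)")
    if s.get("ResetLockoutCount", 0) < STANDARD["ResetLockoutCount"]:
        findings.append(f"ResetLockoutCount={s.get('ResetLockoutCount')}: window must be >= 2 min")
    if s.get("LockoutDuration", 0) < STANDARD["LockoutDuration"]:
        findings.append(f"LockoutDuration={s.get('LockoutDuration')}: duration must be >= 1 min")
    return findings

if __name__ == "__main__":
    for name, text in [("compliant", COMPLIANT_EXPORT), ("noncompliant", NONCOMPLIANT_EXPORT)]:
        print(name, lockout_findings(text) or "OK")
```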
4.3 Vulnerability Scanning
Computers will be scanned monthly using UB’s Vulnerability Scanning System (Nexpose) to identify any exposed security risk.
4.4 Physical Security
Attention must be given to the physical security of devices, especially computer systems used to access Category 1 - Restricted Data. Portable devices such as laptops and mobile devices are particularly vulnerable to theft and loss and must be kept in a locked, secure location when not in use.
4.5 Security Benchmarking
Verify the security configuration using a security benchmarking tool, such as CIS-CAT.
4.6 Appropriate Network Placement
When bringing up a new server or service, the network placement of the endpoint must be considered. It is crucial to choose a network that offers a higher degree of security to ensure the safety of sensitive information.
This standard applies to university-owned mobile computing devices such as smart phones, tablets, and other devices that have access to, store, and/or process university data.
5.1 PIN or Passcode
Cellular devices must be secured with, at minimum, a four-digit PIN to prevent unauthorized access when the device is left unattended.
5.2 Inactivity Timeout
Cellular devices must be configured to lock after a period of not more than fifteen (15) minutes of inactivity.
5.3 Encryption
Cellular devices must be configured to encrypt local data to protect data stored on the device if it is lost or stolen.
5.4 Remote Location and Erase
Cellular devices must be configured with a remote location/erase application such as Find my iPhone so the device can be located and recovered if lost. Configure cellular devices to be remotely erasable if it is not recoverable or if it is stolen.
5.5 Disposal and Re-use
IT staff must erase/wipe local storage on mobile devices prior to disposal or re-use, including any information device (desktops, laptops, phones, tablets, printers, etc.).
This standard applies to:
Any device that does not meet the minimum-security requirements outlined in this standard may be removed from the University at Buffalo’s network or disabled as appropriate until the device can comply with this standard.
An employee or student who has breached the confidentiality of restricted data will be subject to disciplinary action and/or sanctions, up to and including, discharge and dismissal in accordance with university policy and procedures.
Under appropriate circumstances, a user may be granted an exception to adherence to the “Minimum Desktop and Laptop Security Standards” and the “Mobile Device Standards” defined in this document.
Academic and clinical units are responsible for identifying and implementing their exceptions process and for documenting their exceptions.
The exception form is available as a PDF: UB Minimum Security Standards for Desktops, Laptops, Mobile, and Other Endpoint Devices Exception Form.
Device Standards Committee/Device Security Standards Subcommittee
Information Security Officer
Vice President and Chief Information Officer
Endpoint device: Desktop computer, laptop computer, or other mobile device used to access University at Buffalo data or information.
Restricted data: UB defines restricted data as (1) Social Security Number, (2) state-issued driver's license number or non-driver identification number, (3) credit or debit card number or other financial account number, (4) computer access protection data such as passwords, and (5) protected health information.
Whole disk encryption: Whole disk encryption, or full disk encryption, automatically converts information stored or processed on a local hard drive, external hard drive, or other storage device into an unreadable format by anyone who does not have a key to undo the conversion. Encryption protects the stored information against malicious and/or unauthorized attempts to access it. Encryption functions automatically once installed.