Category: Information Technology
Responsible Office: Information Security Office
Responsible Executive: Vice President and Chief Information Officer (VPCIO)
Date Established: July 1, 2017
Date Last Updated: April 6, 2021
University at Buffalo (UB, university) maintains data assets in the form of confidential data and critical systems. All data assets require a minimum level of protection and controls. Information Technology has established the following minimum security standards for desktops, laptops, mobile, and other endpoint devices. These standards are necessary to ensure the availability, confidentiality, and integrity of critical data assets maintained by the university. This document is intended to provide a minimum security standard and guidelines for the deployment and support of desktops, laptops, mobile, and other endpoint devices that are assets of the university, or, are used to access university data assets.
This section applies to university-owned desktop, laptop, and notebook computers that have access to, store, and/or process university data. Refer to Section 5 for minimum security standard expectations for personally owned devices.
2.1 Security Patching
Automatic Updates should be enabled. Ensure third-party software is maintained and patched. Third-party applications, like Java and Adobe Acrobat, often have critical vulnerabilities. It is recommended that third-party applications are updated and patched when patches become available.
2.2 Password Authentication
All systems must require password authentication. All systems must be restricted to authorized users of the device.
2.3 Malware Protection
Install university approved antivirus/anti-malware tools and enable automatic updates (daily) and scanning (weekly). Defender for Endpoint is recommended.
2.4 Supported Operating Systems
Use operating systems for which updates are available when security vulnerabilities are discovered.
2.5 Supported Software
Use software for which updates are available when security vulnerabilities are discovered.
Enable host-based firewall in default deny mode and permit the minimum necessary services.
2.7 Limit Administrative Account Privileges
Restrict administrative privileges to device administrators only.
2.7.1 Administrative Account Privileges for End Users
End users with a legitimate university purpose may be granted device administrative privileges on a local machine. The privileged administrative account should be separate and unique from the end user’s UBIT account. This privileged administrative account does not have access to any network shares or servers. Refer to the Exceptions section for more information.
2.8 Whole Disk Encryption
Recommended encryption of local hard drives, storage devices, external hard drives, and portable devices storing or processing data. BitLocker (Windows) and FileVault (MacOS) are recommended.
Note: Incorporates all standards listed for Low Risk Data
2.9 Scan for Personally Identifiable Information (PII)
Scan for and remove or relocate PII stored on device at least monthly for Moderate Risk Data and weekly for High Risk Data. Identity Finder or Spirion is recommended.
Maintain and review inventory of desktops, laptops, mobile devices, and other endpoint devices. LANSweeper is recommended.
2.11 Inactivity Timeout
Enable inactivity timeout of no more than fifteen (15) minutes to prevent unauthorized access to an unattended device. A password, passcode, biometric, etc. must be required to unlock the device.
2.12 Hard Drive and Printer Sharing
Disable local hard drive and printer sharing. This prevents another user from accessing your files or printer from their machine. Disabling hard drive and printer sharing decreases the vulnerability risk to a user’s account information.
2.13 Login Banner
Login banners must be implemented on all university owned systems where that feature exists. The login banner must inform users that the system is for university business, or other approved use consistent with university policy, that user activities may be monitored, and the user should have no expectation of privacy. The recommended banner text is:
This workstation is the property of the [insert department, unit, school], University at Buffalo, The State University of New York. Use of this equipment constitutes consent to the University and [insert department, unit, school]’s computer use and security policies. Unauthorized use of this workstation may result in disciplinary or legal action.
Prior to disposal, device hard drives and storage must be removed and be certified destroyed. Schools and units are permitted to handle the disposal of hard drives and storage.
Prior to re-use, device hard drives and storage must be securely erased using NIST-certified method and reimaged (See Related Information section).
2.15 Remote Desktop Access
Remote Desktop Access should be disabled by default and only enabled if there is a business requirement. RDP Access should be restricted by firewall to VPN address space. VPN is required in order to RDP.
Note: Incorporates all standards listed for Low Risk Data and Moderate Risk Data
2.16 Application Allow Listing
Application allow listing is a tool that allows only approved software applications to run on the device. This is a very effective tool that protects against malware and phishing attacks. AppLocker is recommended.
2.17 Account Lockout
After thirty (30) failed login attempts within two minutes, accounts will be locked, on the local system where the failed login attempts were detected, for a period of one (1) minute. This will help to deter password grinding attacks.
2.18 Vulnerability Scanning
Computers should be scanned at least monthly using UB’s Vulnerability Scanning System (Nexpose) to identify any exposed security risk.
2.19 Physical Security
Attention should be given to the physical security of devices, especially computer systems used to access Category 1- Restricted Data. Portable devices such as laptops and mobile devices are particularly vulnerable to theft and loss and should be in a locked secure location when not in use.
2.20 Security Benchmarking
Verify security configuration using security benchmarking tool, such as CIS-CAT.
2.21 Appropriate Network Placement
Considerations should be made as to what network an endpoint is placed on. A network with a higher degree of security should be leveraged.
This standard applies to university-owned mobile computing devices such as smart phones, tablets, and other mobile devices that have access to, store, and/or process university data.
3.1 PIN or Passcode
Mobile device should be secured with, at minimum, a four digit PIN to prevent unauthorized access when the device is left unattended.
3.2 Inactivity Timeout
Mobile device should be configured to lock after a period of not more than fifteen (15) minutes of inactivity.
Mobile device should be configured to encrypt local data in order to protect data stored on the device if lost or stolen.
3.4 Remote Location and Erase
Mobile device should be configured with a remote location/erase application like Find my iPhone so that the device can be located and recovered if lost. Configure mobile device so that it can be erased if it is not recoverable or if it is stolen.
Erase/wipe local storage on mobile device prior to disposal or re-use.
3.6 DO NOT Store Category 1-Restricted Data
Category 1- Restricted Data must not be stored or accessed from mobile devices.
This standard applies to:
5.1 Standards for Low Risk Data
The minimum standards for desktop, laptop, mobile devices, and other endpoint devices identified in this document apply to personally owned devices, commonly referred to as Bring Your Own Device (BYOD), that (1) can access university data, (2) contain locally stored university data, (3) process university data, and/or (4) access the university network.
5.2 Standards for Moderate Risk Data and High Risk Data
In order to access moderate risk data and/or high risk data (including Category 1- Restricted Data) on a personally owned desktop, laptop, or other mobile device, additional standards apply. Users are required to contact a system administrator for details.
Endpoint device: Desktop computer, laptop computer, or other mobile device used to access University at Buffalo data or information.
Restricted data: UB defines restricted data as (1) Social Security Number, (2) state-issued driver's license number or non-driver identification number, (3) credit or debit card number or other financial account number (4) computer access protection data such as passwords, and (5) protected health information.
Whole disk encryption: Whole disk encryption, or full disk encryption, automatically converts information stored or processed on a local hard drive, external hard drive, or other storage device into an unreadable format by anyone who does not have a key to undo the conversion. Encryption protects the stored information against malicious and/or unauthorized attempts to access it. Encryption functions automatically once installed.
Any device that does not meet the minimum security requirements outlined in this standard may be removed from the University at Buffalo’s network or disabled as appropriate until the device can comply with this standard.
An employee or student who has substantially breached the confidentiality of restricted data will be subject to disciplinary action and/or sanctions, up to and including, discharge and dismissal in accordance with university policy and procedures.
Under appropriate circumstances, a user may be granted an exception to adherence to the “Minimum Desktop and Laptop Security Standards” and the “Mobile Device Standards” defined in this document.
Academic and clinical units are responsible for identifying and implementing their exceptions process and for documenting their exceptions.
The exception form is available here: UB Minimum Security Standards for Desktops, Laptops, Mobile, and Other Endpoint Devices Exception Form
Device Standards Committee/Device Security Standards Subcommittee