UB Minimum Security Standards for Desktops, Laptops, Mobile, and Other Endpoint Devices

Category: Information Technology

Responsible Office: Information Security Office

Responsible Executive: Vice President and Chief Information Officer (VPCIO)

Date Established: July 1, 2017

Date Last Updated: July 27, 2023

1. Summary

University at Buffalo (UB, university) maintains data assets in the form of confidential data and critical systems. All data assets require a minimum level of protection and controls. Information Technology has established the following minimum security standards for desktops, laptops, mobile, and other endpoint devices. These standards are necessary to ensure the availability, confidentiality, and integrity of critical data assets maintained by the university. This document provides a minimum security standard and guidelines for the deployment and support of desktops, laptops, mobile, and other endpoint devices that are assets of the university or are used to access university data assets.

2. Standards

Standards for Low Risk Data

1.0 Device Procurement and Setup
All university owned devices, regardless of funding source (e.g., State, UBF, RF, grants, etc.), must be procured and set up by departmental/node IT staff.

2.0 Minimum Desktop and Laptop Security Standards
This applies to State and University-owned desktop, laptop, and notebook computers, including all endpoints and storage devices (e.g., NAS, Raspberry Pi, routers, etc.), regardless of the funding source. All devices purchased with university funds must go through the local node admin for purchase and setup.

2.1 Device Management
Devices must be managed by IT staff. This includes device enrollment to the university endpoint detection and response (EDR) system.

2.2 Security Patching
Automatic updates must be enabled. Third-party software must also be maintained and patched; applications such as Java and Adobe Acrobat often have critical vulnerabilities, and the operating system's automatic updates do not cover them. Third-party applications should be updated as soon as patches become available.

2.3 Password Authentication
All systems must require password authentication. All systems must be restricted to authorized users of the device.

2.4 Malware Protection
Install university approved antivirus/anti-malware tools and enable automatic updates (daily) and scanning (weekly). Defender for Endpoint is recommended.

2.5 Supported Operating Systems
Use operating systems for which updates are available when security vulnerabilities are discovered.

2.6 Supported Software
Use software for which updates are available when security vulnerabilities are discovered.

2.7 Firewall
Enable host-based firewall in default deny mode and permit the minimum necessary services.  

2.8 Limit Administrative Account Privileges
Restrict administrative privileges to device administrators only.

2.8.1 Administrative Account Privileges for End Users
End users with a legitimate university purpose may be granted customized administrative privileges on their device. Each request for administrative access must follow the UBIT Guidance: Requesting Administrative Access and will be provisioned based on individual needs and use cases, in line with the principle of least privilege.

2.9 Whole Disk Encryption
Whole disk encryption is recommended for local hard drives, storage devices, external hard drives, and portable devices storing or processing data.

3.0 Standards for Moderate Risk Data

Note: Applies to devices whose primary user has access to data that falls within the Category 2 Data Standards. Incorporates all above standards, plus the following.

3.1 Scan for Personally Identifiable Information (PII)
Scan for and remove or relocate PII stored on device at least monthly for Moderate Risk Data and weekly for High-Risk Data.

3.2 Inventory
Maintain and review inventory of desktops, laptops, mobile devices, and other endpoint devices.

3.3 Inactivity Timeout
Enable inactivity timeout of no more than fifteen (15) minutes to prevent unauthorized access to an unattended device. A password, passcode, biometric, etc. must be required to unlock the device.

3.4 Hard Drive and Printer Sharing
Disable local hard drive and printer sharing. This prevents another user from accessing your files or printer from their machine, and it reduces the exposure of the user's files and account information to other hosts on the network.

3.5 Login Banner
Login banners must be implemented on all university owned systems where that feature exists. The login banner must inform users that the system is for university business, or other approved use consistent with university policy, that user activities may be monitored, and the user should have no expectation of privacy. The recommended banner text is:

This workstation is the property of the [insert department, unit, school], University at Buffalo, The State University of New York. Use of this equipment constitutes consent to the University and [insert department, unit, school]'s computer use and security policies. Unauthorized use of this workstation may result in disciplinary or legal action.

3.6 Dispose/Re-use

3.6.1 Disposal
Prior to disposal, device hard drives and storage must be removed by IT staff and be certified destroyed. Schools and units are permitted to handle the disposal of hard drives and storage.

3.6.2 Re-use
Prior to re-use, device hard drives and storage must be securely erased by IT staff using a NIST-compliant media sanitization method (NIST SP 800-88) and then reimaged (see Related Information section).

3.7 Remote Desktop Access
Remote Desktop Access is disabled by default and is only enabled if there is a documented business requirement. Where enabled, RDP access must be restricted by the host firewall to the VPN address space, so that a VPN connection is required in order to use RDP.

4.0 Standards for High Risk Data

Note: Applies to devices whose primary user has access to data that falls within the Category 1 Data Standards. Incorporates all above standards, plus the following.

4.1 Application Allow Listing
Implement application allow listing, which permits only approved software applications to run on the device.

4.2 Account Lockout
After thirty (30) failed login attempts within two (2) minutes, the account will be locked on the local system where the failed login attempts were detected for a period of one (1) minute. This helps to deter password guessing (brute-force) attacks.

4.3 Vulnerability Scanning
Computers will be scanned monthly using UB's Vulnerability Scanning System (Nexpose) to identify exposed vulnerabilities.

4.4 Physical Security
Attention must be given to the physical security of devices, especially computer systems used to access Category 1 (Restricted) Data. Portable devices such as laptops and mobile devices are particularly vulnerable to theft and loss and must be kept in a locked, secure location when not in use.

4.5 Security Benchmarking
Verify security configuration using security benchmarking tool, such as CIS-CAT.
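As an added example (not part of the UB standard or of any UB tool), the following PowerShell script audits a Windows endpoint against the settings this standard states numerically or as on/off: host firewall default deny (2.7), malware protection (2.4), whole disk encryption (2.9), inactivity timeout (3.3), Remote Desktop disabled (3.7), and account lockout (4.2). It is a lightweight check in the spirit of 4.5, not a replacement for a benchmarking tool. It assumes Windows 10/11, an elevated PowerShell 5.1 or later session, and the built-in NetSecurity, Defender, and BitLocker cmdlets; the thresholds are taken from the text of this standard.

```powershell
# Added example: audit a Windows endpoint against selected UB minimum standards.
# Assumptions (not from the standard): Windows 10/11, elevated PowerShell 5.1+,
# built-in NetSecurity, Defender and BitLocker modules present.
# Thresholds are the ones stated in the standard; adjust if the standard changes.

$results = New-Object System.Collections.Generic.List[object]

function Add-Result {
    param([string]$Section, [string]$Check, [bool]$Pass, [string]$Detail)
    $results.Add([pscustomobject]@{ Section = $Section; Check = $Check; Pass = $Pass; Detail = $Detail })
}

# 2.7 Host-based firewall: every profile enabled with inbound default action Block
foreach ($p in Get-NetFirewallProfile) {
    $ok = ($p.Enabled -eq 'True') -and ($p.DefaultInboundAction -eq 'Block')
    Add-Result '2.7' "Firewall profile $($p.Name)" $ok "Enabled=$($p.Enabled) DefaultInbound=$($p.DefaultInboundAction)"
}

# 2.4 Malware protection: Defender AV and real-time protection on, signatures no older than 1 day
try {
    $mp = Get-MpComputerStatus
    $ok = $mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled -and ($mp.AntivirusSignatureAge -le 1)
    Add-Result '2.4' 'Defender antivirus' $ok "AV=$($mp.AntivirusEnabled) RTP=$($mp.RealTimeProtectionEnabled) SigAgeDays=$($mp.AntivirusSignatureAge)"
} catch {
    Add-Result '2.4' 'Defender antivirus' $false "Get-MpComputerStatus failed: $_"
}

# 2.9 Whole disk encryption: OS volume fully encrypted and protection turned on
try {
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $ok = ($bl.ProtectionStatus -eq 'On') -and ($bl.VolumeStatus -eq 'FullyEncrypted')
    Add-Result '2.9' "BitLocker $($env:SystemDrive)" $ok "Protection=$($bl.ProtectionStatus) Status=$($bl.VolumeStatus)"
} catch {
    Add-Result '2.9' "BitLocker $($env:SystemDrive)" $false "Get-BitLockerVolume failed: $_"
}

# 3.3 Inactivity timeout: machine inactivity limit configured and no more than 15 minutes (900 s)
$pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
$timeout = $pol.InactivityTimeoutSecs
$ok = ($null -ne $timeout) -and ($timeout -gt 0) -and ($timeout -le 900)
Add-Result '3.3' 'Inactivity timeout' $ok "InactivityTimeoutSecs=$timeout"

# 3.7 Remote Desktop: disabled by default (fDenyTSConnections = 1) unless a business need is documented
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -ErrorAction SilentlyContinue
$rdpDisabled = ($null -ne $ts) -and ($ts.fDenyTSConnections -eq 1)
Add-Result '3.7' 'Remote Desktop disabled' $rdpDisabled "fDenyTSConnections=$($ts.fDenyTSConnections)"

# 4.2 Account lockout: threshold <= 30 attempts, observation window <= 2 min, duration >= 1 min
$na = (net accounts) -join "`n"
function Get-NetAccountsValue([string]$Label) {
    # $Label is a regex fragment; parentheses in the label must be escaped by the caller
    if ($na -match "$Label\s*:\s*(\S+)") { return $Matches[1] } else { return $null }
}
$threshold = Get-NetAccountsValue 'Lockout threshold'
$window    = Get-NetAccountsValue 'Lockout observation window \(minutes\)'
$duration  = Get-NetAccountsValue 'Lockout duration \(minutes\)'
$ok = ($threshold -ne 'Never') -and
      (($threshold -as [int]) -le 30) -and
      (($window -as [int]) -le 2) -and
      (($duration -as [int]) -ge 1)
Add-Result '4.2' 'Account lockout policy' $ok "Threshold=$threshold WindowMin=$window DurationMin=$duration"

# Report and return a non-zero exit code when any check failed
$results | Format-Table Section, Check, Pass, Detail -AutoSize
$failed = @($results | Where-Object { -not $_.Pass }).Count
Write-Host "$failed check(s) failed."
if ($failed -gt 0) { exit 1 }
```

Run the script from an elevated prompt on the device being reviewed; a non-zero exit code makes it usable from an endpoint management job. A "Never" lockout threshold means account lockout is not configured at all, which the script reports as a failure of 4.2 rather than treating the missing value as compliant.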

4.6 Appropriate Network Placement
When bringing up a new server or service, the network placement of the endpoint must be considered. Place the endpoint on a network segment whose protections match the sensitivity of the data it handles, rather than on a general-purpose or open network.

5.0 Other End-User Device Standards

This standard applies to university-owned mobile computing devices such as smart phones, tablets, and other devices that have access to, store, and/or process university data.

5.1 PIN or Passcode
Cellular devices must be secured with, at minimum, a four-digit PIN to prevent unauthorized access when the device is left unattended.

5.2 Inactivity Timeout
Cellular devices must be configured to lock after a period of not more than fifteen (15) minutes of inactivity.

5.3 Encryption
Cellular devices must be configured to encrypt local data to protect data stored on the device if lost or stolen.

5.4 Remote Location and Erase
Cellular devices must be configured with a remote location/erase application such as Find My iPhone so the device can be located and recovered if lost. Configure cellular devices to be remotely erasable in case the device is not recoverable or is stolen.

5.5 Disposal/Re-use
IT staff must erase or wipe local storage on a mobile device prior to its disposal or re-use. The same applies to any other information device (desktops, laptops, phones, tablets, printers, etc.).

3. Applicability

This standard applies to:

  • University at Buffalo computer users: All employees, faculty, staff and third parties including vendors, contractors, visitors, and all others who utilize the electronic information resources of the University at Buffalo.
  • University at Buffalo computing resources: All desktops, laptops, notebooks, mobile devices, and software that are owned by University at Buffalo.

4. Compliance

Any device that does not meet the minimum-security requirements outlined in this standard may be removed from the University at Buffalo’s network or disabled as appropriate until the device can comply with this standard.

An employee or student who has breached the confidentiality of restricted data will be subject to disciplinary action and/or sanctions, up to and including, discharge and dismissal in accordance with university policy and procedures.

5. Exceptions

Under appropriate circumstances, a user may be granted an exception to adherence to the “Minimum Desktop and Laptop Security Standards” and the “Mobile Device Standards” defined in this document.

Academic and clinical units are responsible for identifying and implementing their exceptions process and for documenting their exceptions.

The exception form is available here: UB Minimum Security Standards for Desktops, Laptops, Mobile, and Other Endpoint Devices Exception Form (PDF, 186 KB)

6. Responsibility

Data Trustee

  • Responsible for ensuring that data stewards, data managers, and data users in their respective area(s) are compliant with data governance principles.
  • Classify university data in accordance with the Data Risk Classification Policy.
  • Control university data by granting access, renewing access, and revoking access to Data Stewards, Data Managers, and/or Data Users. Data Trustees may delegate this responsibility to Data Stewards or Data Managers.
  • Adhere to the principles of least privilege and minimum-necessary.
  • Report concerns and possible incidents to management for proper institutional evaluation and response.

Data Steward

  • Responsible for planning and policy-level responsibilities for data in their functional areas.
  • Have supervisory responsibilities for defined elements of institutional data.
  • May grant, renew, and revoke access to Data Managers and/or Data Users (as delegated by Data Trustees).
  • Develop and maintain clear and consistent procedures for data access and use in keeping with university policies.
  • Adhere to the principles of least privilege and minimum-necessary.
  • Report concerns and possible incidents to management for proper institutional evaluation and response.

Data User

  • Follow appropriate safeguards to protect data based on its classification.
  • Adhere to the principles of least privilege and minimum-necessary.
  • Report concerns and possible incidents to management for proper institutional evaluation and response.

Device Standards Committee/Device Security Standards Subcommittee

  • Responsible for identifying and proposing device security standards.
  • Responsible for performing annual review of defined standards.
  • Meet annually or more frequently as needed.

Information Security Officer

  • Review and approve departmental collection, storage, and transmission of data when necessary, according to its classification.
  • Serve on the Cloud Services Review Committee.
  • Conduct periodic security reviews of systems approved for storing and handling protected data.

Vice President and Chief Information Officer

  • The VPCIO provides leadership for development and delivery of information technology (IT) services to the university.  The VPCIO oversees an enterprise IT services organization, Computing and Information Technology (CIT), and works in partnership with UB’s schools, colleges, and administrative IT units to enable a unified and productive IT experience for students, faculty, and staff.

7. Definitions

Endpoint device: Desktop computer, laptop computer, or other mobile device used to access University at Buffalo data or information.

Restricted data: UB defines restricted data as (1) Social Security Number, (2) state-issued driver's license number or non-driver identification number, (3) credit or debit card number or other financial account number, (4) computer access protection data such as passwords, and (5) protected health information.

Whole disk encryption: Whole disk encryption, or full disk encryption, automatically converts information stored or processed on a local hard drive, external hard drive, or other storage device into an unreadable format by anyone who does not have a key to undo the conversion. Encryption protects the stored information against malicious and/or unauthorized attempts to access it. Encryption functions automatically once installed.

8. Contact Information

Information Security Officer
201 Computing Center
Buffalo, NY 14260
Phone: 716-645-6997
Email: sec-office@buffalo.edu        
Website: http://security.buffalo.edu

Vice President and Chief Information Officer
517 Capen Hall          
Buffalo, NY 14260
Phone: 716-645-7979
Email: vpcio@buffalo.edu
Website: http://www.buffalo.edu/ubit.html

9. Related Information
