Guideline for Security of Endpoints
I. PURPOSE
The purpose of this guideline is to establish baseline security controls for University endpoints that access the University network.
II. SCOPE
The scope of this guideline includes all University-owned desktops and laptops that require access to University network resources. Each department and college is expected to implement the security controls listed in this document.
III. CONTACTS
Direct any general questions about this guideline to your unit’s Information Security Liaison. If you have specific questions, please contact OneIT Information Security Compliance at ISCompliance-group@charlotte.edu.
IV. GUIDELINES
For this guideline, an endpoint is defined as a desktop or laptop running a Windows or Mac operating system. Endpoints should follow the University’s standard naming convention. See this FAQ for detailed information. The following security controls should be implemented for University-owned endpoint devices.
A. Configuration Management
Enroll endpoints in the University’s Active Directory (Windows) or JAMF (Macs). All endpoints should comply with CIS level 1 system hardening benchmarks. See this FAQ for detailed information regarding the University’s configuration management tools.
B. Patching
Ensure all technology on the endpoint device is up to date and meets current security standards. Based on the National Vulnerability Database (NVD) ratings, apply critical severity security patches within 30 days of publishing and all other security patches within 90 days. Ensure use of a University-supported operating system version. See this FAQ for detailed information.
C. Whole Disk Encryption
Enable University-supported whole disk encryption for endpoint devices. Labs and shared-use devices should be encrypted if feasible.
D. Vulnerability Management
Utilize University-supported tools for authenticated vulnerability scans or agents to identify and remediate vulnerabilities. See this FAQ for detailed information regarding the University’s vulnerability management tools.
E. Malware Protection
Install University-supported advanced malware protection with antivirus software. See this FAQ for more details.
F. Secure DNS
Utilize University secure DNS.
G. Centralized Authentication
Ensure the endpoint uses Active Directory for authentication.
H. Emergency Notification System
Utilize the University-supported emergency notification alert software.
I. Regulated Data Security Controls
Implement applicable regulatory controls (e.g., HIPAA, PCI-DSS, FERPA). Consult with OneIT prior to deployment.
V. EXCEPTIONS
Requests for exceptions to this guideline may be submitted to the Office of OneIT. See this FAQ for more information regarding the exception process.
RELATED RESOURCES
- University Policy 311 Information Security
- Standard for Operations Security
- ISO/IEC 27002
ISO/IEC 27002 was adopted by The University of North Carolina at Charlotte in 2012. All standards and guidelines are based on this code of practice for Information Security Management.
Revision History
Initially approved by the Information Assurance Committee 6/06/19
Updated 3/03/22