Guideline for Security of Endpoints

I. PURPOSE

The purpose of this guideline is to establish baseline security controls for University endpoints that access the University network.

II. SCOPE

The scope of this guideline includes all University owned desktops and laptops that require access to University network resources. Each department and college is expected to implement the security controls listed in this document.

III. CONTACTS

Direct any general questions about this guideline to your unit’s Information Security Liaison. If you have specific questions, please contact OneIT Information Security Compliance at ISCompliance-group@uncc.edu.

IV. GUIDELINES

For this guideline, an endpoint is defined as a desktop or laptop running a Windows or Mac operating system. Endpoints should follow the University’s standard naming convention. See this FAQ for detailed information. The following security controls should be implemented for University-owned endpoint devices.

A. Configuration Management

Enroll endpoints in the University’s Active Directory (Windows) or JAMF (Macs). All endpoints should comply with CIS level 1 system hardening benchmarks. See this FAQ for detailed information regarding the University’s configuration management tools.

B. Patching

Ensure all technology on the endpoint device is up to date and meets current security standards. Based on the National Vulnerability Database (NVD) ratings, apply critical severity security patches within 30 days of publishing and all other security patches within 90 days. Ensure use of a University-supported operating system version. See this FAQ for detailed Information.

C. Whole Disk Encryption

Enable University-supported whole disk encryption for endpoint devices. Labs and shared use devices should be encrypted if feasible.

D. Vulnerability Management

Utilize University-supported tools for authenticated vulnerability scans or agents to identify and remediate vulnerabilities. See this FAQ for detailed information regarding the University’s vulnerability management tools.

E. Malware Protection

Install University-supported advanced malware protection with antivirus software. See this FAQ for more details.

F. Secure DNS

Utilize University secure DNS.

G. Centralized Authentication

Ensure the endpoint uses Active Directory for authentication.

H. Emergency Notification System

Utilize the University-supported emergency notification alert software.

I. Regulated Data Security Controls

Implement applicable regulatory controls (e.g., HIPAA, PCI-DSS, FERPA). Consult with OneIT prior to deployment.

V. EXCEPTIONS

Requests for exceptions to this guideline may be submitted to the Office of OneIT. See this FAQ for more information regarding the exception process.

RELATED RESOURCES

ISO/IEC 27002 was adopted by The University of North Carolina at Charlotte in 2012. All standards and guidelines are based on this code of practice for Information Security Management.

Revision History

Initially approved by the Information Assurance Committee 6/06/19
Updated 3/03/22