Applicable to: Duke University
Previously: Minimum Security Standards: Endpoints
Legend: ✓ = yes; – = no
| Standard | What to do | Public Data | Restricted Data | Sensitive Data |
|---|---|---|---|---|
| Patching and Vulnerability Management | Mitigate operating system and application vulnerabilities within the timelines established in the Vulnerability Management Procedure. Use automated patching tools to apply operating system patches and, where possible, application patches. | ✓ | ✓ | ✓ |
| Whole Disk Encryption | Enable whole-disk encryption (FileVault 2 for Mac, BitLocker for Windows) on laptops and desktops. Require escrow of the recovery key. | ✓ | ✓ | ✓ |
| Malware Protection | Install CrowdStrike Falcon for malware and threat protection and ensure the Falcon sensor maintains communication with the management console. | ✓ | ✓ | ✓ |
| Secure Storage | Select an appropriate Duke service for storing Duke data according to its data classification; see Duke Services and Data Classification. | – | ✓ | ✓ |
| Endpoint Management | Enroll devices in one of Duke's endpoint management services (https://sites.duke.edu/endpoints/). | ✓ | ✓ | ✓ |
| Inventory | Designate in Planisphere a support group responsible for the machine's security configuration, and complete and maintain the asset inventory information. | ✓ | ✓ | ✓ |
| Software Security | Install and use only operating systems, applications, browsers, and email clients that are still supported by the vendor (i.e., security updates and patches are still available). Uninstall or disable unnecessary operating systems, applications, browsers, email clients, and extensions. | ✓ | ✓ | ✓ |
| Regulated Data Security Controls | | – | – | ✓ |
| Physical Security | Locate desktops in an access-controlled environment. Keep laptops with you at all times or store them in a secured location. | ✓ | ✓ | ✓ |
| Equipment Disposal | Overwrite the data on hard drives before disposing of old equipment. See the Media Control and Disposal Policy. | ✓ | ✓ | ✓ |
| Administrative Account Access | Follow the principle of least privilege when assigning and using privileges. | ✓ | ✓ | ✓ |
| Multi-Factor Authentication | Use multi-factor authentication for administrator logons and for access to Sensitive systems. Multi-factor authentication is recommended for Public and Restricted systems and wherever practical. | ✓ | ✓ | ✓ |
| Credentials and Access Control | Configure laptops and desktops to prohibit anonymous access. Set an account lockout policy (recommended: lock the account after five unsuccessful attempts for five minutes). Require password-protected screen savers, with a recommended 15-minute inactivity timer. | ✓ | ✓ | ✓ |
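The rows that describe concrete settings (BitLocker with a recovery-key protector, the Falcon sensor service, the account lockout thresholds, the password-protected screen saver, the prohibition on anonymous access, and patch currency) can be audited on a Windows endpoint with the PowerShell script below. This is an added example, not a Duke tool, and it does not cover macOS. It assumes a standard Windows 10/11 build, that the CrowdStrike sensor runs as the service named `CSFalconService`, and a 30-day patch-age limit that stands in for whatever timeline the Vulnerability Management Procedure actually specifies; adjust those assumptions for your environment.

```powershell
#Requires -RunAsAdministrator
# Added example (not Duke's tooling): audit a Windows endpoint against the
# checkable rows of the minimum security standards table.
# Assumptions: CrowdStrike service name 'CSFalconService', standard registry
# paths for a Windows 10/11 build, and a 30-day patch-age limit.

$PatchAgeLimitDays = 30   # assumed; substitute the Vulnerability Management Procedure timeline

$checks = [System.Collections.Generic.List[object]]::new()
function Add-Check {
    param([string]$Standard, [string]$Check, [bool]$Pass, [string]$Detail)
    $script:checks.Add([pscustomobject]@{ Standard = $Standard; Check = $Check; Pass = $Pass; Detail = $Detail })
}

function Get-RegistryValue {
    # Returns $null when the key or value does not exist instead of throwing.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    $item.$Name
}

function Get-NetAccountsValue {
    # Pulls one field out of `net accounts` output, e.g. "Lockout threshold:   5" -> "5".
    param([string[]]$Output, [string]$Label)
    $pattern = '^' + [regex]::Escape($Label) + ':\s+(\S+)'
    $line = $Output | Where-Object { $_ -match $pattern } | Select-Object -First 1
    if (-not $line) { return $null }
    ([regex]::Match($line, $pattern)).Groups[1].Value
}

# Whole Disk Encryption: BitLocker must be on for the OS volume and a recovery
# password protector must exist. Escrow of that password to AD/MDM is done by
# the management system; this only confirms there is something to escrow.
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
Add-Check 'Whole Disk Encryption' 'BitLocker protection on' ($vol.ProtectionStatus -eq 'On') "Status=$($vol.ProtectionStatus)"
$hasRecovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').Count -gt 0
Add-Check 'Whole Disk Encryption' 'Recovery password protector present' $hasRecovery "Protectors=$($vol.KeyProtector.KeyProtectorType -join ',')"

# Malware Protection: Falcon sensor service installed and running (service name assumed).
$falcon = Get-Service -Name 'CSFalconService' -ErrorAction SilentlyContinue
$falconState = if ($falcon) { $falcon.Status } else { 'not installed' }
Add-Check 'Malware Protection' 'CrowdStrike Falcon service running' ($null -ne $falcon -and $falcon.Status -eq 'Running') "Status=$falconState"

# Credentials and Access Control: lockout policy. `net accounts` prints "Never"
# when lockout is disabled, which the numeric match rejects.
$net = net accounts
$threshold = Get-NetAccountsValue $net 'Lockout threshold'
$duration  = Get-NetAccountsValue $net 'Lockout duration (minutes)'
$thresholdOk = ($threshold -match '^\d+$') -and ([int]$threshold -ge 1) -and ([int]$threshold -le 5)
$durationOk  = ($duration -match '^\d+$') -and ([int]$duration -ge 5)
Add-Check 'Credentials and Access Control' 'Lockout after <= 5 failed attempts' $thresholdOk "threshold=$threshold"
Add-Check 'Credentials and Access Control' 'Lockout duration >= 5 minutes' $durationOk "duration=$duration"

# Password-protected screen saver within 15 minutes (900 s). Values set by
# Group Policy live under the Policies hive and override the per-user values,
# so the policy path is consulted first.
$ssPaths = @('HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop', 'HKCU:\Control Panel\Desktop')
$ssActive = $ssTimeout = $ssSecure = $null
foreach ($p in $ssPaths) {
    if ($null -eq $ssActive)  { $ssActive  = Get-RegistryValue $p 'ScreenSaveActive' }
    if ($null -eq $ssTimeout) { $ssTimeout = Get-RegistryValue $p 'ScreenSaveTimeOut' }
    if ($null -eq $ssSecure)  { $ssSecure  = Get-RegistryValue $p 'ScreenSaverIsSecure' }
}
$ssOk = ($ssActive -eq '1') -and ($ssSecure -eq '1') -and ($ssTimeout -match '^\d+$') -and ([int]$ssTimeout -le 900)
Add-Check 'Credentials and Access Control' 'Password-protected screen saver <= 15 min' $ssOk "active=$ssActive secure=$ssSecure timeout=${ssTimeout}s"

# Prohibit anonymous access: LSA settings that block anonymous SAM and share enumeration.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$anonOk = ((Get-RegistryValue $lsa 'RestrictAnonymous') -ge 1) -and
          ((Get-RegistryValue $lsa 'RestrictAnonymousSAM') -eq 1) -and
          ((Get-RegistryValue $lsa 'EveryoneIncludesAnonymous') -ne 1)
Add-Check 'Credentials and Access Control' 'Anonymous access restricted (LSA)' $anonOk "RestrictAnonymous=$(Get-RegistryValue $lsa 'RestrictAnonymous') RestrictAnonymousSAM=$(Get-RegistryValue $lsa 'RestrictAnonymousSAM')"

# Patching: age of the newest installed update against the assumed limit.
$latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
$age = if ($latest) { (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days } else { $null }
Add-Check 'Patching and Vulnerability Management' "Update installed within $PatchAgeLimitDays days" (($null -ne $age) -and ($age -le $PatchAgeLimitDays)) "newest=$($latest.HotFixID) age=${age}d"

$checks | Format-Table -AutoSize
$failed = @($checks | Where-Object { -not $_.Pass })
if ($failed.Count -gt 0) { Write-Warning "$($failed.Count) check(s) failed"; exit 1 }
```

Run it from an elevated PowerShell session (reading BitLocker state requires administrator rights). A passing result is evidence of the local configuration only: it does not confirm that the recovery key was actually escrowed, that the Falcon sensor is reporting to the console, or that the device is enrolled in endpoint management, all of which must be verified from the management side.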