Applicable to: Duke University

Previously: Minimum Security Standards: Endpoints

Legend: ✓ = yes; – = no


What to do

Public Data

Restricted Data

Sensitive Data

Patching and Vulnerability Management

Mitigate operating system and application vulnerabilities following the timelines established in Vulnerability Management Procedure. Use automated patching tools to apply operating system patches and, when possible, application patches.

Whole Disk Encryption

Enable whole-disk encryption (FileVault2 for Mac, BitLocker for Windows) for laptops and desktops. Require key escrow.

Malware Protection

Install CrowdStrike Falcon for malware and threat protection and ensure the CrowdStrike Falcon software maintains communication with the management console.

Secure Storage

Select an appropriate Duke service for storing Duke-data depending on the data classification; see Duke Services and Data Classification.

Endpoint ManagementEnroll devices in one of Duke's endpoint management services (


Designate in Planisphere a support group that is responsible for the machine's security configuration and complete and maintain the asset inventory information.

Software Security

Install and use only operating systems, applications, browsers, and email clients supported by the vendor (i.e. where security updates and patches are still available). Uninstall or disable unnecessary operating systems, applications, browsers, email clients, and extensions.

Regulated Data Security Controls

Implement PCI DSSHIPAA, or export controls as applicable.

Physical Security

Locate desktops in an access-controlled environment. Keep laptops with you at all times or stored in a secured location.

Equipment Disposal

Overwrite data from hard drives before disposal of old equipment. See the Media Control and Disposal Policy.

Administrative Account Access

Follow the principle of least privilege for use and assignment of privileges.

Multi-Factor AuthenticationUse multi-factor authentication for administrator logons and access to Sensitive systems. Multi-factor authentication is recommended for Public and Restricted systems and wherever practical. 

Credentials and Access Control

Configure laptops and desktops to prohibit anonymous access. Set an account lockout policy (recommended: after five unsuccessful attempts followed by a five-minute lockout). Require password-protected screen savers, with a recommended 15-minute timer for inactivity.