End user devices that are used to access, store, or transmit Internal, Confidential or Restricted data must meet the following minimum security standards:
- Software patches. The device must be current on operating system and application software patches, with no applicable patch more than 30 days old. Critical patches released within that 30-day window must be applied whenever they are available.
- Anti-malware and anti-virus software. Must be installed and running with up-to-date definitions. Real-time scanning should be enabled; if it is not, scheduled scans must run regularly (no less than weekly).
- Firewall software. A host-based firewall must be enabled where available and configured to block all inbound traffic that is not explicitly required.
- Authentication. Accounts must require a sufficiently complex password: at least 8 characters, with a mix of upper- and lower-case letters and/or numbers or other characters.
- Encryption. Authentication credentials and file transfers must be protected by encryption in transit (for example, SSH, SFTP or HTTPS rather than cleartext protocols such as Telnet, FTP or HTTP).
- Account type. Privileged (administrator/root/superuser) accounts shall not be used for general use. Do all work possible as a non-privileged (standard) user.
- Minimal services. Don’t run unnecessary services on the device while connected to the CCS network or when processing College data.
- Email relays and proxies. Devices shall not operate as an email relay or as a proxy.
- Handling of College data:
  - Confidential and Restricted data shall not be transmitted via unencrypted email. Provide a link to approved shared storage instead.
  - College data shall not be stored on unapproved external (cloud) services, particularly personal accounts on such services.