End User Device Minimum Security Standards

End user devices that are used to access, store, or transmit Internal, Confidential or Restricted data must meet the following minimum security standards:

  • Software patches. The device must be current within 30 days on operating system and application software patches. Critical patches within 30 days must be applied if available.
  • Anti-malware and anti-virus software. Must be running with up-to-date definitions. Preferably, real-time scanning should be enabled; if not, regular (no less than weekly) scheduled scans must be run.
  • Firewall software. Host-based firewalls must be utilized if available and configured to block non-required inbound traffic.
  • Authentication. Accounts must require a sufficiently complex password – 8+ characters, mix of upper and lower case and/or numbers or other characters.
  • Encryption. Must use encryption for authentication and file transfers.
  • Account type. Privileged (administrator/root/superuser) accounts shall not be used for general use. Do all work possible as a non-privileged (standard) user.
  • Minimal services. Don’t run unnecessary services on the device while connected to the CCS network or when processing College data.
  • Email relays and proxies. Devices shall not operate as either a relay or a proxy.
  • Handling of College data:
    • Confidential and Restricted data shall not be transmitted via unencrypted email. Provide a link or shared storage instead.
    • College data shall not be stored on unapproved external (cloud) services, particularly personal services.

EFFECTIVE DATE
June 22, 2019

LAST UPDATED DATE
June 1, 2020

APPROVING OFFICE
Administration and Finance