Endpoint Management Standard

Purpose

This standard defines the minimum required security controls for endpoint devices (e.g., desktop computers, laptops, tablets, or similar) owned by the University for access to University of Oregon ("University") computing and information resources, as required by the Information Asset Classification and Management Policy ( IV.06.02 )

Applies To

Requirements identified herein reduce risks to the confidentiality, integrity and availability of University data and systems (“information assets”).

Definitions

See ISO Standards - Glossary and Iconography for details.

Standard

University owned endpoints SHALL be inventoried and managed by the IT unit or individual providing support, using processes and systems approved by the Information Security Office.
University owned endpoints SHALL apply controls associated with the appropriate risk level for the data the endpoints will process, store or access, as specified on Table 1: Endpoint Standard - Classification Designation.

Associated Controls

Table 1: Endpoint Standard - Classification Designations
	Information System Classification M - Mandatory; R - Recommended; NR - Not Required;
UO Controls	High Risk (Red)	Moderate Risk (Amber)	Low Risk (Green)
UO.1 CMS: Registration	M	M	M
UO.2 CMS: Management (OS)	M	M	M
UO.3 CMS: Management (Apps)	M	M	R
UO.4 Vulnerability Scanning	M	M	M
UO.8 Resources are Prioritized Based on their Classification	M	M	M
UO.15 Physical Security	M	M	M
UO.1 CMS: Registration	M	M	R
UO.17 System Hardening	M	M	R
UO.19 Security Updates	M	M	M
UO.20 Application Block Listing	M	M	R
UO.21 Anti-Malware	M	M	M
UO.22 Auto-Lock Screen or Consoles	M	M	M
UO.23 Firewall: Hosting	R	R	R
UO.25 Encryption: Data-at-Rest	M	R	NR
UO.26 Encryption: Data-in-Transit	M	R	NR
UO.27 Encryption: Full Disk	M	M	R
UO.29 User Access Control: Least Privilege Access	M	M	M
UO.32 User Access Control: Limit Failed Login Attempts	M	M	R
UO.33 User Access Control: Inactive Session Time	M	M	R
UO.34 User Access Control: Two-Factor Authentication	M	M	R
UO.41 Data is Destroyed According to Policy	M	M	M
UO.45 Logging and Retention	M	M	M
UO.46 Log Monitoring	M	M	M
UO.48 Incident Recovery: Backup & Recovery	M	R	R
UO.49 Incident Recovery: Restoration Testing	M	M	R
UO.56 Separation of System and User Functionality	M	M	R

Approved Processes and Systems

Microsoft System Center Configuration Management (SCCM)
Microsoft Endpoint Configuration Management (MECM)
Microsoft Intune
Jamf Apple Device Management
Puppet Enterprise

Requesting Exceptions

In the event the standard cannot be achieved by reasonable means, you can request an exception by completing the Information Security Standard Exception Request form. Be ready to provide details as to why the standard can't be followed, the duration of the exception request and mitigating controls being put in place to meet the requirement.

Reporting Inappropriate Use of Access

Any user who suspects a violation of the policy should report the suspected violation to University Audit using the EthicsPoint System. EthicsPoint is available here.

Violations of this standard could include failing to register the system with the vulnerability scanning service, not allowing root or administrator access to system from the vulnerability scanning service, or misuse of any of the information in the vulnerability scanning service.

Implementation Guidelines

Guidelines related to the implementation of this standard can be found on the Information Security Office website .

Additional Information

If you have any questions or comments related to this Standard, please send an email to the University Information Security Office at infosec@uoregon.edu .

Additional information can also be found visiting the following resources:

University Information Security Program Policy
- https://policies.uoregon.edu/vol-4-finance-administration-infrastructure/ch-6-information-technology/information-security-program
University Acceptable Use Policy
- https://service.uoregon.edu/TDClient/KB/ArticleDet?ID=30997
- https://service.uoregon.edu/TDClient/KB/ArticleDet?ID=30999
University Information Asset Classification & Management Policy
- https://policies.uoregon.edu/vol-4-finance-administration-infrastructure/ch-6-information-technology/information-asset
Data Security Classification Table
- https://infosec.uoregon.edu/data-security-classification-table
NIST 800-53
- https://www.nist.gov/privacy-framework/nist-sp-800-53

Revision History

Revision History
Version	Published	Author	Description
1.0	08/09/2022	Information Security Office (ISO)	Original publication
1.1	09/09/2024	Information Security Office (ISO)	Added UO.29

Publication
Status:	Standard
Published:	08/09/2022
Last Reviewed:	09/09/2024
Last Updated:	09/09/2024

Approvals
	Date Discussed	Date Approved
Information Security and Privacy - Governance Sub-Committee (ISP-GC)	09/21/2022
Chief Information Security Officer

Search form

Information Security Office Menu