Desktop & Portable Computer
To protect the RIT community and the Institute network from computer-borne threats, RIT has created minimum security requirements for desktop and laptop computers.
Not Required For
The following devices should employ these controls to the extent possible commensurate with the risk of the information that is accessed or stored on them.
- Computers used only to access RIT web pages, Webmail, etc. from off campus. (RIT strongly recommends that users follow the requirements of the standard on all computers.)
- Mobile devices (tablets, cell phones), pagers, PDAs, copiers and other special purpose devices that connect to the Institute network solely through Web, portal, or application access.
Storage of Private information is prohibited on these devices.
What Do I Need To Do?
- The Desktop and Portable Computer Checklist: General User is the quickest way to check if you comply with the security requirements.
- The Desktop and Portable Computer Checklist ITS-Supported Users is designed for users whose department is supported by ITS.
- A Desktop and Portable Computer Checklist: Systems Support is available for systems support personnel to ensure supported users comply with the standard.
- Use our Securing your Computer page to find the required software and supporting documentation for the Desktop Standard.
Requirements
The following security controls are required as detailed in the table. See the notes following the table for more information about each requirement.
| Requirement | RIT-owned desktop/laptop, Grant-funded computers | Lab computers | Personally-owned computers (student, visitor, home) | Other Computing Devices |
|---|---|---|---|---|
| 1. Endpoint Protection/Anti-malware | Must be centrally managed | Must be centrally managed | Yes | Yes |
| 2. Endpoint Firewall | Yes | Yes | Yes | Required if RIT-owned device when solution available from RIT. Recommended if personally-owned device. |
| 3. Host-based Intrusion Prevention System (HIPS) | Yes | Yes | | |
| 4. Supported Software/Apps with up-to-date security patches | Yes | Yes | Yes | Yes |
| 5. Log out/lock out | Yes | Yes | Yes | Yes |
| 6. PI management software | Yes | Storage of private information is prohibited | Storage of private information is prohibited | Storage of private information is prohibited |
| 7. Full-disk encryption | Required, if accessing private information | | | |
| 8. Centralized Desktop/Device Management | Yes | Yes | | Required if RIT-owned device when solution available from RIT. Recommended if personally-owned device. |
| 9. Administrative privileges | Administrative privileges granted only at the discretion of VP/Dean | | | Jail-broken or rooted devices are prohibited from accessing Confidential or Private Information. |
| 10. Backups (data) | Required (centrally managed preferred) | | Recommended | Recommended |
Details
All required security controls must be installed, up-to-date and enabled.
Endpoint protection should include anti-virus with malware signature, heuristic, anti-spyware, and reputation-awareness capabilities. Anti-virus software is available for most computing devices.
Not needed with Android or iOS devices unless rooted or jail-broken.
Required on Windows operating systems. There are some recommended Host Intrusion Prevention System (HIPS) solutions.
Operating system and application software must install up-to-date security patches.
- Users should either log out or lock the interactive session before leaving the session, computer, or device unattended.
- For RIT-owned computers, administrators should set a minimum automatic lockout commensurate with the use and risk of the information, e.g., a lockout after 15 minutes is recommended for typical office use.
- For personally-owned devices, we recommend an automatic lockout period of 2-15 minutes.
- The PI management software should complete scans monthly.
- Users should not be storing private information on any endpoint and should immediately remediate any identified private information.
- The software should report results to a centralized management console controlled by ITS.
- The recommended Private Information management software can be found at Securing Your Computer.
- PI software licensing may not extend to grant-funded computers.
- If computers are used to access private information, then the computer should have full disk encryption. The encryption solution should validate that the product was installed and operating correctly.
- User-configurable settings should not be capable of interfering with the encryption software.
- Encryption software and policies should be controlled by centralized security personnel.
- The minimum recommended full disk encryption levels can be found at Encryption at RIT.
RIT-owned, lab computers, and grant-funded computing devices should be auditable from centralized configuration management software. This audit capability should include an inventory of applications and current patch level.
Use of limited vs. administrative privileges is determined by the divisional VP or dean.
RIT data and research data should be backed up. Backups shall enable computers/devices to be restored to a recent point in time before the incident requiring backup. Centrally-managed backups are preferred.
- For usage where data is stored on the network, a disk image is an acceptable backup.
- For situations where data is stored locally, the backup should be able to restore that data. (We recommend that data not be stored locally.)
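As an added example (not part of the RIT standard and not an ITS-provided tool), the following PowerShell self-check reports on the requirements a Windows user can verify locally: anti-malware, endpoint firewall, patch level, automatic lockout, full-disk encryption, and administrative privileges. It assumes Windows 10/11 with the built-in Defender, Windows Firewall and BitLocker (a centrally managed product from ITS would need its own status query); the 7-day signature age and 30-day patch window are assumptions, not values from the standard.

```powershell
# Added example, not part of the RIT standard. Checks the locally verifiable
# controls from the requirements table on a Windows 10/11 machine that uses
# the built-in Defender, Windows Firewall and BitLocker (assumption).
$MaxLockoutMinutes = 15   # the 15-minute office lockout recommended above

function Test-DesktopStandard {
    $r = [ordered]@{}

    # 1. Endpoint protection: real-time anti-virus on and signatures fresh
    $mp = Get-MpComputerStatus
    $r['Anti-malware enabled']      = [bool]($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled)
    $r['Signatures <= 7 days old']  = $mp.AntivirusSignatureAge -le 7      # 7-day threshold is an assumption

    # 2. Endpoint firewall: Domain, Private and Public profiles all enabled
    $r['Firewall on all profiles']  = -not (Get-NetFirewallProfile | Where-Object { -not $_.Enabled })

    # 4. Patches: last successful Windows Update installation within 30 days (assumed window)
    $last = (New-Object -ComObject Microsoft.Update.AutoUpdate).Results.LastInstallationSuccessDate
    $r['Patched within 30 days']    = $last -gt (Get-Date).AddDays(-30)

    # 5. Lock out: "machine inactivity limit" set and no longer than 15 minutes
    $pol  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $secs = (Get-ItemProperty -Path $pol -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue).InactivityTimeoutSecs
    $r['Auto-lock <= 15 minutes']   = ($null -ne $secs) -and ($secs -gt 0) -and ($secs -le $MaxLockoutMinutes * 60)

    # 7. Full-disk encryption: BitLocker protection on for the OS volume
    #    (Get-BitLockerVolume needs an elevated session; otherwise this reports False)
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $r['OS volume encrypted']       = ($null -ne $os) -and ($os.ProtectionStatus -eq 'On')

    # 9. Administrative privileges: day-to-day work should run as a standard user
    #    (under UAC a non-elevated admin session also reports True here)
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin = ([Security.Principal.WindowsPrincipal]$id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    $r['Running as standard user']  = -not $isAdmin

    return $r
}

# Print one line per control; a False value is a gap to remediate or to request an exception for.
(Test-DesktopStandard).GetEnumerator() | Format-Table Name, Value -AutoSize
```

Controls 3, 6, 8 and 10 (HIPS, PI management, central management, backups) depend on the product ITS deploys and are not covered by this check.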
Resources/Related Information
- Standards Lexicon (definitions of terms used in standards)
- Roles and Responsibilities in relation to specific standards
- Exceptions/Non-Compliance—use of non-compliant portable media requires an exception request approved by the information trustee and the RIT Information Security Office.
- Related RIT Policies
For additional information and product recommendations, please see Securing Your Computer.