Baseline Protection of End User Devices
The University provides information technology to advance its educational, research, scholarship and health care missions. To preserve the integrity of this commons, end users are responsible for ensuring that the computers and devices they regularly use to access the University’s private network have basic security measures enabled. The following criteria pertain to end user devices that connect to the University’s private network regardless of their ownership.
The criteria below define the specific steps end users take to secure, against misuse or theft, the computers and other electronic devices they regularly use for their own access to the network, as required by the University’s Acceptable Use Policy.
These criteria do not pertain to dedicated-function devices used in research, instruction, health care, telephony, building automation systems, or other activities.
Departments, Schools, Divisions, Institutes, administrative units, or other parts of the University may have policies regarding security measures for end user devices. Those policies cannot diminish the baseline level of protection of end user devices as set forth below.
The following criteria apply to all end user devices that access the University’s private network:
- On devices where available and practicable, the device is running a supported operating system that automatically receives security updates and up-to-date security patches are installed.
- On devices where available and practicable, anti-virus software is installed and an automatic check for updates occurs at least daily.
- On devices where available and practicable, a firewall is enabled.
The following criteria provide further protection when an end user device is used in the conduct of administrative activities by an employee or contractor in an administrative unit, or when an end user device is used to handle health records of University of Chicago Medical Center patients. The head of each department or unit is responsible for identifying which end user devices are permitted to be used in this manner.
- Access to the device is protected with a password or PIN.
- Where practicable, the screen or device locks after an inactivity timeout and a password or PIN is required to unlock it.
- Full-disk encryption or device encryption is enabled.
- As may be requested by management or by IT Security in IT Services, the Information Security Office in the Biological Sciences Division, or the Information Security Office in the University of Chicago Medical Center, the device is secured as above, registered, and attestation is given that the above protections are enabled for it.
Frequently Asked Questions
What is the University’s “private network”?
The University’s private network is the network accessed by any wall jack in a University building, or by any wireless connection to the “uchicago”, “uchicago-secure”, or “eduroam” wireless networks by a member of the University of Chicago community. It excludes the University of Chicago Medical Center network and wireless access to the “eduroam” or “uchicago-guest” wireless networks by visitors to the campus.
What is an “end user device”?
Any desktop or laptop computer, any tablet, smart phone, or other mobile device that is regularly used by an end user to access data over a network is an end user device.
What is a “dedicated-function device”?
This term refers to both embedded and external devices used in the many circumstances in which a computer operates special-purpose equipment, such as in a research lab or core facility, or in clinical care devices, instructional gear, sensors, and countless other settings.
Can an alternative to password or PIN be used to protect devices?
Some devices have a biometric alternative to password or PIN that may be acceptable. Gestured patterns and other non-traditional means of authentication may or may not be acceptable. The IT Security office in IT Services, the Biological Sciences Division, or the Medical Center will advise if you have a question about acceptable alternatives to password or PIN for securing your device.
How long should an inactivity timeout period be?
The inactivity timeout limits how long someone else may have to use your device without authorization if it is left unattended and unlocked. Hence, it is best set to a value appropriate to the context in which this might happen. A desktop in a busy office that’s locked at night presents less opportunity, while a mobile device or laptop may afford more. In addition, laptops and mobile devices may lock and reduce power consumption to extend the time until the battery runs down. A guideline is 20 minutes for a desktop, 5-15 minutes for a laptop, and 3-5 minutes for a mobile device.
Which anti-virus solutions are acceptable?
The University licenses an antivirus package for all current faculty, staff, and students. Most computer vendors also provide an antivirus program that is acceptable. IT Security in IT Services, the Information Security Office in the Biological Sciences Division, or the Information Security Office in the University of Chicago Medical Center will advise if you have a question about a specific antivirus technology.
Must security patches be installed as soon as they are available?
Operating system security patches should be installed as soon as is practicable.
What full-disk encryption technologies are acceptable?
Most versions of Windows and Macintosh operating systems include built-in full-disk encryption: BitLocker for Windows and FileVault 2 for Macintoshes. These are acceptable, as are most full-disk encryption options provided by computer vendors. IT Security in IT Services, the Information Security Office in the Biological Sciences Division, or the Information Security Office in the University of Chicago Medical Center will advise if you have a question about a specific full-disk encryption technology.
What if my desktop computer, laptop, or mobile device is too old to have built-in disk encryption? Do I need a new one?
The head of your department or unit determines whether your role will bring you into contact with confidential information used in connection with administrative activities, or with patient health records. If it does, then each end user device you use in connection with those activities must have appropriate encryption enabled.
How can I register my device and attest that it meets all of these criteria?
You will be provided with this information along with the request to register and attest.
If I provide administrative support in an academic unit, do criteria 4, 5, 6, and 7 apply?
If you provide administrative support in any unit, your device is in scope for these specific criteria. If you do not routinely handle PII or PHI (personally identifiable information or protected health information), and securing your device(s) in this way will impede your work, you may work with the head of your unit or division to request an exception from this portion of the policy. Please note: only the head of a unit or division can approve an exception to this policy obligation.
Do I need to encrypt my device if I handle confidential information even though I am not in an administrative department or one whose activities entail handling of patient health records?
Although the above criteria do not apply in your context, you should do so. You may also be required to do so by the head of your department or unit, an Institutional Review Board, or other body with authority over the activity in which the confidential information is a part.
What is confidential information?
Human Resource Policy 601, Treatment of Confidential Information, identifies a variety of types of information that are deemed to be confidential at the University of Chicago.
Policy Owner: tbarton