The University provides information technology to advance its educational, research, scholarship, and health care missions. To preserve the integrity of this commons, end users are responsible for basic security measures to protect the computers and devices used to access the University’s private network . The following criteria pertain to end-user devices that connect to the University’s private network regardless of their ownership.
The criteria below define specific steps that end users should take to secure computers and other electronic devices from misuse or theft as required by the University’s Acceptable Use Policy.
These criteria do not pertain to dedicated-function devices used in research, instruction, health care, telephony, building automation systems, or other activities.
Departments, schools, divisions, institutes, administrative units, or other parts of the University may have policies regarding security measures for end-user devices. Those policies cannot diminish the baseline level of protection of end user devices as set forth below.
The following criteria apply to all end user devices that access the University’s private network:
- On devices where available and practicable, the device is running a supported operating system that automatically receives security updates and up-to-date security patches are installed.
- On devices where available and practicable, anti-virus software is installed and automatic check for updates occurs at least daily.
- On devices where available and practicable, a firewall is enabled.
The following criteria provide further protection when an end user device is used in the conduct of administrative activities by an employee or contractor in an administrative unit, or when an end user device is used to handle health records of University of Chicago Medical Center patients. The head of each department or unit is responsible for identifying which end user devices are permitted to be used in this manner.
- Access to the device is protected with a password or PIN.
- Where practicable, the screen or device locks after an inactivity timeout and a password or PIN is required to unlock it.
- Full-disk encryption or device encryption is enabled.
- As may be requested by management or by IT Security in IT Services, the Information Security Office in the Biological Sciences Division, or the Information Security Office in the University of Chicago Medical Center, the device is secured as above, registered, and attestation is given that the above protections are enabled for it.
Frequently Asked Questions
What is the University’s “private network”?
What is an “end user device”?
What is a “dedicated-function device”?
Can an alternative to password or PIN be used to protect devices?
How long should an inactivity timeout period be?
Which anti-virus solutions are acceptable?
Must security patches be installed as soon as they are available?
What full-disk encryption technologies are acceptable?
What if my desktop computer, laptop, or mobile device is too old to have a built-in disk encryption, do I need a new one?
How can I register my device and attest that it meets all of these criteria?
If I provide administrative support in an academic unit, do criteria 4, 5, 6, and 7 apply?
Do I need to encrypt my device if I handle confidential information even though I am not in an administrative department or one whose activities entail handling of patient health records?
What is confidential information?
Policy Owner: tbarton