End-User Device Policy
The University provides information technology to advance its educational, research, scholarship, and health care missions. To preserve the integrity of this shared environment, individuals are responsible for ensuring that the computers and devices they regularly use to access the University’s networks, services, and systems have basic security measures enabled.
The criteria below define specific steps individuals must take to appropriately secure from misuse or theft the computers and other electronic devices they regularly use for their own access to the network, as required by the University’s Acceptable Use Policy.
These criteria may not pertain to dedicated-function devices used in research, instruction, health care, telephony, building automation systems, or other activities.
Divisions, schools, and departments may also adopt their own more stringent policies regarding protection of end-user devices to supplement this Policy. If any such policy conflicts with this Policy, the terms of this Policy will apply.
The following criteria shall apply to all end-user devices that access the University’s networks, services, and systems or are used by any person to conduct university business regardless of their ownership.
- On devices, where available and practicable, the device is running a supported operating system that automatically receives security updates, and up-to-date security patches are installed at least monthly.
- On devices, where available and practicable, application updates are applied, including security updates, at least monthly.
- On devices, where available and practicable, anti-virus software is installed and an automatic check for updates occurs at least daily.
- On devices, where available and practicable, a firewall is enabled.
- Access to the device is protected with a password, PIN, or suitable biometric alternative.
- Where practicable, the screen or device locks after an inactivity timeout, and a password, PIN, or suitable biometric alternative is required to unlock it.
- As may be requested by management or by IT Security in IT Services, the Information Security Office in the Biological Sciences Division, or the Information Security Office in the University of Chicago Medical Center, the device is secured as above, registered, and attestation is given that the above protections are enabled for it.
Full disk encryption or device encryption must be enabled for all end-user devices used in, or for the purposes of, conducting University business or work. If enabling full disk encryption or device encryption is impracticable for any end-user device and the end-user device is required for the performance of an individual’s University responsibilities, then the individual may request an exception to the encryption requirement.
Exceptions to the encryption policy require the written approval of the appropriate University Dean or University Officer and the Chief Information Security Officer.
Responsible University Officer(s): Kevin Boyd, Chief Information Officer
Responsible Offices: Office of the CIO
Effective date: October 1, 2020
Last Updated: October 1, 2020
End-user device: Any desktop or laptop computer, any tablet, smart phone, or other mobile device is an end-user device. “End-user device” does not include removable storage like USB flash drives.
Dedicated-function device: This term refers to both embedded and external devices in which a computer operates special purpose equipment, such as may occur in a research lab, core facility, clinical care devices, instructional gear, sensors, and many other circumstances. If the device is networked and also used for any non-dedicated tasks such as browsing, email, etc., it is subject to this policy.
Questions regarding this Policy may be directed to:
IT Risk Program
Frequently Asked Questions
Who is covered by this policy?
Those covered by this policy include:
- All staff
- All academic appointees; this includes all members of the faculty and any person, paid or unpaid, who is hired or affiliated with the University through the Office of the Provost and is provisioned with access to the network. This includes active faculty emeriti.
- Postdoctoral researchers
- Students who have access to University data (other than their own data) or who have an instructional role
Who is excluded from this policy?
Appointees, visitors, or affiliated persons, paid or unpaid, whose relationship to the University is of a duration of one quarter or less, provided that their position is terminated and their network access ends at the conclusion of their assignment. However, University units employing individuals in this category may require them to enable protections even if this policy does not require it. For example, units may make individual decisions about contractors, search firms, volunteers, inactive faculty emeriti, and others covered in this exclusion.
What's the difference between a University-owned device and a personally-owned device?
A University device is one purchased with University funds, including grants. Anything else is a personal device.
My device is managed by my school or division. What actions do I need to take?
If an end-user device is already managed by the school or division, they will manage your device to adhere to this policy. The IT team may ask you to take extra precautions to protect the data on the device.
Does this policy apply to my personally-owned cellphone or tablet?
This policy applies to personal cellphones and tablets if the device stores University data, including data received through a mobile device email client. (Note: Most current cellphones and tablets are encrypted by default.)
I use my personal device to do university work. Does this policy apply to me?
Yes. If University data* are kept, stored, or accessed using a personal device, you have two options:
- Ensure that the device complies with the end-user device policy. If you are not sure, reach out to the unit IT staff and seek guidance.
- Find a different, appropriately-secured device with which to conduct University business.
* The definition of University data is based on the University definition of Confidential Information, per Policy 601.
I want to limit the amount of University data on my end-user device. What should I do?
- Do not download unnecessary copies of data to your device.
- Use UChicago’s GSuite or similar tools to create and share documents that stay in the cloud.
- When accessing files in UChicago Box, open the documents using online editing tools instead of using software installed on your computer.
- If you use Box Drive, adjust your settings to sync only non-sensitive data to your device. Be selective when choosing files to store offline on the device hard drive.
- When reading email on your computer, use a web browser instead of an email client installed on your computer.
- When sending files, instead of using attachments, store the files on UChicago Box and send links to those files.
- On your phone, use the Outlook app instead of your default mail client.
- If your device is lost or stolen and you suspect you may have important or confidential data on it, contact email@example.com immediately.
What is an “end-user device”?
Any desktop or laptop computer, any tablet, smart phone, or other mobile device is an end-user device. "End-user device" does not include removable storage like USB flash drives.
What is a “dedicated-function device”?
This term refers to both embedded and external devices in which a computer operates special purpose equipment, such as may occur in a research lab, core facility, clinical care devices, instructional gear, sensors, and many other circumstances. If the device is networked and also used for any non-dedicated tasks such as browsing, email, etc., it is subject to the end-user device policy.
Can an alternative to password or PIN be used to protect devices? Are biometric choices like fingerprints or facial recognition acceptable?
Some devices have a biometric alternative to password or PIN that may be acceptable such as fingerprints or facial recognition. Gestured patterns and other non-traditional means of authentication may or may not be acceptable. The IT Security office in IT Services, the Biological Sciences Division, or the Medical Center will advise if you have a question about acceptable alternatives to password or PIN for securing your device.
How long should an inactivity timeout period be?
The inactivity timeout limits how long someone else may have to use your device without authorization if it is left unattended and unlocked. Hence, it is best set to a value appropriate to the context in which this might happen. A desktop in a busy office that is locked at night presents less opportunity, while a mobile device or laptop may afford more. In addition, laptops and mobile devices may lock and reduce power consumption to extend the time until the battery runs down. A guideline is 20 minutes for a desktop, 5-15 minutes for a laptop, and 30 to 60 seconds for a mobile device.
Which anti-virus solutions are acceptable?
The University licenses an antivirus package, available from the antivirus.uchicago.edu website, for all current faculty, staff, and students. Most computer vendors also provide an antivirus program that is acceptable. IT Security in IT Services, the Information Security Office in the Biological Sciences Division, or the Information Security Office in the University of Chicago Medical Center will advise if you have a question about a specific antivirus technology.
Must security patches be installed as soon as they are available?
Operating system security patches should be installed as soon as is practicable.
What full-disk encryption technologies are acceptable?
Most versions of Windows and Mac operating systems include built-in full-disk encryption: BitLocker for Windows and FileVault for Macs. These are acceptable, as are most full-disk encryption options provided by computer vendors. If using an advanced setup or Unix-based operating system, encrypting each user partition is sufficient. IT Security in IT Services, the Information Security Office in the Biological Sciences Division, or the Information Security Office in the University of Chicago Medical Center will advise if you have a question about a specific full-disk encryption technology.
If my desktop computer, laptop, or mobile device is too old to work with disk encryption, do I need a new one?
Please discuss this with your unit IT support. Older equipment will either need to be replaced or a short-term exception will need to be requested.
I have other questions; how can I get answers?
Please contact the IT Risk team at firstname.lastname@example.org.