1610 PR.05 Device Security Standards

Revision Date: December 14, 2020

Contents

1. Overview

2. Device Configuration Standards

1.  Overview

These standards shall be used to configure computing devices, wherever required by policy.  If an exception is needed to the standards below, please contact Information Security, Policy and Compliance (it.compliance@yale.edu).

2.  Device Configuration Standards

Note: ITS services are recommended to meet the following standards: encryption, patching, anti-virus protection, and backup.  Please contact the Helpdesk (203-432-9000) for more information on these services. 

1. Encryption – Whole disk encryption utilizing either Microsoft BitLocker or Apple FileVault 2.  This includes any external storage device used to transport Yale data. 

2. Administrator Privileges – Removal of administrator privileges.

3. Registration - Register all systems (e.g. desktops, laptops, clinical devices, etc.) in the Yale IP Address Management System.

4. Network Address - Private IP addresses shall be used on all systems (e.g. desktops, laptops, clinical devices, etc.).

5. Identification – All systems employ IBM Endpoint Manager for identification purposes.

6. Operating System – Operating Systems are to be in compliance with the published “Yale Standard Supported Operating Systems.”

7. Patching - Automatic distribution of security and other patches via central computer management software (IEM Endpoint Manager is recommended). Questions or concerns regarding up-to-date device patching can be directed to scanit@yale.edu.

8. Anti-Virus Protection - Installation and update of managed anti-virus/anti-spyware software (the ITS-managed Symantec AV is recommended).

9. Enterprise Directory - Configure all systems (e.g. desktops, laptops, clinical devices, etc.) to be on the Yale domain.

10. Enterprise Authentication - All system (e.g. desktops, laptops, clinical devices, etc.) logon requests will need to utilize Yale credentials and will need to be processed through Yale’s enterprise directory.

11. Backup – Registration in the ITS CrashPlan backup service.

12. Inactivity Lock - Automatic locking and password protection of systems after 15 minutes of inactivity.

13. Application Security - Removal of applications that increase the vulnerability of computers, such as peer-to-peer (P2P) file sharing (see Procedure 1610 PR.01 for more information on programs that pose significant security risks).

14. External Messaging Applications – Yale business must be conducted only on Yale-approved instant messaging applications.

15. Procurement - Purchase all new desktop and laptop computers from Yale’s Managed Workstation portfolio (located in SciQuest).

16. Other – Additional safeguards as they become technically feasible.