IT-005 Expectations for Users of UNI Owned Devices

Participation in Device Management


Purpose

The University of Northern Iowa acknowledges its obligation to provide appropriate security and availability for data and IT resources in its domain of ownership and control. Furthermore, the University recognizes its responsibility to reduce risk to University IT devices and be good stewards of UNI property by enforcing reasonable requirements of users for the support and maintenance of IT resources.

The University of Northern Iowa develops, publishes, and enforces policies, procedures, and standards in order to achieve and maintain appropriate protection of University data. This document along with related security policies, procedures, and standards identifies key security issues for which individuals, colleges, departments, and units are responsible.

The confidentiality and integrity of government data, which encompasses all University data, is placed above the need for system availability. These requirements for government computers are not idle claims; they are laws with real consequences.

Scope

This procedure is authorized through UNI Policy 14.03 Data Security Policy which states, “The CIO or their designee shall publish security procedures and standards applicable to all UNI IT resources. The procedures and standards shall be updated regularly as advances in technology occur and will have the full force and effect of this policy.”

This procedure applies to all faculty, staff, and students as well as any other individuals or entities who use IT resources at the University of Northern Iowa. Further, this procedure applies to all IT resources owned or leased by UNI.

Procedure Statement

UNI Policy 14.03 Data Security Policy states, “Every member of the University community is responsible for protecting the security of university data and business systems….” Users are expected to participate in the proper maintenance of IT Resources provided for their use to the best of their ability. This does not require IT skills, just participation with the processes used for upkeep. Users of IT managed devices are expected to power on and/or reboot their devices at least weekly for maintenance procedures to take place, i.e., patching, updating applications, and applying configurations. IT devices in offices should be left plugged in and connected to the network for maintenance to occur.

In matters where IT needs to contact the user, IT will first attempt to contact users via existing support channels. Such communications will be repeated if there is no response. After at least two notices, their supervisor will be included on the communications. IT will attempt to call the user’s UNI phone number at this point as well if the matter is urgent. If unresponsive, additional leadership or Human Resource Services may be contacted if deemed necessary. In matters that involve large numbers of computers or users, other UNI communication methods may be used to deliver information to a larger audience of users.

Users with administrative rights on their computers are expected to participate in the same manner as any other user. However, they may be responsible for the upkeep and maintenance of the specialized software programs that necessitated the requirement for administrator rights. Such division of responsibilities will generally be made clear as part of the process of obtaining administrative rights.

IT devices that are either fully unmanaged or less than fully managed must still be kept up-to-date by the user responsible for their upkeep. Automatic updates must be enabled regardless of the entity managing the device. Disabling automatic updates may only be done on a temporary basis, no more than one week, during conferences, events, etc. The decision to delay updates may be overruled if sufficient security concerns arise. All computers must follow applicable UNI, BOR, state, and federal procedures and regulations. This includes using device encryption, endpoint-security applications including any antivirus or data protection software, and required device security settings.

Automatic vulnerability scans are conducted by IT-Information Security. IT devices that are vulnerable for an extended period will be disconnected from the network until the vulnerability is eliminated. This timeframe is determined by IT-Information Security based on the risk level of the vulnerability.

In the rare cases where software, hardware, or special use cases require changes to security or typical support procedures, these must be reported via ServiceHub. IT-Client Services, in consultation with IT-Information Security, will review the various requirements and develop a solution. They will weigh the risk of the changes, the sensitivity of the data accessible, costs, time investment, and the various possible resolutions to meet the need. The deployed solutions vary greatly, but the goal will be to keep University data secure by minimizing the potential impact of harm to University data while still allowing work to be completed in a manner that respects limited available resources. However, IT will not compromise security should the software, hardware, or use case require inappropriate access to University data or introduce unacceptable risk. Some software and hardware may be unable to be used safely. Always follow proper purchasing procedures to ensure IT and security reviews can take place before purchasing IT resources.

Process

All software vendors regularly publish updates to improve the security of their software, introduce new features, and fix other issues. Given the numerous vendors utilized by UNI, this results in a regular influx of updates. Most important are the operating system updates, which generally occur monthly, but emergency updates are not uncommon. Unfortunately, many vendors have ceased publishing stand-alone security updates and bundle feature and security updates together. In these instances, the use of the software forces our rapid acceptance of these bundled updates. Installation of all security updates in a timely manner is required by numerous state and federal laws/regulations and by multiple contractual agreements.

IT strives to make the update process as unobtrusive as possible. Generally, IT is expected to ensure security updates are deployed within seven days of their release, but occasionally updates are of a greater security concern and will be selected for accelerated deployment. If IT resources are left powered off and/or update notifications are repeatedly dismissed, the IT resource may automatically install the pending updates. Depending on the update, this may result in a mandatory reboot of the device. The system will initiate this automatic installation of the pending updates after the deadline has passed. For IT devices that have been powered off, this will likely be upon, or shortly after startup. This process may occur during working hours and will cause temporary downtime or disruption to the user’s workflow. As such, devices should be allowed to update at times that are amenable to the user’s workflow.

Consequences

If no participation in the upkeep of IT resources is provided, the IT resources may cease to function properly, rarely as a punitive consequence but as a side effect of the non-participation. After six months of non-communication, IT devices lose their trust relationship with our network and will require manual IT assistance to permit login and rejoin the network. IT leadership may recall any IT resources that are inactive for extended periods or that require extended maintenance/repair activities. Recalled devices must be delivered to IT in a timely manner. As noted in policy 14.04 Acceptable Use of Information Technology Resources, all IT resources are subject to inspection at any time.

IT recognizes there is a subset of IT devices intended for occasional use, such as “spare” or “check-out” items. These devices must be powered on monthly and allowed to update. Further, users must expect that mandatory updates will be required when such devices are left powered off for multiple days. Such devices should be powered on and updated prior to their need. Laptops cannot be left on shelves powered off and be expected to be used on short notice. The security regulations we are under do not provide for any flexibility in this regard, viewing such devices as unnecessary if they are infrequently used.

When users request support for their IT resources, the user is expected to follow basic instructions from IT. If the user does not provide access to their devices and/or schedule time to work with IT for support, their support request will be considered resolved and closed. Users who berate, humiliate, or act aggressively towards IT staff will not be provided support and will be reported to appropriate UNI offices.

IT Computers

IT devices used by staff in the various Information Technology departments are also expected to follow these procedures; in fact, many IT workstations and staff are held to higher security standards. IT staff do not run their computers with administrative rights as their primary account, and the same hardening procedures are enforced with minor adjustments to allow administration of other IT assets.

Recommendations

Keeping IT devices up-to-date is easy. When notifications for updates appear, take note. Save your work and allow the update to install during a break or at the end of the workday. Updates may be deferred for a short period of time if required. Many updates will be completely invisible to you. However, for their full deployment, a reboot is often necessary. Be sure to reboot your computers at least once per week. iPads, phones, and similar devices should be allowed to install updates as requested by the device.

If a currently assigned device is not needed for an extended period, please be sure to power it on weekly, log in, and let it run for at least an hour to ensure continued, smooth operation of the device.

Disciplinary Action

Violations of this procedure may be referred for disciplinary action as indicated in UNI Policy 14.04 Acceptable Use of Information Technology Resources.

Usage of Terms

ADMINISTRATOR – An account on a computer that has complete and unrestricted access to the computer. Sometimes known as the “root” account. Administrators can change security settings, install software and hardware, access all files on the computer, and make changes to other user accounts.

AVAILABILITY – Availability is the ability to assure that systems work promptly and service is not denied to authorized users. A loss of availability is the disruption of access to or use of information or an information system.

CONFIDENTIALITY – Confidentiality ensures that confidential information is only disclosed to authorized individuals. A loss of confidentiality, for the purposes of this policy, is the unauthorized disclosure of information.

INTEGRITY – Integrity is the appropriate maintenance of information and systems. A loss of integrity is the unauthorized modification or destruction of information.

IT/UNI MANAGED DEVICE – IT or UNI managed devices are those IT resources that participate in centralized authentication, patch/update delivery, and support. Even devices where the user has administrator privileges are still managed devices if joined to the Active Directory domain run by UNI, managed by JAMF, or utilize some future management system.

IT RESOURCE – IT resources may include computers, software, servers, network utilization, storage utilization, virtual machine capacity, tablets, phones, multimedia devices, storage devices, wireless spectrum, and any other in-demand resource managed by IT staff.

IT DEVICES – IT devices are those typical end-user devices that have upgradable software, operating systems, or firmware. This includes desktops, laptops, tablets, phones, kiosks, docking stations, printers, and other hardware devices typically used in offices.

POTENTIAL IMPACT – Potential impact is the level of adverse effect a loss of confidentiality, integrity, or availability could be expected to have on University operations, University assets, or individuals.

UNIVERSITY DATA – University data are information that supports the mission and operation of the University. It is a vital asset and is owned by the University. Some University data are shared across multiple units of the University as well as outside entities.

UNMANAGED DEVICE – Unmanaged devices are IT resources where the primary user has taken full responsibility for the upkeep and maintenance of the device. Generally speaking, IT-Client Services has no access to these devices. Having such devices requires approval from the department head and IT. These devices are few and rare.

USER – User includes any faculty, staff, student, developer, contractor, vendor, or visitor as well as any other individual or entity using information, University data, and/or IT resources of the University of Northern Iowa.