![University of Â鶹´«Ã½ at Mānoa](/its/template/system_2019/images/uh-nameplate.png")
Endpoints — Minimum Security Standards
Last Updated 2023-02-06
An endpoint is any desktop or laptop.
Please refer to the Implementation Guides for assistance with implementing the minimum security standard for your device.
Key
| Item | Description |
|---|---|
| Implementation required | |
| Implementation recommended | |
| Recurring task |
When working with Regulated Data, please refer to the applicable Standard, Act, or Policy (e.g., CMMC, PCI DSS, HIPAA, FERPA, NIST SP800-171, etc.) for specific details on any additional controls needed.
The standards listed below are adapted from a subset of the Center for Internet Security's (CIS) Controls, which are a prioritized set of actions that collectively form a defense-in-depth set of best practices that mitigate the most common attacks against systems and networks. The subset of CIS Controls were chosen based on their applicability to the University of Â鶹´«Ã½.
If a standard cannot be implemented in your environment for any reason, please contact infosec@hawaii.edu for consulting.
Quick Reference
- 1.0 - Automatic Updates
- 2.0 - Firewall Configuration
- 3.0 - Password Security
- 4.0 - Data Management
- 5.0 - Encryption
- 6.0 - Asset Management
- 7.0 - Data Inventory
- 8.0 - Removable Media
- 9.0 - Malware Protection
- 10.0 - Session Timeout
- 11.0 - Backups
| # | Standards |
Institutional Data Category |
||||
|---|---|---|---|---|---|---|
| Automatic Updates | Recurring Task | Public |
Restricted |
Sensitive |
Regulated |
|
| Enable automatic operating system and software updates. | ||||||
| Ensure all software is kept up to date. | ||||||
| Ensure operating systems and software including email clients and browsers are fully supported by their vendors. End-of-life software and operating systems do not receive security updates. | ||||||
| Firewall Configuration | Recurring Task | Public |
Restricted |
Sensitive |
Regulated |
|
| Ensure that host-based firewalls are enabled with a default deny-all policy. | ||||||
| Password Security | Recurring Task | Public |
Restricted |
Sensitive |
Regulated |
|
| Ensure all users have individually dedicated endpoint account logins with strong and unique password for each user. | ||||||
| Data Management | Recurring Task | Public |
Restricted |
Sensitive |
Regulated |
|
| Utilize the University's records management process for . | ||||||
| Securely dispose of Institutional Data following our Disposal Guidelines. | ||||||
| Utilize Spirion to scan for sensitive and regulated information on a monthly basis. | ||||||
| Encryption | Recurring Task | Public |
Restricted |
Sensitive |
Regulated |
|
| Utilize Â鶹´«Ã½Filedrop or Â鶹´«Ã½Enterprise Dropbox to transfer files securely. | ||||||
| Utilize Windows BitLocker or Apple FileVault to enable whole disk encryption on endpoints and removable devices | ||||||
| Utilize Â鶹´«Ã½Enterprise Dropbox to store Sensitive and Regulated data online. | ||||||
| Asset Management | Recurring Task | Public |
Restricted |
Sensitive |
Regulated |
|
| Complete the Annual Device Registration. | ||||||
| Data Inventory | Recurring Task | Public |
Restricted |
Sensitive |
Regulated |
|
| Complete the annual Personal Information Survey (PIS). | ||||||
| Removable Media | Recurring Task | Public |
Restricted |
Sensitive |
Regulated |
|
| Disable autorun / autoplay for removable media. | ||||||
| Malware Protection | Recurring Task | Public |
Restricted |
Sensitive |
Regulated |
|
| Ensure an anti-malware solution is enabled. | ||||||
| Ensure automatic anti-malware signature updates are enabled. | ||||||
| Enable anti-exploitation features. | ||||||
| Session Locking | Recurring Task | Public |
Restricted |
Sensitive |
Regulated |
|
| Enable automatic session locking (maximum 15-minutes) on endpoints. | ||||||
| Backups | Recurring Task | Public |
Restricted |
Sensitive |
Regulated |
|
| Maintain an offline backup instance. Update backup instances on a weekly basis. | ||||||
| Ensure backups are encrypted. | ||||||