Issued Under Authority of: UM Information Security Policy
Responsible Office: UM Information Security Office
Category: Technology and Platform Security
IN PLAIN LANGUAGE
Every device used for University work — laptops, desktops, servers, tablets, and even personal devices — needs to meet basic security requirements. This standard sets the rules for how those devices must be configured, patched, protected, and monitored. Key requirements include keeping software up to date, using approved security tools, encrypting stored data, and enabling multi-factor authentication for administrative access. Personal devices may be used for some University work but must never be used to access or store confidential or high-risk data. If a device is lost, stolen, or compromised, it must be reported immediately.
1. Purpose
The purpose of this Standard is to establish minimum requirements for the secure configuration, management, and protection of endpoint devices and servers that store, process, or access University Data. Effective endpoint management reduces the risk of data compromise, service disruption, and unauthorized access while supporting the University's academic, research, and administrative missions.
This Standard implements the endpoint and system security requirements of the University's Information Security Program and aligns with the NIST Cybersecurity Framework (CSF) 2.0.
2. Scope
This Standard applies to:
- University-owned or University-managed servers
- University-owned endpoints, including desktops, laptops, tablets, and mobile devices
- Personally owned devices that access University systems or University Data
- Devices located on University networks, affiliated campus networks, remote locations, or cloud-hosted environments
This Standard applies regardless of physical location when devices are used for University business or connect to University Information Technology Resources.
3. Device Categories
For purposes of this Standard, devices are categorized as:
Servers — Physical or virtual systems providing shared services or applications.
Endpoints — University-owned desktops, laptops, tablets, and mobile computing devices.
Personal Devices — Non-University-owned devices authorized to access University systems or data.
4. Roles and Responsibilities
4.1 Chief Information Security Officer (CISO)
The CISO is responsible for:
- Establishing and maintaining this Standard
- Approving exceptions to endpoint security requirements
- Escalating material endpoint-related risks to executive leadership
4.2 UM IT, UM System IT, and Distributed IT
UM IT, UM System IT, and Distributed IT are responsible for:
- Implementing and maintaining endpoint management and security controls
- Deploying approved management, monitoring, and protection tools
- Supporting vulnerability remediation and incident response activities
4.3 System and Endpoint Administrators
Administrators are responsible for:
- Configuring and maintaining systems in accordance with this Standard
- Ensuring systems remain supported and properly patched
- Documenting configurations and approved exceptions
4.4 Device Users
Users of University or personal devices are responsible for:
- Using devices in compliance with University policies and standards
- Protecting devices from loss, theft, or unauthorized access
- Promptly reporting lost, stolen, or compromised devices
5. Configuration and Security Requirements
5.1 General Configuration Baseline
All servers and endpoints must:
- Be configured using secure baseline configurations based on vendor guidance and CIS benchmarks where applicable
- Disable unnecessary services and default accounts
- Enforce least privilege access principles
- Use supported operating systems and software versions
5.2 Patch and Update Management
- Security patches must be applied on a regular and consistent schedule
- High and Critical vulnerabilities must be prioritized for remediation
- Patch testing should occur prior to production deployment where technically feasible
Patch timing expectations are defined in the Vulnerability Management Standard and may be adjusted through approved exception.
5.3 Malware Protection and Endpoint Detection
- University-approved Endpoint Detection and Response (EDR) or anti-malware tools must be installed on eligible servers and endpoints
- Protection mechanisms must be enabled and kept up to date
5.4 Encryption
- Data stored on servers and endpoints must be protected using full-disk encryption where technically feasible
- Data transmitted over networks must be encrypted using approved protocols
- Only secure TLS/SSL protocols and cipher suites may be used
5.5 Identity, Access, and Authentication
- Access must be provisioned based on documented business need and least privilege
- Individual user accounts must be used for access
- University-assigned devices are configured with standard, non-privileged user accounts by default
- Users must not be granted local administrative privileges on assigned devices unless a documented business or operational need exists
- Exceptions granting local administrative privileges must be approved by the CISO or designee, documented with risk justification, and reviewed periodically
- Users granted local administrative privileges remain subject to the requirements of the Account Security Standard
- Multi-factor authentication is required for administrative or privileged access
- Access must be reviewed periodically and removed when no longer required
5.6 Logging and Monitoring
- Endpoint and server logging must be enabled in accordance with University logging standards
- Security-relevant events must be protected from unauthorized modification
5.7 Backup and Recovery
- Systems storing University Data must use University-approved backup solutions
- Backups must be protected from unauthorized access and tested periodically
5.8 Remote Access
- Remote access must use secure, encrypted methods approved by UM IT
- Administrative remote access must require multi-factor authentication
5.9 Vulnerability Management Integration
- All servers and endpoints must participate in the University Vulnerability Management Program
- Vulnerabilities must be remediated or managed in accordance with the Vulnerability Management Standard
6. Personal Devices
Personally owned devices authorized to access University systems or data must:
- Meet minimum security requirements defined by this Standard
- Be protected with device locking and encryption where supported
- Be promptly reported if lost, stolen, or compromised
Personally owned devices must not be used to store, process, or access Confidential (High Risk) Data.
Access to Restricted (Moderate Risk) Data from personally owned devices may be permitted only when explicitly authorized and when required security controls are in place, as defined by applicable standards and procedures.
7. Exceptions
Exceptions to this Standard must:
- Be documented with risk justification
- Identify compensating controls where applicable
- Be approved by the CISO or designee
- Be reviewed periodically
8. Review and Maintenance
This Standard must be reviewed at least annually and updated as necessary to reflect changes in risk, technology, or regulatory requirements.
9. References
- UM Information Security Policy
- UM Data Governance Policy
- UM Data Security Standard
- UM Vulnerability Management Standard
- NIST Cybersecurity Framework (CSF) 2.0
- Center for Internet Security (CIS) Benchmarks