Secure Computing Standard for Computers

Owner

Vice Chancellor and Chief Information Officer, Office of Information Technology

Published Date

July 15, 2022

I. Background

Please refer to the University of Colorado's Administrative Policy Statement (APS) IT Security Program and which apply to all individuals who access or control CU Boulder information technology resources.

II. Purpose

This standard identifies the minimum requirements for all University-owned computers (university computers) to ensure the integrity and security of University data and the shared information technology environment, including networks, services, and systems.

All university computers used by faculty, staff, students, or other Authorized Individuals must meet this Standard, regardless of manufacturer, function of the system, or location. These actions are necessary to ensure resource availability, reinforce the University's security and compliance posture, and protect the confidentiality of data assets.

III. Standard

The following IT capabilities must be met to ensure consistent application of protections and adherence to the, provide visibility into campus threats, and support incident response. At all times university computers must:

  1. Run current, supported software. The use of out-of-date operating systems or software that is not being actively updated and is considered end of life is prohibited.
  2. Be enrolled in Microsoft Endpoint Configuration Manager (Windows computers) or Jamf (Mac computers).
  3. Be encrypted with whole disk encryption.
  4. Run Microsoft Defender for real-time scanning to prevent, detect, and remove malware or potential vulnerabilities.
  5. Gather and send hardware and software information to central inventory for vulnerability tracking, network identification, and audit preparedness.
  6. Use OIT supported and approved enterprise cloud storage solutions to back up and protect University data from loss.
  7. Have the campus public safety emergency notification client installed to ensure timely awareness of campus incidents.

More information about the OIT supported and approved applications associated with the computer requirements listed above can be found on the website.

Exceptions

University employees and authorized individuals who are unable to meet all components of the standard must apply to OIT for a. If a compelling business reason exists, exceptions to the requirements outlined in this standard may be granted by the Provost and Chief Operating Officer in consultation with the VC/CIO. Inquiries regarding exceptions should be made to the VC/CIO.

University computers subject to specific data protections (e.g., federal regulations, data use agreements) that exceed the requirements identified within this Standard must meet whichever controls are more stringent.

University computers not capable of meeting the requirements identified in this Standard must work with OIT Information Security to determine the appropriate compensating security controls for such computers. Should a computer be identified as high risk to the University network, it must be removed.

Administration and Enforcement

Computers that do not meet the campus certified computer standards may pose a risk to the CU Boulder campus and its data. Per the Acceptable Use Policy, the Chief Information Officer or Information Security Officer may suspend a computer's and/or an end-user's access to the campus network or any campus computing resources when it reasonably appears necessary to preserve the integrity, security, or functionality of campus computing resources.

Definitions

  1. Authorized Individuals: This includes those in roles such as:
    1. Person of Interest (POI): an individual affiliated with the university but not paid as an employee who is granted an IdentiKey for official university needs.
    2. Sponsored Affiliate: an individual affiliated with the university who is granted an IdentiKey for official university needs when an HR appointment, including POI, is not a possibility.
  2. End of life: A designation by the vendor when a product is unable to be supported and should be replaced. This generally occurs when the operating system is no longer supported, and the hardware cannot support a new operating system.
  3. University data: Official information of the institution, including but not limited to university work products, results, materials, records, or other information developed or produced with university goods, funds or services. University information encompasses all information created by the university, including information classified as private or restricted. Examples include university web site content, schedules of courses, requests for proposals, policies and guidelines, personnel records, electronic communications, student data, and patient data.
  4. University-owned computer: Any computer that was purchased with University funds used by faculty, staff, students, Persons of Interest (POIs) and sponsored affiliates to access information technology resources, including laptops, desktops, tablets or mobile phones. This does not include printers, removable storage, or Internet of Things (IoT) devices and sensors.

Related Policies

  1. /policies/acceptable-use-cu-boulders-it-resources