RUL 08.00.18 – Endpoint Protection Standard

Audience
Purpose
Scope
EPS Security Controls
University-owned Endpoints
Endpoints not Owned by the University
Implementation Priorities
Exceptions
Non-compliance and Violations
Glossary
10.1 Security Controls
10.2 Acronyms
10.3 Terms

1. Audience

1.1 NC State Data Users: Complying with this standard is the responsibility of every user of NC State data, regardless of who owns the endpoint.

1.1.1 Endpoint Definition: A computer or other device, whether or not owned by the university, used to access university data. The term can refer to desktop computers, servers, laptops, smartphones, tablets, thin clients, printers or other specialized hardware such as Point of Sale terminals and smart meters. This list is non-exhaustive.

1.2 Data Trustees, Stewards, and Custodians: Specifically, with regard to managing university data using NC State IT resources, this standard applies to Data Trustees, Data Stewards, and/or Data Custodians and their delegates (including information systems development and support personnel, LAN admins/LANTechs, system administrators, database administrators, and so forth, who are typically responsible for the implementation of such standards).

1.2.1 Resource Definition: See Section 1 of REG 08.00.02 – Computer Use Regulation for the full definition of university IT resources.

1.3 Endpoint Owners: Regarding endpoints not owned by the university, all endpoint owners are responsible for complying with all security controls specified herein.

2. Purpose

2.1 This standard explains the minimum security precautions for protecting university data as required by the NC State University REG 08.00.02 – Computer Use Regulation. The Computer Use Regulation requires authorized users to take appropriate security precautions to protect and secure university data regardless of where it resides.

3. Scope

3.1 All endpoints. All endpoints that access, process, or store university data must adhere to mandatory security controls as specified in the following sections:

3.2 All levels of data sensitivity. NC State data is classified into the following data-sensitivity levels as defined in Section 6 of the NC State University REG 08.00.03 – Data Management Regulation, all of which are in scope for this standard.

3.2.1 Ultra-sensitive (purple data): Examples include social security numbers, passwords, encryption keys, and biometrics (such as fingerprints and iris scans).

3.2.2 Highly sensitive (red data): Examples include driver’s license, mother’s maiden name, passport, and immigration number.

3.2.3 Moderately sensitive (yellow data): Examples include date of birth, race, gender, and transcripts.

3.2.4 Not sensitive (green data): This information may be disclosed to individuals regardless of their university affiliation. The modification of green data is restricted to appropriate personnel. Examples include published university web content and any data that would not affect university business if disclosed.

4. Endpoint Protection Standard – Security Controls

4.1 The Endpoint Protection Standard (EPS) security controls specified here and in Sections 5 and 6 are the security requirements you must meet to be fully compliant with this standard.

4.1.1 Ownership and Purpose. As specified in the next two sections, the security controls required for each level of data sensitivity vary depending on who owns the endpoint and whether university data is being accessed or stored. In general, the requirements are higher for university-owned endpoints.

4.1.2 Configuration Management System (CMS). All university-owned endpoints accessing university data must be managed by a CMS that has been approved by OIT Security & Compliance if one is available. Refer to the NC State Configuration Management Systems web page for a list of currently approved CMSs and the procedure to request CMS approval.

4.2 All university-owned endpoints that store ultra-sensitive (purple) data and highly sensitive (red) data must also comply with RUL 08.00.16 – NC State University Security Standards for Sensitive Data and Systems, including the requirements for logging and alerts for mandatory controls.

4.2.1 Do not store ultra-sensitive (purple) or highly sensitive (red) data on endpoints not owned by the university.

5. University-owned Endpoints

5.1 For university-owned endpoints, the requirements for accessing and storing data are the same. You can use approved campus-managed CMSs to be compliant with most EPS security controls.

5.1.1 For details regarding appropriate storage locations for NC State data, refer to Storage Locations for University Data.

5.2 All university-owned endpoints must adhere to the EPS security controls per Table 1, which specifies the following:

5.2.1 For purple and red data, all controls are mandatory.

5.2.2 For yellow data, all controls are mandatory except for Application Control.

5.2.3 For green data, all controls except for Application Control are mandatory.

Recommended:

Encrypted Network Communication
Full Disk Encryption
Least Privilege Access

TABLE 1. Security Controls for University-owned Endpoints (Accessing and Storing University Data)

Security Controls (with links to Glossary) M = Mandatory R = Recommended	Data-sensitivity Level by Color
	Purple and Red Data	Yellow Data	Green Data
Anti-malware and antivirus software	M	M	M
Application Control	M	N/A	N/A
Authentication	M	M	M
Data Discovery and Protection	M	M	M
Encrypted Network Communication	M	M	R
Full Disk Encryption (with university key escrow)	M	M	R
Host-based Firewall	M	M	M
Least Privilege Access	M	M	R
Software Inventory	M	M	M
Web Reputation Filtering	M	M	M

6. Endpoints not Owned by the University

6.1 You must adhere to the following rules for endpoints not owned by the university:

6.1.1 You must not access, process, or store ultra-sensitive (purple)

6.1.2 Do not store highly sensitive (red) data.

6.1.3 You may access red data providing you comply with this standard; however, you must not store red data.

6.1.4 When accessing highly sensitive data (red data) and below, via any type of connection — for example, via direct connection, Virtual Private Network (VPN), or Remote Desktop Protocol (RDP), you must adhere to the security controls as specified in Section 6.3, Accessing University Data.

6.1.5 When storing moderately sensitive (yellow) data and below, you must adhere to controls as specified in Section 6.4, Storing University Data.

6.2 Operating Systems (OSs) typically offer many of the required security controls for accessing all levels of university data.

6.3 Accessing University Data

6.3.1 Accessing university data from endpoints not owned by the university requires compliance per Table 2, which specifies the following:

6.3.1a You are not allowed to access (or process or store) purple data.

6.3.1b For red and yellow data, all listed controls are mandatory:

Anti-malware and antivirus software
Authentication
Encrypted Network Communication
Web Reputation Filtering

6.3.1c For green data, the controls are specified as follows:

Mandatory:

Anti-malware and antivirus software
Web Reputation Filtering

Recommended:

Authentication
Encrypted Network Communication

6.3.2 Endpoints not owned by the university may access red data providing they are complying with this standard; however, they must not store red data under any condition.

6.3.3 Using a university-owned endpoint is preferred. If that is problematic then endpoints not owned by the university may be used if they meet these controls.

TABLE 2. Security Controls for Endpoints not Owned by the University – Accessing (and not Storing) University Data

Security Controls (with links to Glossary) M = Mandatory R = Recommended	Data-sensitivity Level by Color
	Accessing Purple Data (Not Allowed)	Accessing Red and Yellow Data	Accessing Green Data
Anti-malware and antivirus software	Access Not Allowed	M	M
Authentication	Access Not Allowed	M	R
Encrypted Network Communication	Access Not Allowed	M	R
Web Reputation Filtering	Access Not Allowed	M	M

6.4 Storing University Data

6.4.1 Storing university data from endpoints not owned by the university requires compliance per Table 3, which specifies the following:

6.4.1a You must not store purple or red data.

6.4.1b For yellow data, all listed controls are mandatory:

Anti-malware and antivirus software
Authentication
Encrypted Network Communication
Full Disk Encryption
Host-based Firewall
Least Privilege Access
Web Reputation Filtering

6.4.1c For green data, controls are specified as follows:

Mandatory:

Anti-malware and antivirus software
Web Reputation Filtering

Recommended:

Authentication
Encrypted Network Communication
Full Disk Encryption
Host-based Firewall
Least Privilege Access

6.4.2 Do not store ultra-sensitive (purple) or highly sensitive (red) data on endpoints not owned by the university.

6.4.3 If adhering to one or more of these controls is problematic, use a university-owned endpoint instead.

TABLE 3. Security Controls for Endpoints not Owned by the University – Storing University Data

Security Controls (with links to Glossary) M = Mandatory R = Recommended	Data-sensitivity Level by Color
	Storing Purple and Red Data (Not Allowed)	Storing Yellow Data	Storing Green Data
Anti-malware and antivirus software	Storing Not Allowed	M	M
Authentication	Storing Not Allowed	M	R
Encrypted Network Communication	Storing Not Allowed	M	R
Full Disk Encryption	Storing Not Allowed	M	R
Host-based Firewall	Storing Not Allowed	M	R
Least Privilege Access	Storing Not Allowed	M	R
Web Reputation Filtering	Storing Not Allowed	M	M

7. Implementation Priorities

7.1 Campus IT support staff have the authority and responsibility to implement this standard on university-owned endpoints for their respective areas. Owners of endpoints not owned by the university are responsible for EPS compliance.

8. Exceptions

8.1 OIT Security and Compliance (S&C) will consider compensating controls for specific requirements when an entity cannot comply with a security control explicitly as stated, due to a legitimate need, but has mitigated the risk associated with the security control sufficiently through the implementation of compensating controls. Requests for exceptions must be submitted to OIT S&C via the IT Exception Request form.

8.2 When OIT S&C receives an exception request, S&C will assess the risk, assist in identifying compensating controls, and communicate recommendations to the requesting party, as well as to applicable data stewards. For additional information, refer to the Data Management Framework web page.

8.3 Exception requests must clearly document justification for the exception and for the compensating controls that will be implemented for risk mitigation. Exceptions must be renewed annually and cannot be granted for more than a year.

9. Non-compliance and Violations

9.1 Violations of this standard will be handled in accordance with REG 08.00.02 – Computer Use Regulation. Violations may result in the endpoint being blocked or removed from the network. Endpoints being blocked will remain blocked until brought into compliance. In addition, their owners or responsible parties may be disciplined in accordance with Section 5 of REG 08.00.02.

10. Glossary

10.1 Security Controls
10.1.1 Anti-malware and Antivirus Software. Identifies and remediates viruses and malware; runs continuously or scans the entire endpoint periodically; uses heuristics-based or pattern-matching detection rules to identify viruses and malware. You must update definitions and detection rules so that they are current at all times.

10.1.2 Application Control. Enforce an application-allow or application-deny administratively within the OS to ensure that “known bad” applications cannot be executed and only “known good” applications can.

10.1.3 Authentication. Grants access to an endpoint only when you provide a passcode or username and password. In the event of inactivity, re-authentication is required periodically. Authentication factors can include but are not limited to passwords, PINs, and biometrics.

10.1.4 Configuration Management. In the context of this standard, the client OS is connected to an approved CMS, which gives system administrators the ability to react to vulnerabilities or attacks — to enforce security-related controls and mitigate risk.

10.1.5 Data Discovery and Protection (DDP). As a campus-wide data management initiative to safeguard all university data. This initiative meets the requirements captured in the Data Management Regulation (REG 08.00.03).

10.1.6 Encrypted Network Communication (ENC). Encryption protocols must be used when accessing campus resources from outside the NC State network or over any unencrypted wireless network. ENC can refer to the specific protocol (such as SSH or HTTPS) or an encrypted tunneling/transport protocol (such as an SSL, IPsec VPN, or the NC State VPN).

10.1.7 Full Disk Encryption. Prevents access to data stored on endpoint devices without approved credentials. Full disk encryption is not intended to supersede any data classification-specific security standards, as authorization from a Data Steward remains a requirement for storage of sensitive data on endpoint devices. Protection and escrow of encryption keys must be addressed appropriately.

10.1.8 Host-based Firewall. Installed and enabled to block inbound traffic by default. A firewall rule set to allow all inbound traffic would invalidate the firewall as a valid security control.

10.1.9 Least Privilege Access. Configuring hosts to provide only the minimum rights to the appropriate users, processes, and hosts; provide everyone with everything they need to do what they are supposed to do, and nothing more.

10.1.10 Software Inventory. Includes, at a minimum, OS information, patch lists, and software installed (including version information and dates of installation). Inventory data needs to be updated periodically. This data is used to determine compliance with RUL 08.00.14 — System and Software Security Patching Standard.

10.1.11 Web Reputation Filtering. A service that protects customers browsing through web pages by comparing the site (or its content) against a set of known bad sites, as identified by security organizations and companies. It is not required that the control is met locally on the device. For example, the control can be met by running the service within a web browser, on the local OS, or as a network proxy. Automatic updating of the Web Reputation Filtering block list must be enabled where possible.

10.2 Acronyms

Acronym	Definition
CMS	Configuration Management System
DDP	Data Discovery and Protection
ENC	Encrypted Network Communication
EPS	Endpoint Protection Standard
S&C	OIT Security and Compliance at NC State

10.3 Terms

10.3.1 access (accessing data). View, retrieve, alter, or create data.

10.3.2 Configuration Management System (CMS).

The CMS in this context means the client OS is connected to an approved CMS, which gives system administrators the ability to react to vulnerabilities or attacks to enforce security-related controls and mitigate risk.

10.3.3 compensating control. A suitable alternative to an EPS security control; meets OIT S&C conditions.

10.3.4 controls (security controls). EPS security requirements

10.3.5 controls, mandatory. Required for compliance with this standard. Any language including “must” is mandatory as well.

10.3.6 controls, recommended. Strongly recommended for optimal security; however, not required to be assessed as compliant with this standard.

10.3.7 endpoint. An endpoint is a user computer or smart device used to access university data whether owned by the university or not. The term can refer to desktop computers, servers, laptops, smartphones, tablets, thin clients, printers or other specialized hardware such as Point of Sale terminals and smart meters.

10.3.8 heuristics. Heuristic technologies search for previously unknown viruses, detecting and defending against new malware yet to be discovered (and added to virus-definition files). See also anti-malware and antivirus security controls.

10.3.9 resource. See Section 1 of REG 08.00.02 – Computer Use Regulation.

10.3.10 store (storing data). Retrievable retention of data; entering data into or retaining data from electronic, electrostatic, or electrical hardware or other elements (media).

Review Status
Committee Name	Anticipated Date of Review	Date of Review
OIT	2022-02-21	2022-02-21
Endpoint Implementation Team	Shared 1/31/19
Endpoint Steering Team	Shared at 1/31/19 Meeting
ITSAC-SCGS (includes review from Security Technology and Policy & Compliance Working Groups)	STWG: Feb 21, 2019 Meeting PCWG: Jan 2019 Meeting ISAG: 2/14/19	STWG: 2/21/19 PCWG: 1/24/19 ISAG: 2/14/19
Security Liaisons	Feb 27, 2019 Meeting	2/27/19
Campus IT Directors	3/9/22 Email with 3/15/22 deadline for comments.	3/15/22
OIT S&C	2022-02-02	2022-02-02
CIO/VC for IT	2022-02-08	2022-02-08
Chancellor’s Cabinet	2022-03-22	2022-03-22