RUL 08.00.18 – Endpoint Protection Standard

Authority:  Issued by the Vice Chancellor for Information Technology.

History: First Issued: May 1, 2018. Last Revised: April 3, 2019.

Related Policies:
REG 08.00.02 – Computer Use Regulation
REG.08.00.03 – Data Management Procedures
RUL 08.00.14 – System and Software Security Patching Standard
RUL 08.00.16 – NC State University Security Standards for Sensitive Data and Systems
RUL 08.00.13 – Network Printer Security Standard

EPS References:
Endpoint Protection Standard (EPS) 3D Memorandum
Endpoint Protection Standard (EPS) FAQs
Endpoint Protection Standard (EPS) Implementation (Home Page)
Endpoint Protection Standard (EPS) Phases of Implementation

Additional References:
Clarification on University Owned Computers and Grants
Configuration Management Systems at NC State
Data Sensitivity Framework
Data Categories, Trustees, Stewards, and Custodians
Determining Sensitivity Levels for Shared Data
IT Exception Request
Mobile Device Security
NC State Help Desk
Sensitive Information Identification Remediation (SIIR) and SIIR Requirement Letter
Technology for Travel

Contact Info:  Chief Information Security Officer, OIT 919-513-1194

Contents

  1. Audience
  2. Purpose
  3. Scope
  4. EPS Security Controls
  5. University-owned Endpoints
  6. Endpoints not Owned by the University
  7. Implementation Priorities
  8. Exceptions
  9. Non-compliance and Violations
  10. Glossary
    10.1  Security Controls
    10.2  Acronyms
    10.3  Terms

_________________________________________________________________________________________________

1. Audience

1.1  NC State Data Users:  Complying with this standard is the responsibility of every user of NC State data, regardless of who owns the endpoint.

1.1.1  Endpoint Definition:  A computer or other device, whether or not owned by the university, used to access university data. The term can refer to desktop computers, servers, laptops, smartphones, tablets, thin clients, printers or other specialized hardware such as Point of Sale terminals and smart meters. This list is non-exhaustive.

1.2  Data Trustees, Stewards, and Custodians:  Specifically, with regard to managing university data using NC State IT resources, this standard applies to Data Trustees, Data Stewards, and/or Data Custodians and their delegates (including information systems development and support personnel, LAN admins/LANTechs, system administrators, database administrators, and so forth, who are typically responsible for the implementation of such standards).

1.2.1  Resource Definition:  See Section 1 of REG 08.00.02 – Computer Use Regulation for the full definition of university IT resources.

1.3  Endpoint Owners:  Regarding endpoints not owned by the university, all endpoint owners are responsible for complying with all security controls specified herein.

2. Purpose

2.1  This standard explains the minimum security precautions for protecting university data as required by the NC State University REG 08.00.02 – Computer Use Regulation.  The Computer Use Regulation requires authorized users to take appropriate security precautions to protect and secure university data regardless of where it resides.

3. Scope

3.1  All endpoints.  All endpoints that access, process, or store university data must adhere to the mandatory security controls specified in the following sections.

3.2  All levels of data sensitivity.  NC State data is classified into the following data-sensitivity levels as defined in Section 6 of the NC State University REG 08.00.03 – Data Management Procedures, all of which are in scope for this standard.

3.2.1 Ultra-sensitive (purple data):  Examples include SSNs, PINs, passwords, credit cards, digital signatures, and biometric data (for example, fingerprints and iris scans).

3.2.2  Highly sensitive (red data):  Examples include personal information regarding health, financials, identity, and so forth.

3.2.3  Moderately sensitive (yellow data):  Examples include education-related data and any data that would affect university business if disclosed inappropriately.

3.2.4  Normal; not sensitive (green data):  The modification of green data is restricted to appropriate personnel. Examples include published university web content and any data that would not affect university business if disclosed.

3.2.5  Unclassified (white data):  Publicly available without ramifications. Examples include static content published on university web pages.

3.3  Phases.  This standard is being implemented in phases.  See Endpoint Protection Standard (EPS) Implementation Phases for deadlines and other details.

4. Endpoint Protection Standard – Security Controls

4.1  The Endpoint Protection Standard (EPS) security controls specified here and in Sections 5 and 6 are the security requirements you must meet to be fully compliant with this standard.

4.1.1  Ownership and Purpose.  As specified in the next two sections, the security controls required for each level of data sensitivity vary depending on who owns the endpoint and whether university data is being accessed or stored. In general, the requirements are higher for university-owned endpoints.

4.1.2  Configuration Management System (CMS).  All university-owned endpoints accessing university data must be managed by a CMS that has been approved by OIT Security & Compliance if one is available.  Refer to the NC State Configuration Management Systems web page for a list of currently approved CMSs and the procedure to request CMS approval.

4.2  All university-owned endpoints that store ultra-sensitive (purple) data and highly sensitive (red) data must also comply with RUL 08.00.16 – NC State University Security Standards for Sensitive Data and Systems, including the requirements for logging and alerts for mandatory controls.

4.2.1  Do not store ultra-sensitive (purple) or highly sensitive (red) data on endpoints not owned by the university.

5. University-owned Endpoints

5.1  For university-owned endpoints, the requirements for accessing and storing data are the same.  You can use approved campus-managed CMSs to be compliant with most EPS security controls.

5.1.1  For details regarding appropriate storage locations for NC State data, refer to Storage Locations for University Data.

5.2  All university-owned endpoints must adhere to the EPS security controls per Table 1, which specifies the following:

5.2.1  For purple and red data, all controls are mandatory.

5.2.2  For yellow data, all controls are mandatory except Application Control and File Integrity Monitoring, which are not applicable.

5.2.3  For green and white data, all controls except the following are mandatory:

Not applicable:

  • Application Control
  • File Integrity Monitoring

Recommended:

  • Encrypted Network Communication
  • Full Disk Encryption
  • Least Privilege Access

TABLE 1.   Security Controls for University-owned Endpoints (Accessing and Storing University Data)

M = Mandatory      R = Recommended      N/A = Not Applicable

Security Control (see Glossary)                         Purple and Red Data   Yellow Data   Green and White Data
Anti-malware and antivirus software                     M                     M             M
Application Control                                     M                     N/A           N/A
Authentication                                          M                     M             M
Encrypted Network Communication                         M                     M             R
File Integrity Monitoring                               M                     N/A           N/A
Full Disk Encryption (with university key escrow)       M                     M             R
Host-based Firewall                                     M                     M             M
Least Privilege Access                                  M                     M             R
Sensitive Information Identification and Remediation    M                     M             M
Software Inventory                                      M                     M             M
Web Reputation Filtering                                M                     M             M

6. Endpoints not Owned by the University

6.1  You must adhere to the following rules for endpoints not owned by the university:

6.1.1  You must not access, process, or store ultra-sensitive (purple) data.

6.1.2  Do not store highly sensitive (red) data.

6.1.3  You may access red data provided you comply with this standard; however, you must not store red data.

6.1.4  When accessing highly sensitive data (red data) and below via any type of connection, for example a direct connection, a Virtual Private Network (VPN), or Remote Desktop Protocol (RDP), you must adhere to the security controls specified in Section 6.3, Accessing University Data.

6.1.5  When storing moderately sensitive (yellow) data and below, you must adhere to the controls specified in Section 6.4, Storing University Data.

6.2  Operating Systems (OSs) typically offer many of the required security controls for accessing all levels of university data.

6.3  Accessing University Data

6.3.1  Accessing university data from endpoints not owned by the university requires compliance per Table 2, which specifies the following:

6.3.1a  You are not allowed to access (or process or store) purple data.

6.3.1b  For red and yellow data, all listed controls are mandatory:

  • Anti-malware and antivirus software
  • Authentication
  • Encrypted Network Communication
  • Web Reputation Filtering

6.3.1c  For green and white data, the controls are specified as follows:

Mandatory:

  • Anti-malware and antivirus software
  • Web Reputation Filtering

Recommended:

  • Authentication
  • Encrypted Network Communication

6.3.2  Endpoints not owned by the university may access red data provided they comply with this standard; however, they must not store red data under any condition.

6.3.3  Using a university-owned endpoint is preferred. If that is not practical, endpoints not owned by the university may be used, provided they meet these controls.

TABLE 2.  Security Controls for Endpoints not Owned by the University – Accessing (and not Storing) University Data

M = Mandatory      R = Recommended

Security Control (see Glossary)         Accessing Purple Data   Accessing Red and Yellow Data   Accessing Green and White Data
Anti-malware and antivirus software     Access Not Allowed      M                               M
Authentication                          Access Not Allowed      M                               R
Encrypted Network Communication         Access Not Allowed      M                               R
Web Reputation Filtering                Access Not Allowed      M                               M

6.4  Storing University Data

6.4.1  Storing university data on endpoints not owned by the university requires compliance per Table 3, which specifies the following:

6.4.1a  You must not store purple or red data.

6.4.1b  For yellow data, all listed controls are mandatory:

  • Anti-malware and antivirus software
  • Authentication
  • Encrypted Network Communication
  • Full Disk Encryption
  • Host-based Firewall
  • Least Privilege Access
  • Web Reputation Filtering

6.4.1c  For green and white data, controls are specified as follows:

Mandatory:

  • Anti-malware and antivirus software
  • Web Reputation Filtering

Recommended:

  • Authentication
  • Encrypted Network Communication
  • Full Disk Encryption
  • Host-based Firewall
  • Least Privilege Access

6.4.2  Do not store ultra-sensitive (purple) or highly sensitive (red) data on endpoints not owned by the university.

6.4.3  If adhering to one or more of these controls is problematic, use a university-owned endpoint instead.

TABLE 3.   Security Controls for Endpoints not Owned by the University – Storing University Data

M = Mandatory      R = Recommended

Security Control (see Glossary)         Storing Purple and Red Data   Storing Yellow Data   Storing Green and White Data
Anti-malware and antivirus software     Storing Not Allowed           M                     M
Authentication                          Storing Not Allowed           M                     R
Encrypted Network Communication         Storing Not Allowed           M                     R
Full Disk Encryption                    Storing Not Allowed           M                     R
Host-based Firewall                     Storing Not Allowed           M                     R
Least Privilege Access                  Storing Not Allowed           M                     R
Web Reputation Filtering                Storing Not Allowed           M                     M

7. Implementation Priorities

7.1  See Endpoint Protection Standard Implementation Phases for implementation guidance.

7.2  Campus IT support staff have the authority and responsibility to implement this standard on university-owned endpoints for their respective areas.  Owners of endpoints not owned by the university are responsible for EPS compliance.

8. Exceptions

8.1  OIT Security and Compliance (S&C) will consider compensating controls for specific requirements when an entity cannot comply with a security control explicitly as stated, due to a legitimate need, but has sufficiently mitigated the risk associated with the security control through the implementation of compensating controls. Requests for exceptions must be submitted to OIT S&C via the IT Exception Request form.

8.2  When OIT S&C receives an exception request, S&C will assess the risk, assist in identifying compensating controls, and communicate recommendations to the requesting party, as well as to applicable Data Stewards. Refer to Data Categories, Trustees, Stewards, and Custodians.

8.3  Exception requests must clearly document justification for the exception and for the compensating controls that will be implemented for risk mitigation. Exceptions must be renewed annually and cannot be granted for more than a year.

9. Non-compliance and Violations

9.1  Violations of this standard will be handled in accordance with REG 08.00.02 – Computer Use Regulation. Violations may result in the endpoint being blocked or removed from the network. Endpoints being blocked will remain blocked until brought into compliance. In addition, their owners or responsible parties may be disciplined in accordance with Section 5 of REG 08.00.02.

10. Glossary

10.1 Security Controls
10.1.1  Anti-malware and Antivirus Software.  Identifies and remediates viruses and malware; runs continuously or scans the entire endpoint periodically; uses heuristics-based or pattern-matching detection rules to identify viruses and malware.  You must update definitions and detection rules so that they are current at all times.

10.1.2  Application Control.  Enforces an application whitelist (allowing access) or application blacklist (denying access) administratively within the OS, to ensure that “known bad” applications cannot be executed and only “known good” applications can.

10.1.3  Authentication.  Grants access to an endpoint only when you provide a passcode or username and password.  In the event of inactivity, re-authentication is required periodically. Authentication factors can include but are not limited to passwords, PINs, and biometrics.

10.1.4  Configuration Management.  In the context of this standard, the client OS is connected to an approved CMS, which gives system administrators the ability to react to vulnerabilities or attacks, enforce security-related controls, and mitigate risk.

10.1.5  Encrypted Network Communication (ENC).  Encryption protocols must be used when accessing campus resources from outside the NC State network or over any unencrypted wireless network.  ENC can refer either to a specific encrypted application protocol (such as SSH or HTTPS) or to an encrypted tunneling/transport protocol (such as an SSL or IPsec VPN, or the NC State VPN).

10.1.6  File Integrity Monitoring.  An internal control or process that monitors the integrity of OSs and applications to identify changes that introduce risk by comparing their current states to any previously known baseline states.

10.1.7  Full Disk Encryption.  Prevents access to data stored on endpoint devices without approved credentials.  Full disk encryption is not intended to supersede any data classification-specific security standards, as authorization from a Data Steward remains a requirement for storage of sensitive data on endpoint devices.  Protection and escrow of encryption keys must be addressed appropriately.

10.1.8  Host-based Firewall.  Installed and enabled to block inbound traffic by default.  A firewall rule set that allows all inbound traffic would invalidate the firewall as a valid security control.

10.1.9  Least Privilege Access.  Configuring hosts to provide only the minimum rights to the appropriate users, processes, and hosts; provide everyone with everything they need to do what they are supposed to do, and nothing more.

10.1.10  Sensitive Information Identification and Remediation (SIIR).  Scans systems for the presence of sensitive data and identifies the level of sensitivity.  See the SIIR Requirement Letter regarding scanning for sensitive data.

10.1.11  Software Inventory.  Includes, at a minimum, OS information, patch lists, and software installed (including version information and dates of installation).  Inventory data needs to be updated periodically. This data is used to determine compliance with RUL 08.00.14 – System and Software Security Patching Standard.

10.1.12  Web Reputation Filtering.  A service that protects customers browsing through web pages by comparing the site (or its content) against a set of known bad sites, as identified by security organizations and companies.  It is not required that the control is met locally on the device.  For example, the control can be met by running the service within a web browser, on the local OS, or as a network proxy.  Automatic updating of the Web Reputation Filtering blacklist must be enabled where possible.

10.2  Acronyms

Acronym   Definition
CMS       Configuration Management System
ENC       Encrypted Network Communication
EPS       Endpoint Protection Standard
S&C       OIT Security and Compliance at NC State
SIIR      Sensitive Information Identification and Remediation

10.3  Terms

10.3.1 access (accessing data).  View, retrieve, alter, or create data.

10.3.2 Configuration Management System (CMS).  The CMS in this context means the client OS is connected to an approved CMS, which gives system administrators the ability to react to vulnerabilities or attacks to enforce security-related controls and mitigate risk.

10.3.3 compensating control.  A suitable alternative to an EPS security control; meets OIT S&C conditions.

10.3.4 controls (security controls).  EPS security requirements.

10.3.5 controls, mandatory.  Required for compliance with this standard. Any language including “must” is mandatory as well.

10.3.6 controls, recommended.  Strongly recommended for optimal security; however, not required to be assessed as compliant with this standard.

10.3.7 endpoint.  An endpoint is a user computer or smart device used to access university data whether owned by the university or not. The term can refer to desktop computers, servers, laptops, smartphones, tablets, thin clients, printers or other specialized hardware such as Point of Sale terminals and smart meters.

10.3.8 heuristics.  Heuristic technologies search for previously unknown viruses, detecting and defending against new malware yet to be discovered (and added to virus-definition files). See also anti-malware and antivirus security controls.

10.3.9 resource.  See Section 1 of REG 08.00.02 – Computer Use Regulation.

10.3.10 store (storing data).  Retrievable retention of data; entering data into or retaining data from electronic, electrostatic, or electrical hardware or other elements (media).

Review Status

Committee Name                 Anticipated Date of Review                                            Date of Review
OIT                            Iterative Review                                                      Dates TBD
Endpoint Implementation Team   Shared 1/31/19                                                        Feb 2019
Endpoint Steering Team         Shared at 1/31/19 Meeting
ITSAC-SCGS*                    STWG: Feb 21, 2019 Meeting; PCWG: Jan 2019 Meeting; ISAG: 2/14/19     STWG: 2/21/19; PCWG: 1/24/19; ISAG: 2/14/19
ITSAC-CAS                      Shared via email on 2/19/19 with 2/28/19 deadline for comments        2/28/19
Security Liaisons              Feb 27, 2019 Meeting                                                  2/27/19
Campus IT Directors            2/19/19 Meeting with 2/28/19 deadline for comments                    2/19/19
OIT S&C                        Iterative Review
CIO/VC for IT                  March 2019                                                            Will review after above groups
Chancellor’s Cabinet           N/A                                                                   Not needed for this revision

* ITSAC-SCGS review includes review from the Security Technology and Policy & Compliance Working Groups.