RUL 08.00.18 – Endpoint Protection Standard

Authority:  Issued by the Vice Chancellor for Information Technology.

History: First Issued: May 1, 2018.

Related Policies:
REG 08.00.02 – Computer Use Regulation
REG 08.00.03 – Data Management Procedures
RUL 08.00.14 – System and Software Security Patching Standard
RUL 08.00.16 – NC State University Security Standards for Sensitive Data and Systems
RUL 08.00.13 – Network Printer Security Standard

Additional References:
Technology for Travel
Mobile Device Security
NC State Help Desk
Data Sensitivity Framework
Determining Sensitivity Levels for Shared Data
Data Categories, Trustees, Stewards, and Custodians
NC State Configuration Management Systems
Clarification on University Owned Computers and Grants
Endpoint Protection Standard Implementation Phases
IT Exception Request
Sensitive Information Identification Remediation (SIIR) and SIIR Requirement Letter
Endpoint Protection Standard FAQs
Endpoint Protection Standard Implementation
Configuration Management Systems at NC State
Endpoint Protection Standard 3D Memorandum

Contact Info:  Chief Information Security Officer, OIT 919-513-1194

Contents

  1. Audience
  2. Purpose
  3. Scope
  4. Standard
  5. University Owned Resources and Devices
  6. Personally Owned Resources and Devices
  7. Implementation Priorities
  8. Exceptions
  9. Non-compliance and Violations
  10. Glossary

_________________________________________________________________________________________________

1. Audience

1.1 This standard applies to every user of NC State’s network, which includes users of the following types of resources and devices:

1.1.1 University-owned Resources and Devices

1.1.2 Personally Owned Resources and Devices

1.2 Specifically, in reference to NC State IT resources, this standard applies to Data Trustees, Data Stewards, and/or Data Custodians and their delegates (including information systems development and support personnel, LAN admins/LANTechs, system administrators, database administrators, and so forth), who are typically responsible for implementation of such standards.

1.3 For devices not owned by the university, the device owners are responsible for implementing the specified controls.

2. Purpose

2.1 To comply with NC State University REG 08.00.02 – Computer Use Regulation, which requires authorized users to take appropriate security precautions to protect and secure data residing in or on assigned university accounts or other university and non-university IT Resources, this standard outlines the minimum requirements for information system components connected to NC State’s network.

2.2 IT Resources. NC State University IT resources include, for example, university machines, systems, or storage devices, as well as non-university machines, systems, or storage devices that may contain the University's data. See Section 1 of the NC State University REG 08.00.02 – Computer Use Regulation for the full definition of University IT Resources.

2.3 To comply with REG 08.00.02 – Computer Use Regulation and ensure appropriate security protections are in place, NC State University has adopted the standard herein, which applies to anyone who accesses NC State’s network.

NOTE:  This includes the ncsu-guest network when used to access University IT resources.

3. Scope

3.1 All resources and devices that access, process, or store University data shall adhere to the mandatory and recommended security controls as defined in the following tables:

3.1.1 Table 1: Controls, by data-sensitivity level, for University-owned resources and devices.

3.1.2 Table 2: Controls, by data-sensitivity level, for personally owned resources and devices that access (but do not store) university resources.

3.1.3 Table 3: Controls, by data-sensitivity level, for personally owned resources and devices that store moderate security data (yellow data).

4. Standard

4.1 All University-owned IT resources and information system components connected to NC State’s network shall be managed by a Configuration Management System (CMS) if one is available for that component and the CMS has been approved by OIT Security and Compliance. Refer to NC State Configuration Management Systems for a list of currently approved CMSs and also for the procedure to request CMS approval.

4.2 Resources and devices that store high-security data (red data) or above must also comply with RUL 08.00.16 – NC State University Security Standards for Sensitive Data and Systems, especially with regard to the logging and alerting required for mandatory controls. Ultra-high security (purple) and high-security (red) data are not approved for storage on personally owned resources and devices. See the Data Sensitivity Framework for additional information on data-sensitivity classifications.

5. University Owned Resources and Devices

5.1 For University-owned devices, many of the required controls can be met by using campus-supported managed environments.

5.2 All University-owned resources and devices shall adhere to controls as specified in Table 1.

5.3 See the Glossary in Section 10 for definitions of the controls listed in Column 1 of each table.

TABLE 1.   Controls, by Data-sensitivity Level, for University-owned Resources & Devices

M = Mandatory      R = Recommended      N/A = Not applicable

Control                                               Purple  Red  Yellow  Green  White
----------------------------------------------------  ------  ---  ------  -----  -----
Anti-malware                                          M       M    M       M      M
Antivirus                                             M       M    M       M      M
Application Control                                   M       M    N/A     N/A    N/A
Authentication                                        M       M    M       M      M
Encrypted Network Communication                       M       M    M       R      R
File Integrity Monitoring                             M       M    N/A     N/A    N/A
Full Disk Encryption (with university key escrow)     M       M    M       R      R
Host-based Firewall                                   M       M    M       M      M
Least Privilege Access                                M       M    M       R      R
Sensitive Information Identification & Remediation    M       M    M       M      M
Software Inventory                                    M       M    M       M      M
Web Reputation Filtering                              M       M    M       M      M

6. Personally Owned Resources and Devices

6.1 For personally owned devices that access the university's resources, hardware and Operating System (OS) vendors typically provide many of the required controls.

6.2 All personally owned resources and devices that access the university's resources via direct connection, Virtual Private Network (VPN), or Remote Desktop Protocol (RDP) shall adhere to the controls specified in Table 2.

6.3 All personally owned resources and devices that store moderate security data (yellow data) shall adhere to the controls specified in Table 3.

6.4 See the Glossary in Section 10 for definitions of the controls listed in Column 1 of each table.

6.5 Accessing Data: controls for personally owned devices that access (but do not store) university data are given in Table 2.

6.6 Storing Data: controls for personally owned devices that store moderate security (yellow) data are given in Table 3.

If adhering to one or more of the controls in Table 2 or Table 3 on a personally owned device is problematic, use a University-owned machine instead.

NOTE:   Direct access to, or storage of, purple or red university data is not permitted on personally owned resources and devices.

TABLE 2.   Controls, by Data-sensitivity Level, for Personally Owned Resources & Devices Accessing (and not Storing) Moderate Security Data (Yellow Data)

M = Mandatory      R = Recommended      N/A = Not applicable (purple and red data may not be accessed from personally owned devices)

Control                            Purple  Red  Yellow  Green  White
---------------------------------  ------  ---  ------  -----  -----
Anti-malware                       N/A     N/A  M       M      M
Antivirus                          N/A     N/A  M       M      M
Authentication                     N/A     N/A  M       R      R
Encrypted Network Communication    N/A     N/A  M       R      R
Web Reputation Filtering           N/A     N/A  M       M      M

TABLE 3.   Controls, by Data-sensitivity Level, for Personally Owned Resources & Devices that Store Moderate Security Data (Yellow Data)

M = Mandatory      R = Recommended      N/A = Not applicable (purple and red data may not be stored on personally owned devices)

Control                            Purple  Red  Yellow  Green  White
---------------------------------  ------  ---  ------  -----  -----
Anti-malware                       N/A     N/A  M       M      M
Antivirus                          N/A     N/A  M       M      M
Authentication                     N/A     N/A  M       R      R
Encrypted Network Communication    N/A     N/A  M       R      R
Full Disk Encryption               N/A     N/A  M       R      R
Host-based Firewall                N/A     N/A  M       R      R
Least Privilege Access             N/A     N/A  M       R      R
Web Reputation Filtering           N/A     N/A  M       M      M

7. Implementation Priorities

7.1 Campus should implement this standard in accordance with the Endpoint Protection Standard Implementation Phases document.

7.2 Campus IT support staff have the authority and responsibility to implement this standard for their respective areas.

8.  Exceptions

8.1 Compensating controls may be considered for specific requirements when an entity cannot meet a requirement explicitly as stated, due to a legitimate need, but has sufficiently mitigated the risk associated with the requirement through implementation of compensating controls.

8.2 OIT Security & Compliance will assess the risk, assist in identifying compensating controls, and communicate recommendations to the requesting party, as well as applicable Data Stewards. Refer to Data Categories, Trustees, Stewards, and Custodians.

8.3 Exception requests should clearly document justification for the exception and for the compensating controls that will be implemented for risk mitigation. Exceptions must be renewed annually and cannot be granted for more than a year. Requests for exceptions must be submitted to Security & Compliance via the IT Exception Process.

9. Non-compliance and Violations

Violations of this standard will be handled in accordance with REG 08.00.02 – Computer Use Regulation. Violations may result in the computer being blocked or removed from the network if it is negatively impacting security or performance on the campus network. Computers will not be unblocked until the machine is brought into compliance. In addition, users may be disciplined in accordance with Section 5 of REG 08.00.02 – Computer Use Regulation.

10. Glossary

Anti-malware: Installed software that runs continually or scans the entire machine periodically, using heuristics-based detection rules to identify and remediate known viruses and malware. Definitions/detection rules must be kept up to date.

Antivirus: Installed software that runs continually or scans the entire machine periodically, using pattern-based (signature) detection rules to identify and remediate known viruses and malware. Definitions/detection rules must be kept up to date.

Application Control: The ability to enforce an application whitelist or blacklist administratively within the OS, so that "known bad" applications cannot be executed (blacklist) or only "known good" applications can be executed (whitelist).

Authentication: Authentication must be implemented so that it is not possible to access the endpoint in any way without providing a passcode or a username and password. After a period of inactivity, re-authentication is required. Authentication factors can include, but are not limited to, passwords, PINs, and biometrics.

Configuration Management: In this context, the client OS is connected to an approved CMS, which gives system administrators the ability to react to vulnerabilities or attacks, enforce security-related controls, and mitigate risk.

Encrypted Network Communication: Encryption protocols must be used when accessing campus resources from outside NC State's network or over any unencrypted wireless network. Encrypted Network Communication (ENC) can refer to an application protocol that is itself encrypted (such as SSH or HTTPS) or to an encrypted tunneling/transport protocol (such as an SSL/TLS or IPsec VPN).

File Integrity Monitoring: File Integrity Monitoring (FIM) is an internal control or process that monitors the integrity of operating systems and applications to identify changes that introduce risk, by comparing their current state to a previously known, baseline state.

Full Disk Encryption: Full disk encryption prevents access to data stored on endpoint devices without approved credentials. Full disk encryption is not intended to supersede any data classification-specific security standards; authorization from a Data Steward remains a requirement for storage of sensitive data on endpoint devices. Protection and escrow of the encryption keys should be addressed appropriately.

Host-based Firewall: A host-based firewall must be installed and enabled to block inbound traffic by default. A rule set that allows all inbound traffic invalidates the firewall as a security control.

Least Privilege Access: Employ the principle of least privilege by configuring hosts to provide only the minimum rights to the appropriate users, processes, and hosts.

Sensitive Information Identification & Remediation: Scans systems for the presence of sensitive data and identifies its level of sensitivity. See the SIIR Requirement Letter regarding scanning for sensitive data.

Software Inventory: Software inventory includes, at a minimum, OS information, patch lists, and installed software (including version information and dates of installation). Inventory data needs to be updated periodically. This data is used to determine compliance with RUL 08.00.14 – System and Software Security Patching Standard.

Web Reputation Filtering: Web Reputation Filtering is a service designed to protect users browsing web pages by comparing the site (or its content) against a set of known bad sites, as identified by security organizations and companies. The control need not be met locally on the device; for example, it can be met by running the service within a web browser, on the local OS, or as a network proxy. Automatic updating of the Web Reputation Filtering blacklist should be enabled where possible.
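The File Integrity Monitoring entry describes the control only in outline. The following is an added example, not part of the NC State standard and not a campus-supported tool: a minimal Python baseline-and-diff monitor that hashes every regular file under a directory, stores the result, and reports what was added, removed, or altered on a later run. The directory layout, file names, and the simulated tampering are constructed for the demonstration.

```python
"""Minimal file-integrity monitor: hash a tree, store a baseline, diff later runs.

Added example for the File Integrity Monitoring glossary entry; it is not part of
the NC State standard or of any campus-supported tool.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 65536) -> str:
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its digest and mode bits.

    Symlinks are skipped: hashing the target would let an attacker point a link at a
    benign file while the link itself is the change that matters.
    """
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            rel = path.relative_to(root).as_posix()
            baseline[rel] = {
                "sha256": sha256_file(path),
                "mode": oct(path.stat().st_mode & 0o7777),
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Return files added, removed, or whose content/mode differs from the baseline."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, tamper with it, and diff.

    The paths and contents are made up for the example; nothing is read from the real host.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "sshd").write_bytes(b"original binary")
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")

        baseline = build_baseline(root)
        # In practice the baseline lives off-host or is signed; an attacker with write
        # access to the monitored tree could otherwise rewrite it to hide changes.
        baseline_file = root / "baseline.json"
        baseline_file.write_text(json.dumps(baseline, indent=1))

        # Simulated tampering: replaced binary, deleted config, new preload hook.
        (root / "bin" / "sshd").write_bytes(b"trojaned binary")
        (root / "etc" / "sshd_config").unlink()
        (root / "etc" / "ld.so.preload").write_text("/tmp/evil.so\n")

        stored = json.loads(baseline_file.read_text())
        current = {k: v for k, v in build_baseline(root).items() if k != "baseline.json"}
        return compare(stored, current)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two points the standard's wording implies but a reader may miss: the baseline must be protected at least as well as the files it describes (kept off-host or signed), or the same write access that alters a binary can also alter the record of it; and for red or purple systems, the differences this produces are exactly what RUL 08.00.16 expects to be logged and alerted on, not just printed.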
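The Sensitive Information Identification & Remediation entry defers to the SIIR Requirement Letter for what is scanned. As an added illustration only, not the university's scanner, its patterns, or the letter's requirements: a Python scan that flags SSN-shaped and payment-card-shaped strings in text, using the Luhn checksum to suppress the long numbers that merely look like card numbers. The sample text, the regular expressions, and the SSN/CARD labels are this example's own assumptions; mapping a finding to a colour level belongs to the Data Sensitivity Framework, not to the scanner.

```python
"""Toy sensitive-information scan: flag SSN-shaped and payment-card-shaped strings.

Added example for the Sensitive Information Identification & Remediation entry; the
patterns, labels and sample text are this example's own, not the content of the
university's SIIR Requirement Letter or of any campus scanning tool.
"""
import re

# US SSN: AAA-GG-SSSS, with never-issued ranges (area 000, 666, 900-999;
# group 00; serial 0000) rejected up front to cut false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# 13-19 digits optionally separated by single spaces or hyphens. Almost any long
# number matches this, so the Luhn check below does the real filtering.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four digits so the report itself is not sensitive."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str) -> list:
    """Return one finding per hit: line number, type label and masked value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in SSN_RE.finditer(line):
            findings.append({"line": lineno, "type": "SSN", "value": mask(m.group())})
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):  # drops order numbers, IDs, timestamps, etc.
                findings.append({"line": lineno, "type": "CARD", "value": mask(m.group())})
    return findings


# Constructed sample text; the SSN and card number are common test values.
SAMPLE = """\
Student record: SSN 123-45-6789, advisor ext. 919-513-1194
Order #1234567812345678 shipped (looks like a card number, fails Luhn)
Card on file: 4111 1111 1111 1111 exp 12/29
Payroll 2017 summary, no identifiers
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f['line']}: {f['type']} {f['value']}")
```

The checksum is what makes such a scan usable: without it the 16-digit order number on line 2 would be reported alongside the real card number on line 3. Expect both false positives (Luhn-valid test numbers, as here) and false negatives (numbers split across lines, unusual separators), which is why the standard treats SIIR as identification to be followed by human remediation rather than as proof of absence.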


Review Status

Committee or reviewer, with dates of review and outcome:

OIT Iterative Review: November 2017 – January 2018.

ITSAC-SCGS (includes review from the Security Technology and Policy & Compliance Working Groups): STWG 12/2017; PCWG 1/25/2018; SCGS 12/7/17, 1/4/18, 2/1/18 (final review before sending to CITD), 3/5/18 (reviewed added clarifications) and 4/5/18 (reviewed added clarifications; one additional clarification made).

ITSAC-CAS: 12/7/17, 1/4/18 and 2/1/2018 (final review before sending to CITD).

Security Liaisons: 2/6/18.

Campus IT Directors: 2/20/18 – endorsed with request to address comments in the document and clarify the use of personally owned machines; final review to be made at the 3/20 meeting. 3/20/18 – additional review occurred with further clarifications identified; revised document to be shared for review/feedback before finalizing. 4/17/18 – full endorsement with no changes.

OIT S&C: 4/23 – 4/24 – final edit review of the document and associated links to ensure readiness for publishing; 4/24 – editing complete and sent to Marc & Deborah Harvey for review at the 5/1 Chancellor's Cabinet meeting.

Chancellor's Cabinet: 5/1/18.