Protecting PSU Data: A New Managed Device Requirement


At the Office of Information Technology (OIT), one of our top priorities is ensuring that Portland State University’s digital environment remains secure and reliable. To keep pace with the evolving landscape of cyber threats, OIT is announcing an important update to the PSU Endpoint Security Standard.

What is an Endpoint?

If you are reading the phrase "Endpoint Security" and wondering what it means, you are not alone! An "endpoint" is any physical or virtual device that connects to the PSU network or processes PSU data. For most of us, this means our desktop computers, laptop computers, tablets, and smartphones.

The Reason for This Change

Devices that connect to our networks and access university information are a primary target for cyberattacks. If an endpoint is compromised, it poses a significant risk to the confidentiality and availability of PSU data—including student records, financial information, and research data.

What is Changing?

The primary change in this updated standard is that most endpoint devices must participate in OIT’s Endpoint Management service to access Confidential or Restricted PSU data, or to conduct high-risk operational activities such as performing financial transactions, with a few exceptions noted in the FAQ below.

The good news is that the majority of PSU faculty and staff are already using Managed Endpoints for their daily work, meaning you likely won't need to change a thing! For those who are not, we are implementing a phased timeline to give everyone time to transition.

What is a Managed Endpoint?

In this context, a Managed Endpoint is a PSU-owned computer that is securely configured and maintained behind the scenes by OIT. OIT automatically installs the appropriate default software, applies standard settings, and performs regular system updates to ensure you have a reliable and safe workstation.
A Managed Endpoint provides many security benefits, including:

  • Full disk encryption: if your device is lost or stolen, the data on your device is safe and cannot be accessed by the thief.
  • Malware protection software: all Managed Endpoints have software loaded on them that monitors and protects against malware and bad actors.
  • Security updates: the latest security updates are installed automatically to keep your system protected.
  • Incident response: if your computer is compromised, PSU’s information security professionals can respond quickly to assist with minimizing the impact to our people and organization.

Timeline

To ensure a smooth transition, the new standard will be rolled out in two phases based on the type of data you handle in your daily work:

  • July 1, 2026: Takes effect for devices that are used to perform sensitive operational tasks like financial transactions, or to access Restricted data (highly sensitive information such as Social Security Numbers, financial aid data, and bank account numbers).
  • June 1, 2027: Takes effect for all devices used to access Confidential data.
     

Defining Confidential and Restricted Data

To know which deadline applies to you, it helps to understand how PSU classifies data, as outlined in the Information Security Policy.

  • Restricted Data: This is our most highly sensitive data. Unauthorized disclosure would cause significant financial, legal, or reputational damage to PSU or individuals. Examples: Social Security Numbers, credit card numbers, bank account numbers, protected health information, and financial aid data.
  • Confidential Data: This is sensitive data that is protected by law, contracts, or university policy. Examples: Student educational records (FERPA), employee performance evaluations, internal legal advice, and unpublished research data.

Frequently Asked Questions (FAQ)

Can employees still use a personal desktop or laptop computer to directly access PSU systems like Google Workspace and Canvas?

In general, after June 1st, 2027, the answer is no. This is because you are most likely working with Confidential data when accessing Google Workspace or Canvas. If you don’t have access to a Managed Endpoint, there are some options available to you. Keep reading this FAQ to learn more.

How do I determine if my current device is a Managed Endpoint?

It is easy to check! If you are using a PSU-owned Windows or macOS computer, look for the "Self-Service Software" application.

  • On Windows: Check your Start menu.
  • On macOS: Check your Applications folder.

If you see the Self-Service Software application, your device is officially a Managed Endpoint and you are already in compliance!

Can I convert my existing unmanaged device to a Managed Endpoint?

Possibly; it depends on whether the device meets OIT’s hardware standards. If your device was purchased through the ePSU Marketplace, then it is likely compatible. If your computer was purchased with personal funds, it cannot be managed due to privacy and licensing constraints.

To find out for sure, and/or to request that the device be converted to a Managed Endpoint, submit a request to the OIT Helpdesk to see if it can be enrolled in our Endpoint Management program.

Are smartphones and tablets in scope for this change?

Yes, but with specific provisions. We understand that many employees use smartphones or tablets to check email or view calendars. You can still use these devices to access PSU Confidential data if they meet the following conditions:

  • The device must be actively supported by the manufacturer and be current on all security updates.
  • The device must require a password/PIN or biometric (e.g. Face ID or fingerprint) unlock to access.
  • No PSU Confidential data is stored on the device.
  • Only PSU-sponsored websites or applications are used to interact with PSU Confidential data. For example: myPSU, Canvas, Google Workspace, and Zoom.
  • If the device is involved in a security incident involving PSU Confidential or Restricted data, PSU may require the device be provided to PSU or a third party for forensic analysis.

What do I do if I don't have access to a Managed Endpoint?

If you do not have access to a Managed Endpoint, you can use the PSU Employee Virtual Desktop to access Confidential data. The device used to connect to the Employee Virtual Desktop must be running a supported operating system, be current on all security updates, and require a password/PIN/biometric to log in/wake. PSU Confidential or Restricted data cannot be downloaded or stored on the device.

  • Note for Adjunct Faculty: Adjunct Faculty may use a personal device to access PSU Confidential data specifically for their instruction-related activities, provided the device is fully updated, password/PIN protected, uses only PSU-sponsored apps (like Canvas or Google Workspace), and is not used for long-term storage of PSU Confidential data.

Where can I purchase standard PSU desktop and laptop computers?

OIT has posted purchasing guidelines here. Your department's Technology Coordinator may be able to assist in this process.

Is using a Managed Endpoint the only way to meet the requirements in this standard?

Using a Managed Endpoint is the easiest way, but is not the only way to meet the requirements in this standard. With sufficient professional IT skills, it is possible for a PSU-owned laptop or desktop computer to meet the requirements in this standard without participating in OIT’s Endpoint Management service, for example by configuring full-disk encryption, installing PSU-licensed CrowdStrike, sending system logs to a centralized logging service, and performing software patching in alignment with the OIT Vulnerability Management Standard, in addition to meeting the other requirements around secure disposal and reporting of loss or theft.

Where do I go if I have more questions?

We are here to help! If you have questions, comments, or concerns about this standard or how it applies to your specific workflow, please contact the OIT Information Security Team at help-security@pdx.edu or reach out to the OIT Helpdesk.

Thank you for your continued partnership in keeping Portland State University's data safe and secure!