Endpoint Security Standard

Purpose and Applicability

Endpoint devices — desktop and laptop computers, as well as mobile devices and "internet of things" (IoT) smart devices — that connect to Portland State University (PSU) computer networks and/or process non-public PSU information are a fundamental part of the PSU information technology (IT) landscape. Such devices are a major source of risk to the confidentiality, integrity, and availability of PSU data and enterprise IT systems.

This standard applies to endpoints managed by the Office of Information Technology (OIT) Endpoint Engineering (EE) team through their Endpoint Management supporting service offering and makes recommendations for administrative controls that support good endpoint security and data stewardship practices.

Additionally, this standard can be referenced and mandated as needed for specific use cases to prescribe a minimum set of security configurations and administrative controls that must be applied to endpoints connecting to PSU computer networks and/or processing PSU non-public information.

Definitions

Administrative Controls: Policies, procedures, or guidelines that define personnel or business practices to meet specified security objectives.

Compensating Controls: Alternative security measures implemented when the prescribed technical controls or administrative controls cannot be applied, which provide an equivalent or greater level of protection than the original controls.

Device Custodian: The PSU employee who is managing the device or otherwise assigned the device.

Endpoint: A physical or virtual device that connects to a PSU network, including both physical and virtual desktops, laptops, printers, servers, mobile devices, and IoT devices.

Managed Endpoint: An endpoint enrolled in OIT’s Endpoint Management supporting service offering.

Technical Controls: Prescribed settings and controls applied to endpoints to meet specified security standards, including settings for user access, encryption, logging, and software restrictions.

Vulnerability Management: The process of identifying, assessing, prioritizing, and remediating security vulnerabilities in PSU endpoints.

Standard

Controls

Vendor-Supported Endpoint Hardware

Managed endpoints that are on the PSU Hardware Standards Committee list of approved models are eligible to receive security and usability updates for both firmware and operating systems for the support period specified in the OIT Supported Hardware Configurations Standard. Once that period ends, the device is considered to have reached its end of life, is no longer eligible to be managed by OIT, and should be taken out of service.

Most vendors do not provide advance notification regarding hardware that is reaching its end of life. OIT may periodically notify the Technology Administrators Group (TAGs) regarding hardware that cannot migrate to a supportable OS or firmware and provide a one-month grace period during which no security updates will be provided. Once the grace period has ended, devices still in use will have their internet access restricted.

Patching

Applications, operating systems, and device firmware require regular security updates and bug fixes. OIT applies these updates to managed endpoints automatically at least monthly until the hardware or a managed application reaches its end of life. Device Custodians are responsible for applying security updates to applications that they have installed manually and that are not managed by OIT.

Endpoint Protection

CrowdStrike Falcon is PSU’s anti-malware and vulnerability management solution for endpoints. Its lightweight sensor agent is deployed automatically to all managed macOS and Windows endpoints.

Vulnerability Management

All managed endpoints are regularly monitored for vulnerabilities, which are remediated in a timely fashion based on risk and severity.

Full-Disk Encryption

The system and data disks in managed endpoints must be encrypted with industry-standard/recognized disk encryption technology following the OIT Encryption Standard.

Secure Data Disposal

All PSU-owned devices must follow the requirements and procedures for erasing, recycling, and destroying digital media equipment to ensure privacy and security as defined in the Digital Media Recycling Standard.

Loss/Theft of Device Reporting

Theft, loss, or suspected theft of a PSU-owned device must be reported by the Device Custodian as soon as they become aware of it, via all of the following:

  1. File a police report with Campus Public Safety Office (CPSO) 503-725-4407
  2. Submit the OIT Stolen Computer Report Form
  3. Follow the Risk Management property claims process

Event Logging Standard

All managed endpoints follow the OIT Security Event Logging Standard.

Exceptions

The controls specified in this standard may be augmented, substituted with compensating controls, or otherwise modified by a security plan duly authorized by the Information Security Team (SEC) and agreed to by the Device Custodian.

Related Policies, Procedures, and Information

Point of Contact

Contact the OIT Information Security Team at help-security@pdx.edu with questions, comments, or concerns about this OIT standard.

Approver

CISO, Office of Information Technology

Owner

CISO, Office of Information Technology

Date

May 27, 2025