University Computer Endpoint Security Standards

Policy Information
Policy Title: University Computer Endpoint Security Standards
Responsible Office: Office of the Chief Information Security Officer (ITS)
Policy Type: Information Technology
Policy Number: 309
Last Revision Date: 9/29/2025

Philosophy

The incidence of cyber-attacks, including ransomware, has risen sharply in the last several years. Many organizations and institutions have experienced cyber-attacks that caused partial or significant disruption to their ability to conduct their functions and business. Preparedness and protection against cyber-attacks have become among the most critical steps in safeguarding business continuity and protecting institutional resources and data. One of the many steps an institution can take is to establish and enforce computing endpoint standards. This policy lists the benefits, approaches, and specific action items regarding computing endpoint standards.

Purpose

The University computer endpoint security standard establishes consistent requirements for university-owned devices, and recommendations for non-university-owned devices that connect to the university network, in order to protect institutional data and meet the cybersecurity requirements of higher education. These standards extend greater protection to institutional data, individually stored files, and intellectual property. They can cover hardware, software, security configurations, and other aspects. Setting endpoint standards has several benefits:

  • Security Enhancement: Establishing endpoint standards helps in enforcing consistent security measures across all devices. This can include encryption protocols, password policies, access controls, and antivirus requirements. Standardized security configurations reduce vulnerabilities and the risk of cyber-attacks.
  • Compliance and Regulation Adherence: Compliance with industry or regulatory requirements, such as GDPR, HIPAA, or PCI DSS, is critical for many organizations. Endpoint standards ensure that devices meet these compliance requirements, avoiding potential legal issues or penalties associated with non-compliance.
  • Streamlined IT Management: Standardizing endpoints makes it easier to manage and maintain a consistent IT environment. IT staff can easily troubleshoot, update, or upgrade devices since they adhere to predefined configurations and software versions.
  • Interoperability and Integration: Endpoint standards promote interoperability, ensuring that devices can seamlessly communicate and work together. This facilitates integration of new technologies and applications, enhancing overall productivity and efficiency.
  • Cost Reduction: Standardizing endpoints can reduce costs associated with device procurement, maintenance, and support. By limiting the variety of hardware and software, organizations can negotiate better deals with vendors, optimize licensing, and streamline support services.
  • Improved Performance and Reliability: Having consistent configurations and specifications for endpoints ensures predictable performance levels. It reduces the likelihood of unexpected issues, downtime, or system failures due to incompatible hardware or software.
  • Ease of Scalability: Standardized endpoints facilitate scalability and growth within an organization. When new devices need to be added to the network, they can be quickly integrated since they adhere to the established standards.
  • Risk Mitigation: Endpoint standards help mitigate risks associated with non-standard or insecure configurations. By enforcing known secure settings and practices, organizations minimize potential risks to their data, systems, and operations.
  • Enhanced User Experience: Standardized endpoints provide a consistent user experience across devices. Users are familiar with the setup and operation, reducing training needs and improving user satisfaction.
  • Data Protection and Privacy: Endpoint standards can define data handling and privacy measures, ensuring that sensitive information is handled appropriately and in compliance with privacy regulations. This helps protect organizational and user data.

Definitions

Endpoint – a computing device that connects to the university network, either wired or wireless. Examples include desktops, laptops, smartphones, tablets, servers, workstations, printers, and Internet-of-Things (IoT) devices.

The 5-Level Data Classification Model

Public data (Level 1) - information that is explicitly approved for public release. The unauthorized disclosure, alteration, or destruction of this data would result in little to no risk. This information can be freely shared, used, and redistributed without repercussions. Generally, this information presents low risk to the university.

Internal data (Level 2) - information intended for internal use only. While it is not intended for public distribution, its unauthorized disclosure would cause minor inconvenience or minimal damage, but not catastrophic harm. Any institutional data not explicitly classified at another level is treated as Internal by default. Generally, this information presents low to moderate risk to the university.

Confidential data (Level 3) - sensitive information that would cause moderate damage to the organization if disclosed without authorization. Access is typically limited to a specific group or department on a need-to-know basis. This category includes information that could cause reputational or financial harm if compromised. Generally, this information presents moderate risk to the university.

Restricted data (Level 4) - highly sensitive information that is often subject to specific legal, regulatory, or contractual requirements. Unauthorized disclosure could result in severe damage, including significant financial loss, legal penalties, or severe reputational harm. This category exists for data that requires stringent controls because of its nature and the potential for misuse. Generally, this information presents moderate to high risk to the university.

Highly Restricted/Secret (Level 5) - the most sensitive data class, where unauthorized disclosure or compromise could result in grave or catastrophic harm to the organization or individuals. It is typically reserved for data that is protected by law or regulation and, if compromised, could lead to identity theft, severe legal consequences, or financial ruin. Generally, this information presents high risk to the university.

The 3-Level Data Risk Model 

Data risk is an assessment of the potential consequences of a data breach. 

Low Risk - unauthorized disclosure, alteration, or destruction of low-risk data would result in little or no risk to the organization. The impact on operations, assets, or reputation would be minimal or nonexistent. While few or no controls are required to protect confidentiality, some level of control is still necessary to prevent unauthorized modification or destruction, as even public data can have a moderate integrity or availability impact (a defaced public web page, for example).

Moderate Risk - moderate-risk data is information whose unauthorized disclosure, alteration, or destruction could result in a moderate level of risk to the organization or its affiliates. A reasonable level of security controls should be applied to this data. The loss of confidentiality, integrity, or availability could have a moderately adverse impact on the organization's mission, safety, finances, or reputation.

High Risk - data is classified as high risk when its unauthorized disclosure, alteration, or destruction could cause a significant, severe, or catastrophic level of risk. This level of risk could result in serious harm to individuals or the organization, including significant legal liability or severe financial loss. The highest level of security controls should be applied to this data.

Policy Statement

Minimum Security Standards for Endpoints:

  1. Security Patching
    1. Automatic updates should be enabled.
    2. Ensure third-party software is maintained and patched.
    3. It is recommended that operating systems and applications are updated and patched as soon as patches become available.
  2. Password Authentication
    1. All systems must require password authentication.
    2. All systems must be restricted to authorized users of the device.
  3. Firewall
    1. Enable the host-based firewall in default-deny mode and permit only the minimum necessary services.
  4. Endpoint Security (Endpoint Detection and Response, Anti-Virus and Malware Protection)
    1. Install university-approved endpoint security software, which includes antivirus/anti-malware tools, with automatic updates and scanning enabled.
  5. Supported Operating Systems
    1. Use operating systems for which updates are available when security vulnerabilities are discovered.
    2. Operating systems that are no longer supported are not allowed on the University network.
  6. Supported Software
    1. Use software for which updates are available when security vulnerabilities are discovered.
  7. Standard Account Login
    1. Day-to-day login should use a standard account, not an administrator account.
  8. Administrative Account Privileges
    1. End users with a legitimate university purpose may be granted a local administrative account with elevated privileges on a local machine. The privileged administrative account should be separate and unique from the end user's university account and should only be used for necessary administrative tasks. This privileged administrative account should have limited access to network shares or servers whenever possible.
  9. Inactivity Timeout
    1. An inactivity timeout/lockout of no more than fifteen (15) minutes must be enabled on all devices, requiring a password, passcode, or biometric authentication to unlock the device.
  10. Whole Disk Encryption
    1. Encryption of local hard drives, storage devices, external hard drives, and portable devices storing or processing university data is recommended. BitLocker (Windows) and FileVault (macOS) are recommended.
  11. Device Procurement and Setup
    1. All university-owned devices must be procured and set up by departmental IT or central ITS staff to ensure consistent configuration and security baselines.
  12. Secure Disposal and Re-use Procedures
    1. Disposal must follow University e-waste procedures and storage media must be certified as destroyed.
    2. For devices intended for re-use, hard drives and storage must be securely erased by IT staff using a method consistent with the NIST SP 800-88 media sanitization guidelines, and the device reimaged.
  13. PII Scanning
    1. Devices will be scanned for PII to meet policy and legal requirements.
  14. Remote Access
    1. Remote Desktop Protocol (RDP) access should be disabled by default. It should only be enabled if there is a clear business requirement.
    2. Remote access is only allowed with ITS-supported RDP and SSH methods.

Additional Security Standards for Endpoints with High Risk Data (Data Classification Level 4 Restricted and above):

  1. Application Allowlisting
    1. Only approved software applications are permitted to run on the device, preventing the execution of unauthorized software, including malware.
  2. Vulnerability Management
    1. Endpoints will be scanned to identify security risks.

The above are the minimum standards. In special cases, stricter endpoint standards may be necessary due to Data Use Agreements, Federal and State laws, and/or SUNY and local regulations.
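The following is an added example, not part of the policy or of any ITS tooling: a read-only PowerShell audit that checks one Windows endpoint against the minimum standards above (patching, firewall, endpoint security, supported OS, administrative accounts, inactivity timeout, whole disk encryption, and RDP). It uses only standard Windows cmdlets and registry keys. Three values are assumptions and are marked as such in the script: the members permitted in the local Administrators group, the OS build treated as the support floor, and Microsoft Defender standing in for whichever endpoint security product the university has approved. macOS equivalents (FileVault, the application firewall, Remote Login) are not covered here.

```powershell
# Added example (not part of the policy): read-only audit of a Windows endpoint
# against the minimum endpoint standards. Run from an elevated PowerShell
# session; it prints a table and exits non-zero if any standard is not met.

$MaxIdleSeconds    = 900                                 # Inactivity Timeout: 15 minutes
$ApprovedAdmins    = @('Administrator', 'Domain Admins')  # ASSUMPTION: allowed local Administrators members
$MinSupportedBuild = 22000                                # ASSUMPTION: Windows 11 or later counts as supported

$Findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding {
    param([string]$Standard, [bool]$Compliant, [string]$Detail)
    $Findings.Add([pscustomobject]@{ Standard = $Standard; Compliant = $Compliant; Detail = $Detail })
}

# Security Patching: Windows Update service not disabled, and automatic updates
# not switched off by policy (NoAutoUpdate = 1 turns them off).
$wu = Get-Service -Name wuauserv
$au = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
$patchOk = ($wu.StartType -ne 'Disabled') -and -not ($au -and $au.NoAutoUpdate -eq 1)
Add-Finding 'Security Patching' $patchOk "wuauserv=$($wu.StartType); NoAutoUpdate=$($au.NoAutoUpdate)"

# Firewall: every profile enabled with inbound connections blocked by default.
$profiles = Get-NetFirewallProfile
$bad = @($profiles | Where-Object { $_.Enabled -ne 'True' -or $_.DefaultInboundAction -ne 'Block' })
Add-Finding 'Firewall (default deny)' ($bad.Count -eq 0) (($profiles | ForEach-Object { "$($_.Name)=$($_.Enabled)/$($_.DefaultInboundAction)" }) -join ' ')

# Endpoint Security: real-time protection on and signatures no older than a week.
# ASSUMPTION: Microsoft Defender is queried; substitute the approved agent's own
# status command if a different product is deployed.
$mp = if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) { Get-MpComputerStatus } else { $null }
$edrOk = [bool]($mp -and $mp.RealTimeProtectionEnabled -and $mp.AntivirusSignatureAge -le 7)
Add-Finding 'Endpoint Security' $edrOk "RealTime=$($mp.RealTimeProtectionEnabled); SignatureAgeDays=$($mp.AntivirusSignatureAge)"

# Supported Operating Systems: compare the build number with the assumed floor.
$build = [System.Environment]::OSVersion.Version.Build
Add-Finding 'Supported Operating System' ($build -ge $MinSupportedBuild) "Build=$build"

# Standard Account Login / Administrative Account Privileges: list every member
# of the local Administrators group that is not on the approved list, for review.
$extra = @(Get-LocalGroupMember -Group 'Administrators' |
           Where-Object { ($_.Name -split '\\')[-1] -notin $ApprovedAdmins })
Add-Finding 'Administrative Account Privileges' ($extra.Count -eq 0) ($extra.Name -join ', ')

# Inactivity Timeout: either the machine inactivity limit (security policy
# "Interactive logon: Machine inactivity limit") or a password-protected screen
# saver for the current user must lock within $MaxIdleSeconds.
$sys  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
$desk = Get-ItemProperty 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
$machineLimit = 0; [void][int]::TryParse([string]$sys.InactivityTimeoutSecs, [ref]$machineLimit)
$saverTimeout = 0; [void][int]::TryParse([string]$desk.ScreenSaveTimeOut, [ref]$saverTimeout)
$machineOk = ($machineLimit -gt 0) -and ($machineLimit -le $MaxIdleSeconds)
$saverOk   = (($desk.ScreenSaveActive -eq '1') -and ($desk.ScreenSaverIsSecure -eq '1') -and
              ($saverTimeout -gt 0) -and ($saverTimeout -le $MaxIdleSeconds))
Add-Finding 'Inactivity Timeout' ($machineOk -or $saverOk) "InactivityTimeoutSecs=$machineLimit; ScreenSaver=$($desk.ScreenSaveActive)/$($desk.ScreenSaverIsSecure)/$saverTimeout s"

# Whole Disk Encryption: BitLocker protection on for the OS volume.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
Add-Finding 'Whole Disk Encryption' ($os.ProtectionStatus -eq 'On') "ProtectionStatus=$($os.ProtectionStatus); Method=$($os.EncryptionMethod)"

# Remote Access: RDP connections denied unless there is a documented need.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
Add-Finding 'Remote Access (RDP disabled)' ($ts.fDenyTSConnections -eq 1) "fDenyTSConnections=$($ts.fDenyTSConnections)"

$Findings | Format-Table -AutoSize
if (@($Findings | Where-Object { -not $_.Compliant }).Count -gt 0) { exit 1 }
exit 0
```

The script reports, it does not remediate; a non-zero exit lets it be wired into a scheduled task or an endpoint management compliance check. The inactivity check reads the current user's screen saver settings from HKCU, so run it in the context of the user whose session is being audited, or rely on the machine-wide InactivityTimeoutSecs policy, which applies to every session.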

This policy and its standards will be reviewed at least once a year and revised as necessary or re-confirmed as is.

Scope

All endpoint devices that are owned by the university are subject to this policy. 

Additionally, the standards in this policy are recommended for endpoint devices that are not owned by the university but connect to the university network.

Procedure

ITS will apply the standards in this policy to all endpoint devices it manages, rolling them out gradually until all are compliant. Some of the standards are established as guidelines; they will be enforced as they are tested and ready for full distribution.

Divisions and departments that are self-supported are required to follow the same process. ITS will provide information and consulting as necessary.

In certain cases, it may be necessary to make exceptions to the standards specified in this policy. The Chief Information Security Officer of the university will make the final decision in those cases.

Revision and Approval History

Date        Description                                                                                                   Responsible Party
8/29/2023   Approved by Senior Officers Group                                                                             Information Technology Services
9/29/2025   Added 5-level data classification model and additional security standards. Approved by Senior Officers Group on 9/29/2025.   Information Technology Services