Please refer to the University of Colorado’s Administrative Policy Statement (APS) 6005 IT Security Program and System-wide Baseline Security Standards which apply to all individuals who access or control CU Boulder information technology resources.
This standard identifies the minimum requirements for all University-owned computers (“university computers”) to ensure the integrity and security of University data and the shared information technology environment, including networks, services, and systems.
All university computers used by faculty, staff, students, or other Authorized Individuals must meet this Standard, regardless of manufacturer, function of the system, or location. These actions are necessary to ensure resource availability, reinforce the University's security and compliance posture, and protect the confidentiality of data assets.
The following IT capabilities must be met to ensure consistent application of protections and adherence to the CU baseline security standards, provide visibility into campus threats, and support incident response. At all times university computers must:
- Run current, supported software. The use of out-of-date operating systems or software that is not being actively updated and is considered end of life is prohibited.
- Be enrolled in Microsoft Endpoint Configuration Manager (Windows computers) or Jamf (Mac computers).
- Be encrypted with whole disk encryption.
- Run Microsoft Defender for real-time scanning to prevent, detect, and remove malware or potential vulnerabilities.
- Gather and send hardware and software information to central inventory for vulnerability tracking, network identification, and audit preparedness.
- Use OIT supported and approved enterprise cloud storage solutions to back up and protect University data from loss.
- Have the campus public safety emergency notification client installed to ensure timely awareness of campus incidents.
More information about the OIT supported and approved applications associated with the computer requirements listed above can be found on the OIT website.
University employees and authorized individuals who are unable to meet all components of the standard must apply to OIT for a computer exception. If a compelling business reason exists, exceptions to standards may be granted by the Provost and Executive COO in consultation with the Sr. AVC/CIO.
University computers subject to specific data protections (e.g., federal regulations, data use agreements) that exceed the requirements identified within this Standard must meet whichever controls are more stringent.
University computers not capable of meeting the requirements identified in this Standard must work with OIT Information Security to determine the appropriate compensating security controls for such computers. Should a computer be identified as high risk to the University network, it must be removed.
Administration and Enforcement
Computers that do not meet the campus certified computer standards may pose a risk to the CU Boulder campus and its data. Per the Acceptable Use Policy, the Chief Information Officer or Information Security Officer may suspend a computer’s and/or an end-user's access to the campus network or any campus computing resources when it reasonably appears necessary to preserve the integrity, security, or functionality of campus computing resources.
Authorized Individuals: This includes those in roles such as:
- Person of Interest (POI): an individual affiliated with the university but not paid as an employee who is granted an IdentiKey for official university needs.
- Sponsored Affiliate: an individual affiliated with the university who is granted an IdentiKey for official university needs when an HR appointment, including POI, is not a possibility.
End of life: A designation by the vendor when a product is unable to be supported and should be replaced. This generally occurs when the operating system is no longer supported, and the hardware cannot support a new operating system.
University data: Official information of the institution, including but not limited to university work products, results, materials, records, or other information developed or produced with university goods, funds or services. University information encompasses all information created by the university, including information classified as private or restricted. Examples include university web site content, schedules of courses, requests for proposals, policies and guidelines, personnel records, electronic communications, student data, and patient data.
University-owned computer: Any computer that was purchased with University funds used by faculty, staff, students, Persons of Interest (POIs) and sponsored affiliates to access information technology resources, including laptops, desktops, tablets or mobile phones. This does not include printers, removable storage, or Internet of Things (IoT) devices and sensors.
Sr. AVC for OIT and CIO
July 15, 2022