103 Information Security Device Management
The following table shows who is responsible for ensuring compliance with the policy requirements listed below.
| Requirement | All Users | Personal Device Users | Users with Access to Protected Data |
|---|---|---|---|
| All computers and devices that access university networks, services, systems, and data must have basic security features enabled (p. 2). | ✔ | ✔ | ✔ |
| Devices should be encrypted in accordance with Standard 213: Information Security Encryption (p. 2). | ✔ | ✔ | ✔ |
| Only devices that are encrypted and receive vendor updates and patches should connect to the WashU network (p. 3). | ✔ | ||
| Meet CIS Benchmarks recommendations for Windows and Mac devices. Other vendor devices are acceptable only if they meet these recommendations (p. 3). | ✔ | ||
| Do not use computer operating systems beyond the manufacturer end-of-life date or submit an exception request documenting compensating controls and a replacement strategy (p. 3). | ✔ | ✔ | |
| Avoid storage of Protected Data and Information on personal devices. If Protected Data and Information must be stored on a personal device, it must be protected by encryption (p. 3). | ✔ | ✔ | ✔ |
| Ensure the device is up to date on all patches and antivirus definitions (p. 3). | ✔ | ✔ | ✔ |
| Never connect to the university network using unsecured or public Wi-Fi (p. 3). | ✔ | ||
| Always use WashU’s VPN service when connecting to the WashU campus network from remote locations (p. 3). | ✔ | ||
| Media that store WashU data must be protected from unauthorized access, change, and destruction (p. 3). | ✔ | ✔ | ✔ |
Summary of Policy
The policy outlines the security expectations for all devices (e.g., laptops, mobile phones, thumb drives, external hard drives, etc.) that access WashU information resources or store WashU data. The policy provides:
- Direction for personal device users
- Specific information for devices containing or accessing Protected Information
- A reference to Standard 203: Information Security Universal Device Management for additional information about securing media that store WashU data
Full Text of Policy
Policy 103 Information Security Device Management
This policy outlines the security expectations for all devices (e.g., laptops, mobile phones, thumb drives, external hard drives, etc.) that access WashU information resources or store WashU data.
Related Information
108 Information Security Requests to Access User Content
This policy describes how the Office of Information Security (OIS) handles requests for access to content created by active or former WashU Community members.
112 Information Security Acceptable Use
This policy outlines expectations for the appropriate use of WashU-provided information resources, ensuring that all WashU Community members understand their responsibilities.
200 Information Security Classification, Labeling, and Handling
This standard defines classification categories and control zones for data, information, and systems at Washington University in St. Louis (WashU).
203 Universal Device Management
DRAFT This standard is designed to mitigate risk, protect sensitive data, and maintain the overall security posture of Washington University in St. Louis (WashU) by ensuring all devices used for university activities are properly configured, secured, and maintained.
205 Information Security Risk Management
DRAFT This standard supports Policy 105: Information Security Risk Management by providing a detailed framework for identifying, assessing, mitigating, and managing security risks to the university.