Desktop and Laptop Security

  • Procedure Type: Information Technologies
  • Procedure Title: Desktop and Laptop Security
  • Procedure Number: NA
  • Office Responsible: Information Technologies
  • Related Policies: Information Security & Acceptable Use
  • Related Procedures: NA
  • Related Laws: NA
  • HLC Criterion: NA

Objective
In accordance with the Information Security and Acceptable Use Policy, all OCC-owned desktop and laptop computers must comply with the following procedure.

Additional notes on applicability:

    • Computers that are providing shared resources via the network and are best described as servers should follow the Procedure for Servers.
    • Desktops that are used offsite have a risk profile similar to laptops and should follow the requirements for laptops detailed below.
    • Computers used to store or process HIPAA, PCI, or other Confidential Data may require additional security protection beyond this procedure.

Scope
This procedure applies to all desktop and laptop computers owned or managed by OCC. 

Operating System
Operating system software must be a licensed and supported version of Microsoft Windows, Apple Mac OS X, Linux, or other UNIX variants. For Microsoft Windows, Windows 10 Enterprise is recommended and Windows 7 Enterprise may be used only for application compatibility; other versions and editions of Microsoft Windows are not recommended. For Apple OS X, Apple typically supports the current version and one previous version. For Linux and UNIX, any commercially or community supported version is acceptable.

Naming Conventions
The standard naming convention for employees should include the campus identifier followed by the employee ID. For example, a computer belonging to Jane X Smith located at the Auburn Hills Campus would be assigned the name “AH-JXSMITH”.
The standard naming convention for student-use PCs should include the campus identifier followed by the building, room, and a unique sequential identifier. For example, computers located at Auburn Hills building C, room 209 would be assigned names such as “AHC209-01”, “AHC209-02”, etc.

DNS Registration
All computers must be registered with the OCC Domain Name Service (DNS) network addressing system in order to properly communicate on the OCC wired network. It is recommended that a static address reservation be used to promote consistent records. For systems that connect solely to a segmented network managed by local school or department personnel, registration is recommended but not required.

Domain Membership
Participation in the Microsoft Windows Active Directory domain (oaklandcc.edu) allows convenient access to shared resources, ease of authentication, and automated policy settings. When feasible, computers should be joined to the domain. If a computer cannot be joined to the domain, the following security controls must be applied manually:

    • OS Patch Updates: Automatic installation of the latest security patch updates on a weekly basis must be enabled.
    • Access Control: Built-in system accounts, such as Administrator and Guest, should be disabled if not used and must not have blank or default passwords. All users must gain access with unique login credentials, and passwords should meet complexity requirements comparable to those required for OCC’s EID.
    • Privilege Elevation: Systems should be configured to require confirmation before administrative functions are executed.

Workstation Configuration
All workstations must be configured with the following:

    • System Logon Banner: The computer must be configured to display the OCC Technology Appropriate Use Regulations (TAUR) policy, which must be accepted before access to the computer system is granted.
    • Screensaver Lock: Users must lock their workstation immediately before leaving it unattended. The computer must be configured with an automatic screensaver lock that requires re-authentication after not more than 15 minutes of inactivity.
    • Log Retention: The system must be configured to retain logs for a minimum of 90 days to facilitate troubleshooting and support investigations.
    • Local Admin Privileges: Restricted to support staff unless permission is granted via a request through the IT department for the purpose of fulfilling job requirements.
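The following PowerShell script is an added example, not part of the OCC procedure or its tooling. It performs a read-only audit of three of the controls above on a Windows workstation: the logon banner, the screensaver lock timeout (15 minutes), and log retention (90 days, checked against the Security log). The registry paths are the standard Windows policy locations; the 90% "log is full" threshold and the choice of the Security log as the one to check are assumptions made for this example.

```powershell
#Requires -RunAsAdministrator
# Added example (not OCC's own code): audit Workstation Configuration controls.
# Thresholds come from the procedure text; run as administrator because reading
# the Security event log requires it.

$MaxIdleSeconds   = 15 * 60   # screensaver lock: not more than 15 minutes
$MinRetentionDays = 90        # log retention: at least 90 days
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Test-LogonBanner {
    # The interactive logon banner is two string values under the System policy
    # key; both must be non-empty for Windows to show a banner before logon.
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $ok = -not [string]::IsNullOrWhiteSpace($p.legalnoticecaption) -and
          -not [string]::IsNullOrWhiteSpace($p.legalnoticetext)
    $detail = if ($ok) { $p.legalnoticecaption } else { 'legalnoticecaption/legalnoticetext not set' }
    [PSCustomObject]@{ Control = 'Logon banner'; Compliant = $ok; Detail = $detail }
}

function Test-ScreenLock {
    # Either enforcement path satisfies the control: the per-user screen saver
    # policy (active, password-protected, timeout <= limit) or the machine-wide
    # "Interactive logon: Machine inactivity limit" setting.
    # Note: the HKCU check only reflects the user running this script.
    $ss = Get-ItemProperty 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop' -ErrorAction SilentlyContinue
    $ssTimeout = [int]$ss.ScreenSaveTimeOut
    $ssOk = $ss -and $ss.ScreenSaveActive -eq '1' -and $ss.ScreenSaverIsSecure -eq '1' -and
            $ssTimeout -gt 0 -and $ssTimeout -le $MaxIdleSeconds
    $sys = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $limit = [int]$sys.InactivityTimeoutSecs
    $limitOk = $limit -gt 0 -and $limit -le $MaxIdleSeconds
    $detail = "ScreenSaveTimeOut=$ssTimeout s, InactivityTimeoutSecs=$limit s"
    [PSCustomObject]@{ Control = 'Screensaver lock'; Compliant = ($ssOk -or $limitOk); Detail = $detail }
}

function Test-LogRetention {
    param([string]$LogName = 'Security')
    # There is no single "retain 90 days" switch; instead measure how far back the
    # log actually reaches. A circular log that is already (nearly) full and whose
    # oldest record is younger than 90 days is overwriting events too quickly.
    $log    = Get-WinEvent -ListLog $LogName
    $oldest = Get-WinEvent -LogName $LogName -MaxEvents 1 -Oldest
    $spanDays = [math]::Round(((Get-Date) - $oldest.TimeCreated).TotalDays, 1)
    $full = $log.FileSize -ge (0.9 * $log.MaximumSizeInBytes)   # 90% = assumed "full"
    $ok = -not ($log.LogMode -eq 'Circular' -and $full -and $spanDays -lt $MinRetentionDays)
    $detail = "$LogName covers $spanDays days, mode=$($log.LogMode), max=$([int]($log.MaximumSizeInBytes/1MB)) MB"
    [PSCustomObject]@{ Control = 'Log retention'; Compliant = $ok; Detail = $detail }
}

$results = @(Test-LogonBanner; Test-ScreenLock; Test-LogRetention)
$results | Format-Table -AutoSize
if ($results.Compliant -contains $false) { exit 1 }   # non-zero exit for fleet tooling
```

The script exits non-zero when any control fails, so it can be scheduled from PDQ or a similar tool and the exit code collected. A log that is not yet full but spans fewer than 90 days is reported as compliant with its current span in the detail column, because the check cannot tell what the retention will be once the log fills.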

Patching
All applications must be at least at version n-1. Security patches must be installed in a timely manner, depending on the likelihood and impact of vulnerability exploitation, at least within 14 days of release.

Remote Access
Remote access to a desktop or laptop computer must only be achieved through an encrypted service sanctioned by IT. For example, Citrix Access is permissible, while freeware such as RealVNC downloaded from the Internet is considered unsafe. SSH is permissible, while telnet is considered unsafe because it is natively clear text. VPN clients may be used only on OCC-issued equipment to access OCC internal devices.

Locally Installed Applications
All installed applications must be at least at version n-1. Security patches must be installed in a timely manner, depending on the likelihood and impact of vulnerability exploitation, at least within 7 days of release.

Software Agents
Computers must run the following security agents where compatible:

  • ESET Endpoint Protection, for malware defense
  • PDQ or WSUS, for simplified patching including third-party applications

Backups
If data is stored locally on the workstation or laptop, copying data with value to OCC to network storage is recommended as frequently as necessary to sustain job responsibilities.

Data Restrictions
Full-disk encryption is required for all laptops, regardless of age or operating system, where the employee’s responsibilities include handling confidential, FERPA, HIPAA, or PII data, or where the employee has financial approval authority for purchasing or payments.

No unlicensed applications or unauthorized copyrighted content (software, music, video, pictures, etc.) shall be loaded on the system. Pursuant to the Digital Millennium Copyright Act (DMCA), the device shall not be used to stream illegally obtained content to or from the device.

Data Removal
Users are required to remove College Data from any device before giving it to a third party for maintenance, re-use, or trade-in. Devices may also be subject to remote wiping by authorized College personnel in the event that the owner’s affiliation with OCC ends, the device is lost or stolen, or at the direction of IT to contain an incident. Users are responsible for the data from their business area and must remove all business data from their device before it is surrendered for replacement or re-use. Warehouse staff will follow their written procedures to remove all OCC data from devices before salvage.

Software-Based Firewall
Laptops must be configured to enable software-based firewall functionality when connected to non-OCC networks. AD group policy will control firewall configurations on attached Windows devices.
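As an added example (not OCC's own tooling), the PowerShell below checks the firewall requirement on a Windows laptop. It assumes the Domain profile is governed by AD group policy as the text states, so it audits only the Private and Public profiles, which are the ones Windows applies when the laptop is on a non-OCC network, and it reports which profile the current connection is using so a reviewer can see whether the device is off the domain network right now.

```powershell
# Added example (not OCC's own code): audit the Software-Based Firewall control.
# Domain profile is left to AD group policy; Private and Public are the profiles
# in effect on non-OCC networks, so both must have the firewall enabled.

function Test-NonDomainFirewall {
    $profiles = Get-NetFirewallProfile -Name Private, Public
    foreach ($p in $profiles) {
        # Enabled is a tri-state (True / False / NotConfigured); only True counts.
        $enabled = ("$($p.Enabled)" -eq 'True')
        [PSCustomObject]@{
            Profile              = $p.Name
            Enabled              = $enabled
            DefaultInboundAction = $p.DefaultInboundAction   # informational
            Compliant            = $enabled
        }
    }
}

function Get-CurrentNetworkCategory {
    # DomainAuthenticated = on the OCC domain network; Private/Public = non-OCC.
    Get-NetConnectionProfile | Select-Object InterfaceAlias, Name, NetworkCategory
}

$fw = @(Test-NonDomainFirewall)
$fw | Format-Table -AutoSize
Get-CurrentNetworkCategory | Format-Table -AutoSize
if ($fw.Compliant -contains $false) { exit 1 }   # non-zero exit for fleet tooling
```

If the check fails on a device that is not receiving the domain policy, `Set-NetFirewallProfile -Name Private, Public -Enabled True` restores the required state; on domain-joined laptops the corrective action belongs in the group policy object rather than on the individual machine.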

Physical Security
Desktop and laptop computers may use cable locks to deter physical theft. When traveling, laptops should not be left unattended in public areas and should be stored in a manner that prevents observation by potential thieves, such as inside the trunk of a car or within a hotel safe.

Logical Security
Device tracking must be enabled on all OCC laptops whose operating system provides that feature.

Exemptions
In the event that compliance with this desktop and laptop procedure cannot be met, please contact itsecurity@oaklandcc.edu to submit an exemption request, which will be approved or denied by IT. Denied exemption requests may be appealed to the CIO for a final decision.

Change Log

  • 07-01-2018  Effective date
