Responsible Administrator(s):
Responsible Office(s):
Originally Issued: November 2012
Revision Date: November 2022

Statement of Purpose

The purpose of this policy is to:

  • Maintain a safe and secure campus computing environment;
  • Meet best practice computer security standards; 
  • Protect institutional data; and
  • Comply with federal and state regulations.

Entities Affected by this Policy

Entities affected by this policy include anyone who uses a university-issued computer, as well as anyone who transmits, stores, or accesses institutional data on any endpoint.

Who Should Read this Policy

Anyone who uses a university-issued computer, as well as anyone who transmits, stores, or accesses institutional data on any endpoint should read this policy.

Policy

To protect the security and integrity of the campus computing environment, all university-issued computers must:

  • Require valid credentials (e.g., username and password, biometric, etc.) to allow access;
  • Have current antivirus software installed with up-to-date virus definitions; 
  • Have up-to-date operating systems that are consistent with the levels approved by the Office of Information Technology;
  • Be set to require a password after a period of inactivity; and
  • Be encrypted using university-approved encryption solutions. All computers that meet the technical requirements of the university-provided encryption key management solution must be enrolled in that solution. 

All institutional data with a categorization of “Internal” or “Restricted” residing on any endpoint or removable media must be encrypted.

Users must log into computers and perform job-related tasks using the minimum level of privilege required for those tasks. Users may elevate privileges to complete tasks requiring administrative access (e.g., install software, install printers) using a mechanism approved by the Office of Information Technology. 

Refer to the webpage, , for additional information, including how to request an exception to this policy.

Related Information

University Policies

Links

Definitions

Administrative Access

Refers to accounts with the ability to modify computer hardware and operating system settings, which are above the level of a regular user's abilities on the given system. Some systems may refer to this as “root”, “administrator”, or “elevated” access.

Computer

Any university-issued desktop or laptop, listed as property of 51ԹϺ/NSHE on the university inventory list, regardless of whether the desktop or laptop is properly labeled or tagged as such.

Endpoint

Any end-user device that stores, processes, or transmits data. Examples include, but are not limited to, desktops, laptops, tablets, and smartphones.

Institutional Data

Any data element, or collection of such elements, that is:

  1. relevant to the management, oversight, or planning function of an administrative or academic unit within the university
  2. included in an official university-, college-, department-, or program-level administrative report or
  3. used to derive or is derived from an element, or collection of elements, that meets either or both of the criteria above

Additional details regarding institutional data can be found in the Institutional Data Governance and Management Policy (/DZ/ԲپٳܳپDzԲ-岹ٲ-DZԲԳ-Ի-Բ…). Definitions of “Internal” and “Restricted” data can be found in the ().

Period of Inactivity

To be determined by individual units but length of time not to exceed 15 minutes.

Removable Media

A system component that can communicate with and be added to or removed from a system or network and that is limited to data storage - including text, video, audio or image data - as its primary function (e.g., optical discs, external or removable hard drives, external or removable solid-state disk drives, magnetic or optical tapes, flash memory devices, flash memory cards, and other external or removable disks).