Information Security

Specialized Use Device Standard

Last modified 8/9/2024

Purpose

The purpose of this standard is to establish clear guidelines and requirements for the secure configuration, management, and operation of specialized use endpoint devices within the University. These devices, tailored for specific tasks or functions, often have unique operational requirements that may limit the implementation of standard security controls. This standard aims to address these challenges by defining specific security measures that maintain the integrity, confidentiality, and availability of University data and resources. It supports the University's overall information security objectives and compliance with relevant regulations and policies.

Scope

This standard applies to all specialized use endpoint devices owned or operated by or on behalf of the University, including but not limited to digital signage, point-of-sale solutions, public kiosks, auto-logon computers, print release stations, and work order tablets. These devices are characterized by their specific configurations and limited functionalities, which are designed to fulfill distinct operational roles.

This standard is relevant to all University departments and units that manage or use specialized use endpoint devices, providing a structured approach to mitigate security risks and support the University's secure operational environment.

This standard does not apply to any devices that fall within scope of compliance for Health Insurance Portability and Accountability Act (HIPAA), Criminal Justice Information Services (CJIS), and Payment Card Industry Data Security Standard (PCI DSS).

Standard

Specialized use endpoints must meet the following criteria:

  1. Device must:
    1. Have an identified and documented functional owner for the specialized use.
    2. Be managed and supported directly by a University IT team or through a partnership between a vendor and the IT team.
    3. Be registered and actively managed in one or more of the University's configuration management systems or a vendor system.
    4. Have a detailed, documented description of the device’s specialized use, including connected systems and an explanation of the data accessed, used, stored, or otherwise processed.
  2. Device configuration must:
    1. Limit enabled and running ports, protocols, and services to only those necessary for the device's specialized use.
    2. Restrict privileged device access to only the IT staff responsible for supporting the device.
    3. Enforce the installation and operation of Microsoft Defender for Endpoint on all supported platforms.
    4. Enforce drive encryption wherever any Restricted or Highly Restricted data will be accessed or otherwise processed.
    5. Enforce automated and continuous patch management for the operating system and all installed software.
    6. Limit user functionality to only what is necessary for the device's specialized use.
    7. Utilize available user interface modes, such as kiosk mode, single app mode, and replacement shell, where applicable and available.
    8. Require a Basic Input Output System (BIOS) password when the device provides such functionality.
  3. Installed software must:
    1. Be appropriately licensed and under active support by the vendor.
    2. Be limited to what is necessary for the specialized use of the device.
  4. Device access mechanisms (e.g., passwords, passphrases, PINs, etc.) must:
    1. Comply with the 9.2.2 Password Procedure to the extent supported by the device.
    2. Utilize the maximum-supported length/complexity when unable to meet the 9.2.2 length/complexity requirements.
    3. Utilize the shortest-supported lockout count (may result in no lockout policy) when unable to meet the 9.2.2 lockout requirements.
    4. Be strictly limited to the associated devices when the mechanism is locally stored in a manner known to be insecure (e.g., unencrypted data in the Windows registry).
    5. Be registered and tracked in an appropriate secrets management system when it enables local administrator privileges on the device.
  5. Shared user accounts used to access services behind Central Login or connect to wireless must:
    1. Have a 9.2 Appropriate Use Policy exception request reviewed and approved by the Chief Information Security Officer.
    2. Be configured to only permit authentication when used on the associated device and to the services necessary for the specialized use.
  6. Network segmentation must be utilized whenever feasible to reduce the risk to the network should the device be compromised.
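The configuration items above (2.1 through 2.5, 2.7 and 4.3) can be spot-checked on a Windows specialized use device before it is placed into service. The following self-check script is an added example for this page, not a tool provided by the University or the Information Security Office. It assumes a Windows 10/11 device with BitLocker, Microsoft Defender and the AssignedAccess module available, and the two allowlists at the top (permitted listening ports and permitted local administrators) are placeholders that must be replaced with the values from the device's documented specialized use description (item 1.4).

```powershell
# Added example: compliance self-check for a Windows specialized use endpoint.
# Not part of the standard; run in an elevated PowerShell session on the device.
# The two allowlists below are PLACEHOLDERS: fill them from the device's
# documented specialized use description (Standard item 1.4).

# Placeholder: listening TCP ports the documented specialized use actually needs.
$AllowedListeningPorts = @(3389)
# Placeholder: accounts/groups permitted local administrator rights (item 2.2).
$AllowedAdmins = @("$env:COMPUTERNAME\Administrator", 'EXAMPLE\SpecialUse-IT-Admins')

$results = [ordered]@{}

# 2.1 Ports/protocols/services: report any non-loopback listener outside the allowlist.
$listeners = Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalAddress -ne '127.0.0.1' -and $_.LocalAddress -ne '::1' }
$unexpected = $listeners |
    Where-Object { $AllowedListeningPorts -notcontains $_.LocalPort } |
    ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        '{0}:{1} ({2})' -f $_.LocalAddress, $_.LocalPort, $p.ProcessName
    } | Sort-Object -Unique
$results['2.1 Unexpected listeners'] = if ($unexpected) { $unexpected -join '; ' } else { 'none' }

# 2.2 Privileged access: local Administrators group members outside the allowlist.
$extraAdmins = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $AllowedAdmins -notcontains $_.Name } |
    Select-Object -ExpandProperty Name
$results['2.2 Unexpected local admins'] = if ($extraAdmins) { $extraAdmins -join '; ' } else { 'none' }

# 2.3 Defender for Endpoint: AV real-time protection on, and the device onboarded
# to MDE (Sense service running and the onboarding state registry value set to 1).
$mp      = Get-MpComputerStatus
$sense   = Get-Service -Name Sense -ErrorAction SilentlyContinue
$onboard = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' -ErrorAction SilentlyContinue
$results['2.3 Defender real-time protection'] = $mp.RealTimeProtectionEnabled
$results['2.3 MDE Sense service running']     = [bool]($sense -and $sense.Status -eq 'Running')
$results['2.3 MDE onboarded']                 = ($onboard.OnboardingState -eq 1)

# 2.4 Drive encryption: BitLocker protection must be On for the system drive.
$bl = Get-BitLockerVolume -MountPoint $env:SystemDrive
$results['2.4 BitLocker protection on'] = ($bl.ProtectionStatus -eq 'On')

# 2.5 Patch management: days since the most recently installed update.
$lastFix = Get-HotFix | Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
$results['2.5 Days since last hotfix'] =
    if ($lastFix) { (New-TimeSpan -Start $lastFix.InstalledOn).Days } else { 'unknown' }

# 2.7 Kiosk mode: an Assigned Access (single app / multi-app kiosk) configuration exists.
$aa = Get-AssignedAccess -ErrorAction SilentlyContinue
$results['2.7 Assigned Access configured'] = [bool]$aa

# 4.3 Lockout: read the account lockout threshold from the local account policy.
$lockoutLine = (net accounts) | Where-Object { $_ -match 'Lockout threshold' }
$results['4.3 Lockout threshold'] = ($lockoutLine -split ':\s*')[-1].Trim()

$results.GetEnumerator() | Format-Table -AutoSize
```

Each row of the output maps to a numbered item of the standard, so the table can be attached to the device's documentation (item 1.4) as evidence of the check. Items the script cannot assess on its own, such as functional ownership, licensing, BIOS password and secrets-management registration, still need to be verified and recorded manually.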

Exceptions

While this standard is designed to be as applicable as possible, some devices meeting this standard's scope may be unable to comply with the full standard. Consult the Information Security Office (ISO) if the scope in this standard applies but one or more items in this standard cannot be met.

Requests for exceptions can be submitted via ticket direct to the AT Security Cherwell queue or by emailing informationsecurityoffice@ilstu.edu.

Definitions

Endpoint Device: Any laptop, desktop, tablet, smartphone, or similar end-user computing device used to conduct University work or process University data.

Specialized Use Endpoint Device: Any endpoint configured for specific tasks or purposes, often with restricted functionality tailored to a particular use case. Some examples include digital signage, point-of-sale solutions, public walk-up kiosks, auto-logon computers, or work order tablets.

Control: A security measure implemented to improve security and mitigate risks. This standard outlines the implementation of standard controls to provide appropriate security and risk mitigations for prevalent threats.

Configuration Management System: An IT system that manages a device's inventory, configuration, status, and reporting. Examples of such systems include System Center Configuration Manager (SCCM), Intune, JAMF, Ansible, and AirWatch.

Additional Resources

Endpoint Device Encryption Standard

9.2 Policy on Appropriate Use of Information Technology Resources and Systems

9.2.2 Password Procedure

9.8.1 Data Classification Procedure