
Device Configuration Standards

This document outlines device configuration standards for Northern Arizona University. It defines standards for three categories of devices: 1) University servers, 2) Endpoints like desktops and laptops, and 3) Personal devices. The standards are based on the university's data classification levels and are the minimum required to securely handle sensitive information. Configuration requirements vary depending on the data classification level, with more security controls needed for higher risk data.

Uploaded by

john

DEVICE CONFIGURATION MANAGEMENT

Effective Date: July 24, 2019


Last Revised: December 1, 2020

DEVICE CONFIGURATION STANDARDS


The capitalized terms used herein are defined in the Device Configuration Management policy.

Northern Arizona University owns, controls, or acts as custodian for a broad array of information, including
Sensitive Information protected by law or regulation. Maintaining the integrity of this data and the information
systems where it is stored is an important obligation. To support this crucial task, the University has established
the device configuration standards outlined in this document. These standards apply to three separate
categories of devices, which are: a) University servers; b) University desktops, laptops, tablets, and all other
mobile computing devices (collectively referred to as “Endpoints”); and c) all types of non-University computing
devices (collectively referred to as “Personal Devices”).

These device configuration standards are an adjunct of the University’s Device Configuration Management
policy. They are revised or updated as appropriate by the Chief Information Officer and are based on the four
data classifications described in the University’s Data Classification and Handling policy, which are:

• Level 1 Public Data – Very Low Risk
• Level 2 Internal Data – Low Risk
• Level 3 Sensitive Data – High Risk
• Level 4 Highly Sensitive Data – Very High Risk

In accordance with the Data Classification and Handling policy, all University Community Members and units
wherever located are required to classify all University data within their care and to implement the appropriate
device configuration standards as outlined below. Contact the appropriate Data Steward, the Chief Institutional
Data Officer, or Information Technology Services with questions or to request assistance with appropriate
classification of specific data types and to implement the most appropriate methods of protection.

These device configuration standards represent the minimum baseline approach for protecting and securely
handling Sensitive Information on the University’s servers, Endpoints, and non-University Personal Devices that
connect with the University’s information systems or networks and/or the network equipment itself for the
purpose of conducting official University business. In special circumstances, such as when a data type is subject
to special legal or regulatory control (e.g., health, financial, or research information) additional controls may be
necessary or advisable. Contact the Chief Information Officer or Information Security Services for assistance
with such situations.

To apply the appropriate device configuration standard:

1. Jump to the appropriate device category below depending on whether you are configuring a server, an
Endpoint, or a Personal Device. For servers, also review the server security standards. For network
equipment, look for configuration standards within the server categories: all data classifications
traverse the network through these devices, so they should follow similar standards, especially
for Level 4 Highly Sensitive Data.

2. Identify the appropriate data classification level that applies from the four categories delineated above
(the Data Classification and Handling policy provides additional guidance on proper classification of
data). If multiple data levels are present, select the highest applicable classification.

3. Use the matrices that follow to identify each device configuration standard. Based on the “R” for
“recommended” or “M” for “mandatory” indicators, apply the appropriate configuration standard.

Information Technology / Device Configuration Management Page 1 of 10


In the “Description” column, links are provided to any applicable Information Security Standard or to other
relevant or helpful information. View the Information Security policy for more information about the University’s
Information Security Standards.

SECTION I. – SERVER CONFIGURATION STANDARDS

| Device Configuration Standard | Description | Level 1 | Level 2 | Level 3 | Level 4 |
| --- | --- | --- | --- | --- | --- |
| Physical Protection (applies to networking devices) | Secure Data Center Physical Security | | | | |
| | Server protected by physical access controls | R | R | M | M |
| | Server hosted in an approved ITS facility with access monitored, logged, and limited to authorized individuals only | R | R | M | M |
| Software Patching (applies to networking devices) | Patch Management | | | | |
| | Keep all software up to date on a regular and consistent schedule as identified in the URL above, especially high or critical severity patches | M | M | M | M |
| | Test and validate security patches before deployment to production environments | R | M | M | M |
| Malware Protection | Install anti-virus software on eligible servers | M | M | M | M |
| | Update anti-virus software daily | M | M | M | M |
| Media Disposal (applies to networking devices) | Records Management | | | | |
| | Follow industry standards for secure wiping – deleting or reformatting media is not sufficient – prior to transfer or removal | R | R | M | M |
| | Research data must be approved by the Office of the Vice President for Research before it may be transferred (Level 3 and 4 data) | R | R | M | M |
| Encryption (applies to networking devices) | Stored data should be encrypted (required for Level 4 data) with full-disk encryption | | | | |
| | Transmission of data should be encrypted (required for Level 4 data) | R | R | R | M |
| | Where TLS/SSL certificates are used, only secure protocols and cipher suites must be used and the certificate must be signed by a well trusted authority such as Sectigo/Incommon or Let's Encrypt or a centrally managed locally trusted CA | R | R | R | M |
| | Invalid certs should never be used | | | | |
| Backup and Recovery | Data Backup and Disaster Recovery | | | | |
| | Backup to a CIO-approved solution is mandatory | M | M | M | M |
| | Encryption of Level 4 data backups is mandatory | R | R | R | M |
| Access Controls (applies to networking devices) | Access should be provisioned based on the level of need with least-privilege as the guiding principle | R | R | M | M |
| | Approval from a manager or data steward should be obtained and documented | R | M | M | M |
| | Access is reviewed regularly (annually at minimum) and should be terminated when no longer needed | R | M | M | M |
| | Access should be via unique account per individual and all University Community Members must comply with the Appropriate Use of Information Technology Resources policy | R | M | M | M |
| Remote Access (applies to networking devices) | Remote Access should be restricted to a local network, a secure VPN group, SSH, or bastion host | R | M | M | M |
| | Requires multi-factor authentication | R | R | R | M |
| Activity Logging (applies to networking devices) | Auditing, Logging, and Monitoring | | | | |
| | Activity logging and monitoring should be enabled and follow the standards outlined in the above URL | R | R | M | M |
| Firewall (applies to networking devices) | Network firewalls must be configured to block ports following a default “deny-all” rule for inbound traffic, except those necessary for running the services required by the server role | R | M | M | M |
| | Host based firewalls must be enabled and configured to block ports following a default “deny-all” rule for inbound traffic, except those necessary for running the services required by the server role | R | M | M | M |
| Change Management (applies to networking devices) | Enterprise System Change Management | | | | |
| | Change management controls will be implemented, followed, and documented for the University’s IT Resource production environment | M | M | M | M |
| Vulnerability Management (applies to networking devices) | Vulnerability Management and Scanning | | | | |
| | All servers attached to University’s network will be scanned on a regular and consistent schedule as identified in the Vulnerability Management and Scanning Information Security Standard and must follow remediation plans as outlined | M | M | M | M |

SECTION II. – SERVER SECURITY STANDARDS


The server security standards outlined below represent the minimum allowable baseline for the protection and
secure handling of Sensitive Information on all computer servers owned by the University or operated on the
University’s behalf, wherever located. Additional controls as determined by the Chief Information Officer acting
through the Director of Information Security may be necessary or advisable in special circumstances, such as
when a data type is governed by applicable law or regulations (e.g., health, financial, or research information).
Contact the Chief Information Officer or Information Security Services to request assistance or for more
information regarding such situations or these server security standards.

A. Ownership and Responsibility

All servers shall be managed by an individual or team of qualified System Administrators who shall be
responsible for the system’s proper configuration in accordance with the standards outlined in this or other
relevant or applicable policy documents. The responsible System Administrators shall establish and maintain
appropriate server configuration baselines and protocols that reflect and respond to the server’s purpose and
business function. Information Security Services shall review these materials periodically as necessary or
appropriate. System Administrators are responsible for establishing and administering set processes for
maintaining and updating their server configuration baselines and protocols, and for documenting their server
configurations and any approved exceptions or alternative security controls. Specifically, System Administrators
are responsible for documenting the following information for each server they administer:

• Server contact(s) and physical location
• Network address and hostname(s)
• Operating system version
• Software packages – name, vendor, version
• Description of server primary functions, roles, services
• Data levels stored, transmitted, or processed

B. General Configuration Requirements

In addition to the Information Security policy and its ancillary set of Information Security Standards, all System
Administrators are responsible for assuring the following general configuration requirements:

• Services and applications not in use must be disabled where practical
• Default passwords must be changed
• Access to services must be protected through appropriate access control methods
• Logging and auditing must occur in accordance with the Auditing, Logging, and Monitoring standard
• Security patches must be installed in accordance with the Software Patch Management standard
• Appropriate Data Backup and Disaster Recovery procedures must be in place
• Servers must be located in a secure physical location, such as a Secure Data Center
• Register for a private IP address unless public accessibility is required
• Implement a firewall ruleset following default “deny-all” rules for inbound traffic whenever possible
• Standard security principles of least access required to perform a function must always be used
• The ‘root’ or ‘administrator’ account must never be used when a non-privileged account can be used
• Re-use of a local privileged account and password across multiple systems should not occur (instead
  create server-specific local account/password unique to each system)
• Privileged access must be performed over secure channels, such as but not limited to encrypted
  network connections, secure VPN, SSH, IPSec, bastion hosts
• Use the most restrictive trust relationship possible as simple trust relationships between IT Resources
  are a security risk and should be kept to a minimum or avoided.

C. Monitoring

All servers, especially those that transmit or store Level 3 – Sensitive Data and Level 4 – Highly Sensitive Data,
provide network connections, or function as part of authentication, authorization, or access control systems must
be configured to record and retain appropriate auditing and logging information as detailed in the Auditing,
Logging, and Monitoring Information Security Standard. This includes the following:

• What activity was performed?
• When was the activity performed?
• Who or what performed the activity?
• What IT Resource was used to perform the activity?
• What was the activity performed on?
• What tools were used to perform the action?
• What was the activity’s outcome or result (success, failure, error)?

D. Baseline Server Configuration Guidelines

Information Technology Services maintains the following Windows and Linux server configuration guidelines
and best practices. System Administrators shall use this guidance to help secure servers on the University’s
network and, therefore, to help protect the data stored, processed, or transmitted using these devices. These
guidance documents are intended to provide baseline descriptions of a System Administrator’s server
administration responsibilities as outlined above.

Windows Server Configuration Guidelines

Linux Server Configuration Guidelines

SECTION III. – ENDPOINT CONFIGURATION STANDARDS

| Device Configuration Standard | Description | Level 1 | Level 2 | Level 3 | Level 4 |
| --- | --- | --- | --- | --- | --- |
| Physical Protection | Endpoints will be kept in a physically secure location when not in an individual’s direct possession and laptops and mobile devices involved with highly sensitive data including research must be locked and stored when not in use | R | R | M | M |
| | Endpoints which are stolen, lost or misplaced must have a report made to the Northern Arizona University Police Department or other law enforcement agency of jurisdiction | M | M | M | M |
| | Remote wipe and device recovery software on laptops and mobile devices may be necessary for certain data agreements | R | R | R/M | R/M |
| Patching | Software Patch Management | | | | |
| | Keep all software up to date on a regular and consistent schedule as identified in the URL above, especially High/Critical Severity patches | M | M | M | M |
| | Software and apps should be installed and updated from trusted sources only and configured to limit the information made available to the app (example: disable or turn off the location-based services wherever it is not needed). | R | R | M | M |
| Malware Protection | Install anti-virus software on all eligible endpoints | M | M | M | M |
| | Update anti-virus software daily | M | M | M | M |
| Media Disposal | Records Management | | | | |
| | Follow industry standards for secure wiping – deleting or reformatting media is not sufficient – prior to transfer or removal | R | M | M | M |
| | Research data must be approved by the Office of the Vice President for Research before it may be transferred (Level 3 and 4 data) | R | R | M | M |
| | Remote wipe and device recovery software on laptops and mobile devices may be necessary for certain data agreements | R | R | R/M | R/M |
| Encryption | Institutional data should not be stored on Endpoints, but if necessary, the data should be encrypted with full disk encryption (via BitLocker for Windows, FileVault for Macintosh) | R | R | M | M |
| | Transmission, or sending, of data should be encrypted and is required for highly sensitive data types | R | R | M | M |
| Backup and Recovery | Data Backup and Disaster Recovery | | | | |
| | Institutional data should not be stored on Endpoints | | | | |
| | Backup to a CIO-approved solution is required | R | M | M | M |
| | Encryption of backups is required for highly sensitive data types | R | R | R | M |
| Access Controls | Where possible, endpoints will be password protected when unattended and configured to automatically lock the screen after 15 minutes of inactivity | R | M | M | M |
| | Access should be via unique account per individual and all University Community Members must comply with the Appropriate Use of Information Technology Resources policy | R | M | M | M |
| | Where possible, limit the use of Administrator accounts for system administration services only | R | R | M | M |
| | Mobile devices must be password or pin code protected | R | R | M | M |
| Remote Access | Remote Access should be restricted to a local network, a secure VPN group, SSH, bastion host | R | M | M | M |
| | Multi-factor verification is required | R | R | R | M |
| Firewall | Host based firewalls must be enabled and configured to block ports except those necessary for running the services required by the server role, and deny inbound connections unless needed by update, patch, configuration management (RDP, SSH) | R | M | M | M |

SECTION IV. – PERSONAL DEVICES


The increasing use of mobile computing devices, including but not limited to personally owned smartphones and
tablet computers, has resulted in an increased ability for University Community Members to work from
anywhere. These mobile devices provide convenience and productivity gains, but they also increase the risk of
data loss and theft if the device is lost, stolen, or compromised. Additional risks include possible violation of
University contracts or state or federal laws and regulations. Accordingly, individuals using Personal Devices to
access the University’s Sensitive Information are required to know and comply with the following:
1. Approved Devices and Support


Any computing device may be connected to the University guest, secure, or eduroam wireless networks
provided the device use does not disrupt University IT Resources or violate the Appropriate Use of Information
Technology Resources Policy. The secure and eduroam networks require authentication for use and users are
required to follow all policies and standards for acceptable use. When within its coverage area, University
Community Members must use the University’s secure wireless network when handling University information or
data on a wireless device.

1.1. The University will maintain the availability of its network.

1.2. The University will maintain the availability of its network authentication systems.

1.3. The University will provide limited support to University Community Members, including:
1.3.1. Documentation and guidance for configuring email on Personal Devices
1.3.2. Documentation and guidance for configuring and use of VPN on Personal Devices
1.3.3. Documentation and guidance for connecting to network drives
1.3.4. Wireless compatibility for officially supported device types
1.3.5. Assessment and removal of viruses, malware, spyware

1.4. The University will NOT provide the following support for faculty, staff, or affiliate Personal Devices:
1.4.1. Performance issues
1.4.2. Hardware problems
1.4.3. Applications
1.4.4. Operating system upgrades or patches
1.4.5. Backing up data or migrating data to other devices

1.5. The University will provide the following support for student Personal Devices:
1.5.1. Support for University provided software. Including but not limited to University Gmail and Google
G Suite for Education, Office 365, and Blackboard Learn
1.5.2. Virus and malware removal
1.5.3. Connecting to and troubleshooting issues with University network connections
1.5.4. Performance issues and system crashes
1.5.5. Hardware problem diagnosis, limited repairs, replacements, and upgrades. Purchase of
equipment/parts is the responsibility of the student
1.5.6. Operating system re-installations, upgrades, and patches
1.5.7. Limited data recovery and backup

2. User Responsibilities

Individuals using Personal Devices to access Sensitive Information must abide by all applicable University
policies, including the Appropriate Use of Information Technology Resources policy, Information Security policy
and its related standards, the Device Configuration Management policy, and the Data Classification and
Handling policy. When within its coverage area, University Community Members must use the University’s
secure wireless network when handling University information or data on a wireless device.

2.1. Do not download or store Level 3 – Sensitive Data or Level 4 – Highly Sensitive Data on Personal
Devices.

2.2. Destroy or remove and return all data belonging to the University upon departure from the University or
when the Personal Device is sold/transferred.

2.3. The theft or loss of any Personal Devices containing University data must be reported to the Northern
Arizona University Police Department or other law enforcement agency of jurisdiction.

2.4. Follow the standards and guidelines outlined in the Device Configuration Management policy and
standards to implement safeguards to protect University data.

3. Conditions, Risks, Liabilities, Disclaimers


University Community Members who use a Personal Device in furtherance of their job responsibilities or to
conduct University business may do so only after accepting and acknowledging the conditions, risks, liabilities,
and disclaimers outlined below. University Community Members who are unwilling to do so are encouraged in
the alternative to use University-provided computing devices to fulfil their work obligations.

3.1. The University at no time accepts liability for the maintenance, backup, or loss of data on a Personal
Device. It is the full responsibility of the device owner to back up Personal Device software and data.

3.2. The University at no time will be liable for the loss, theft, or damage of a Personal Device. This
includes, and is not limited to, when the device is being used for University business or during
University travel.

3.3. The University reserves the right to implement technology such as Mobile Device Management
(“MDM”) and/or Network Access Control (“NAC”) to enable the management of and the removal of
University information or data from Personal Devices that access its IT networks.

3.4. As permitted by law, the University may request that a University Community Member permit inspection
of or provide appropriate access to University information or data stored on their Personal Device when
doing so is necessary for the University to effectively administer its IT Resources, maintain the integrity
of Sensitive Information, enforce its policies, uphold its contractual obligations, or fulfill its legal duties.

4. Security and Monitoring

The University reserves the right to implement technology such as MDM and/or NAC to enable the
management, monitoring, and restriction of devices that access the University’s IT networks.

4.1. The University may perform vulnerability scanning, network scanning, and security scanning on
Personal Devices that access the University’s IT networks.

4.2. When necessary to protect the integrity of Sensitive Information, the University may prevent, block, or
remove access to its IT networks by a Personal Device which may disrupt or potentially harm
University IT Resources or violate University policies.

4.3. As outlined in the University’s Information Security policy, when necessary to protect the integrity or
security of its IT Resources or information systems and the University Information they contain, the
University may suspend access to its networks or devices and may examine any user account. At the
discretion of the Chief Information Officer, enforcement of this and related IT policies may include the
removal of devices or systems from the University’s information networks until compliance with
applicable requirements is achieved. Violations by a University Community Member of the duty and
responsibility to protect the University’s data, IT resources, and information systems in accordance with
this and other applicable policies, standards, or requirements may also result in denial of access to
University Information and/or University IT Resources or the temporary or permanent revocation of
access privileges. Individuals who violate this policy are subject to disciplinary action under applicable
Arizona Board of Regents and University conduct policies up to and including expulsion or termination
and possible civil liability or criminal prosecution. In cases where full compliance with the requirements
of this policy may not be immediately achievable, the unit’s leadership must consult with Information
Security Services to develop a plan for achieving compliance as soon as possible.

5. Sensitive Data Breach Response Protocols

5.1. Immediate reporting to Information Security Services of any suspected or actual release or breach of
sensitive data, systems, or devices is mandatory. Dial 928-523-3335 to make a report.

5.2. Upon receiving a report of suspected or actual release or breach of sensitive data, systems, or devices
Information Security Services will in collaboration with affected University stakeholders notify all
affected or responsible parties as appropriate.


5.3. The Chief Information Officer will assemble an incident response team to investigate, preserve
evidence, mitigate, and report on the event.

5.4. In incidences where health or safety may be a concern, the reporting party or Information Security
Services will immediately notify the Northern Arizona University Police Department and any external
authorities as may be appropriate.
