Information Technology Handbook

5.8 USG Endpoint Security Standard

Version date: May 16, 2014

5.8.1 Purpose

The USG encourages the use of IT and the USG PeachNet™ network in support of business, learning, education, research, and public service. However, this resource is limited and vulnerable to attack. Therefore, the USG promulgates this standard in direct support of the Appropriate Use Policy (AUP) and the Minimum Security Standards for Networked Devices Policy.

5.8.2 Scope

This standard applies to all USG participant organizations’ devices that are connected (wired or wireless) to the USG network or use an Internet Protocol (IP) address to originate electronic communications. Such devices include computers, mobile and smart devices, printers, or other network appliances, as well as hardware connected to the USG network from behind firewalls or Network Address Translation (NAT) systems. This USG security standard mandates that all devices connected to the USG’s network or to a USG participant organization’s network comply with the following requirements, referred to collectively as the Endpoint Security Standard.

5.8.3 Authority

5.8.4 Enforcement

USG participant organizations are responsible for developing internal policies, standards, processes, and procedures to facilitate compliance with USG security policies and standards. The standards are designed to comply with applicable laws and regulations. However, if there is a conflict, applicable laws and regulations will take precedence.

USG participant organizations may establish more stringent policies, standards, and procedures consistent with this USG standard.

Violations of this standard could result in serious security incidents involving state, federal, sensitive, or privacy data. Violators may be subject to disciplinary actions including termination and/or criminal prosecution.

5.8.5 Standard

USG network services and assets are privileges accorded at USG discretion. Devices connected to the USG PeachNet™ network and the USG participating organization’s network(s) must comply with this minimum endpoint security standard. The colleges, departments, offices, units, or service providers of any USG participant organization may develop stricter standards for themselves. Devices that do not meet the minimum endpoint security standard may be disconnected.

The following are the minimum endpoint security standard requirements/capabilities:

Asset Discovery and Inventory: See and report all assets connecting wired or wirelessly to the network.
Anti-phishing, anti-spyware, anti-malware, and antivirus management: Protect all endpoints from malware.
Host Intrusion Prevention (HIPS): Search for and stop suspicious behaviors typical of malicious attacks before they can execute.
Whitelisting/Blacklisting: Configure which programs are authorized to run or not run when connected to or disconnected from the network.
Firewalling: Configure trusted programs (applications), trusted network scopes, and connection rules to protect managed devices from unauthorized intrusions.
Encryption: Enforce the USG Encryption Standard governing encryption of all mobile endpoints including laptops, desktops, handhelds, and other external media. Reporting to demonstrate compliance.
OS/App Patch Management: Evaluate systems with active vulnerability scanning, and remediate known vulnerabilities through automated targeting and patch distribution.
Dashboard and Reporting: Manage and monitor hardware and software assets.
Removable Media and Device Control: Secure IT resources from core and network servers to desktops, laptops, and portable storage media in order to prevent data leakage.
Inventory Management/Discovery: Discover any managed or unmanaged IP-enabled device on your organization’s network or track devices in the cloud, as well as all applications. Inventory tracking functionality.
Software Management and Reporting: Manage and report on software licensing, distribution, and installation across the network.
Mobility Management - Mobile Device Management (MDM): Manage and secure any mobile device connected to the network including tablets, smartphones, and other mobile devices.
Management Gateway (off-network devices): Manage access endpoints inside or outside the firewall and without VPN using certificate-based authentication and SSL encryption.
Remote Management (managed and unmanaged devices): Manage asset data, remote access, control features, and remote monitoring.
Cloud Security Management:
  • Use certificate-based authentication and SSL encryption.
  • Send all data with SSL encoding.
  • Allow only authorized staff to access the core server in order to maintain the security of the organization’s firewall.
  • Use SSL session architecture.
  • Include firewall functionality.
  • Include monitoring and logging features.
Compliance Verification (FERPA, HIPAA, PCI, etc.): Assess and enforce alignment with compliance standards:
  • Payment Card Industry - Data Security Standard (PCI DSS)
  • SANS
  • National Institute of Standards and Technology (NIST)
  • National Security Agency (NSA)
  • Federal Information Security Management Act (FISMA)
Data Analytics (2016): Aggregate and analyze IT data.