Guidelines for compliance with UO Endpoint Management Standard

Overview

The University of Oregon requires that all university-owned devices used by employees (faculty, staff and students) be configured to protect the data they access, process, or store. The Information Asset Classification & Management policy categorizes data into three levels of risk:

  • Low Risk (Green) 
  • Moderate Risk (Amber)  
  • High Risk (Red) 

Technology support teams will work with employees to ensure that devices under their responsibility have adequate safeguards or controls in place to prevent unauthorized access, modification, or loss of data. The university has defined its Endpoint Management Standard, outlining the different safeguards and security controls associated with the applicable data risk levels. In addition, remote workers must follow all security guidelines as outlined in the HR Remote Work Arrangement web page.  

To facilitate specific departmental business requirements, we have developed several device visibility and management options. These options ensure that data is secured and protected with safeguards in accordance with university policies. 

Device Management Options 

Device management falls within four options depending on the device that is used.

  • University employees processing or storing High Risk (or Red) data must do so using a UO-managed device following Option A or Option B below.  
  • Option C and Option D still require that necessary security safeguards and security controls are deployed in the specified systems. Systems determined to be out of compliance might be removed from the campus network until compliance is met.

Option A – Full Protection Model and Regular Software Updates

This is the preferred standard option. It ensures that devices are updated regularly with the latest software and operating system releases from vendors, and that critical updates are installed for data security and privacy.

Your departmental IT support team will also ensure that other required safeguards, such as disk encryption and appropriate local permission levels, are implemented.   

Option B – Full Protection Model and Quarterly Software Updates 

This option is identical to Option A, with the difference that updates are installed quarterly.

This option is used in situations where regular updates interfere with administrative, academic, or research-related processes. Under some circumstances, and in coordination with the employee, an emergency update might need to be deployed to remediate a specific threat that could not wait for the regular quarterly update cycle.

Option C – Inventory and Visibility Model and Manual Updates

In this model, the IT support team will set up the devices with a supported operating system and with management, endpoint detection and recovery, and vulnerability scanning agents. These agents will check in periodically with management systems for inventory purposes and to report anomalies.

The employee will be responsible for all software updates and for ensuring that the computer is always protected. Employees must work with IT support for recommended best practices.

Operating under this model requires the employee and department to demonstrate why the previous options would prevent them from performing their regular duties. Employees must submit an exception through the UO Service Portal, and the exception requires approval by the department’s top-level Dean or VP and the Chief Information Security Officer.

Option D – Isolation Model and Manual Updates

This option should only be considered for mission-critical computers that are not connected to the university network. The employee or department is responsible for all the required software updates and security safeguards. IT support may be available upon request.

Operating under this model requires the employee and department to demonstrate why the previous options would prevent them from performing their regular duties. Employees must submit an exception through the UO Service Portal, and the exception requires approval by the department’s top-level Dean or VP and the Chief Information Security Officer.

Details

Article ID: 140673
Created: Wed 1/31/24 1:46 PM
Modified: Wed 1/31/24 1:49 PM
