UC’s Important Security Controls for Everyone and All Devices
Practicing good cybersecurity is essential to protecting UC's mission to provide world-class teaching, research and public service. Good cyber hygiene is also important to protect the privacy of our students, faculty, staff, patients, research participants and other stakeholders whose information we receive, create and maintain.
The following controls and practices are UC’s systemwide baseline designed to protect UC’s Institutional Information and IT Resources. UC, its Workforce Members, partners, consultants and Suppliers are also required to comply with any additional obligations imposed by local policy, contract, law and/or regulation. For information about cybersecurity resources near you, visit Location Information Security Resources.
To read the full standard, please click on the link below.
UC’s Security Standard for Everyone and All Devices
The following list offers basic information about the guidelines of the Minimum Security Standard. For more detail, including system requirements, either click on the topics below or scroll to the bottom of the page.
- Anti-malware: Anti-malware software must be installed and running up-to-date definitions.
- Approval and Inventory: Confirm that devices can be secured before making a purchasing decision. Make sure IT Resources and Institutional Information are appropriately recorded in Location inventory.
- Backup and Recovery: Institutional Information classified at Availability Level 3 or higher must be backed up and recoverable. Backups must be protected according to the classification level of the information they contain.
- Encryption: All portable computing devices must be encrypted.
- Encrypt Portable Media: Portable media containing Institutional Information classified at Protection Level 3 or higher must be encrypted and safely stored.
- Host-based Firewall: If host-based firewall software is available on a device, it must be running and configured to block all inbound traffic that is not explicitly required for the intended use of the device.
- Local Admin or Administrator: Non-privileged user accounts must be used and only elevated to root or administrator when necessary.
- Password/PIN lock: Secure devices with a strong password, PIN, smart card, or biometric lock.
- Patching: Supported security patches must be applied to all operating systems and applications.
- Physical Security: Devices and Institutional Information must be physically secured.
- Session Timeout: Devices used to store or access Institutional Information or IT Resources classified at Protection Level 2 or higher must employ lockout/screen-lock mechanisms or session timeout to block access after a defined period of inactivity (15 minutes or Location limit). Mechanisms must require re-authentication before a return to interactive use.
- Supported Operating Systems: Run a version of the operating system that is supported by the vendor.
Anti-malware
Anti-malware software must be installed and running up-to-date definitions.
Tips
- Enable real-time protection and regular full scans.
System
- Mandatory – MAC, Windows
- Recommended – Linux, Mobile
Approval and Inventory
Confirm that devices can be secured before making a purchasing decision. Make sure IT Resources and Institutional Information are appropriately recorded in Location inventory.
Tips
- Consult your Location IT department or online resources to determine whether a device requires approval and recording in inventory.
- Many security breaches can be prevented, or their impact minimized, if your IT department is aware of your device and what’s stored on it.
System
- Mandatory – Linux, MAC, Mobile, Windows
Backup and Recovery
Institutional Information classified at Availability Level 3 or higher must be backed up and recoverable. Backups must be protected according to the classification level of the information they contain.
Tips
- Ensure the backup plan is consistent with business, regulatory and records management requirements.
System
- Mandatory – Linux, MAC, Mobile, Windows
Encryption
All portable computing devices must be encrypted.
Tips
- Use the approved encryption method for your Location.
- If you don’t need it, don’t store it. If you need to store it, encrypt it.
- Device-level encryption is the best option. If the device is not encrypted, encrypt any Institutional Information classified at Protection Level 3 or higher when stored on laptops and mobile devices.
System
- Mandatory – Linux, MAC, Mobile, Windows
Encrypt Portable Media
Portable media containing Institutional Information classified at Protection Level 3 or higher must be encrypted and safely stored.
Tips
- Encrypt all portable media and backups whenever possible. Lost or stolen media is a common cause of reportable data breaches.
System
- Mandatory – Linux, MAC, Mobile, Windows
Host-based Firewall
If host-based firewall software is available on a device, it must be running and configured to block all inbound traffic that is not explicitly required for the intended use of the device.
Tips
- Use the firewalls built into Windows, macOS and Linux, or those bundled with many popular anti-malware applications. Default settings are typically acceptable.
System
- Mandatory – Linux, MAC, Windows
- Optional – Mobile
Local Admin or Administrator
Non-privileged user accounts must be used and only elevated to root or administrator when necessary.
Tips
- Perform routine and daily activities using non-privileged accounts.
- Use Administrator on Windows/Mac OS or root/su on Linux or UNIX only for a specific administrative action. Log out of the account after completing the action.
- Contact your Location help desk or IT support center to set up root or administrator accounts if necessary.
System
- Mandatory – Linux, MAC, Windows
- Optional – Mobile
Password/PIN lock
Secure devices with a strong password, PIN, smart card, or biometric lock.
Tips
- Strong passwords and PINs are one of UC’s best defenses against unauthorized access.
- Consult Location resources for guidance on creating strong passphrases/passwords/PINs, smart card or biometric locks that comply with the UC Account and Authentication Management Standard.
- Strong passwords are 10-64 characters in length and include upper and lowercase letters, numbers, and special characters.
- Do not share passwords or PINs.
- Do not use common or similar passwords across accounts.
- Do not use your UC username and password for personal accounts.
- Do not use default passwords, and change default passwords immediately.
- Never use your username, “password,” “123456,” “12345678,” “qwerty,” common words, phrases or your name as your password.
System
- Mandatory – Linux, MAC, Mobile, Windows
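The password rules listed in the tips above (10-64 characters, upper and lowercase letters, numbers and special characters, no username, none of the well-known weak values) can be turned into a local pre-check that a help desk or onboarding script runs before a password is accepted. The POSIX shell function below is an added example, not UC's own tooling or a reproduction of the UC Account and Authentication Management Standard. It assumes a small blocklist drawn from the examples on this page, treats "contains the username" as a failure (slightly stricter than the literal rule), and reports each failed rule on stdout so the user learns what to fix.

```shell
#!/bin/sh
# Added example (not UC's code): check a candidate password against the
# rules stated on this page. Usage: check_password <username> <password>
# Returns 0 if every rule passes, 1 otherwise; each failed rule is printed.
# LC_ALL=C keeps the [A-Z]/[a-z] bracket ranges literal regardless of locale.
export LC_ALL=C

check_password() {
    user="$1"
    pw="$2"
    ok=0

    # Rule: 10-64 characters.
    len=${#pw}
    if [ "$len" -lt 10 ] || [ "$len" -gt 64 ]; then
        echo "length $len is outside 10-64 characters"; ok=1
    fi

    # Rule: at least one uppercase, lowercase, digit and special character.
    case "$pw" in *[A-Z]*) ;; *) echo "missing an uppercase letter"; ok=1 ;; esac
    case "$pw" in *[a-z]*) ;; *) echo "missing a lowercase letter"; ok=1 ;; esac
    case "$pw" in *[0-9]*) ;; *) echo "missing a number"; ok=1 ;; esac
    case "$pw" in *[!A-Za-z0-9]*) ;; *) echo "missing a special character"; ok=1 ;; esac

    # Case-insensitive comparisons for the remaining rules.
    lower=$(printf '%s' "$pw" | tr 'A-Z' 'a-z')
    luser=$(printf '%s' "$user" | tr 'A-Z' 'a-z')

    # Rule: never use your username (checked as a substring; assumption).
    if [ -n "$luser" ]; then
        case "$lower" in
            *"$luser"*) echo "contains the username"; ok=1 ;;
        esac
    fi

    # Rule: never use the well-known weak values from this page.
    # Constructed blocklist: the examples the page names, matched ignoring case.
    case "$lower" in
        password|123456|12345678|qwerty)
            echo "is a common password"; ok=1 ;;
    esac

    return $ok
}
```

The function is deliberately a local pre-check, not a replacement for the Location's authentication service: it cannot see whether the value is reused across accounts or matches a breached-password list, so it should sit in front of, not instead of, the Standard's own checks.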
Patching
Supported security patches must be applied to all operating systems and applications.
Tips
- When possible, use automatic updating or connect to your IT department’s patching and upgrade service. Apply patches as soon as possible; prompt patching quickly reduces risk.
System
- Mandatory – Linux, MAC, Mobile, Windows
Physical Security
Devices and Institutional Information must be physically secured.
Tips
- Use physical security cables to protect against theft or loss of valuable information from your workplace or vehicle.
- Lock devices in a cabinet at the end of the day/shift.
- Do not leave unencrypted devices unattended.
System
- Mandatory – Linux, MAC, Mobile, Windows
Session Timeout
Devices used to store or access Institutional Information or IT Resources classified at Protection Level 2 or higher must employ lockout/screen-lock mechanisms or session timeout to block access after a defined period of inactivity (15 minutes or Location limit). Mechanisms must require re-authentication before a return to interactive use.
Tips
- Enable the locking screensaver on Windows or Mac OS.
- Enable inactivity timeout on portable computing devices.
- Use TMOUT or another method to automatically log out on Linux or UNIX.
System
- Mandatory – Linux, MAC, Mobile, Windows
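For the TMOUT method mentioned in the tips, the detail that matters in practice is that the variable must be marked readonly, otherwise any user can simply unset it in their session and the timeout is no longer enforced. The script below is an added example, not UC's own configuration: it writes a profile drop-in that sets a readonly, exported TMOUT, refuses any value above the page's 15-minute (900-second) ceiling, and includes a checker that an auditor can run against an existing drop-in. The directory argument, the file name tmout.sh and the LIMIT_SECONDS constant are assumptions for illustration; on a real host the drop-in would live in /etc/profile.d/.

```shell
#!/bin/sh
# Added example (not UC's code): install and verify a shell idle-timeout
# drop-in for Linux/UNIX login shells. 900 seconds is the page's 15-minute
# ceiling; a Location may set a shorter limit.
LIMIT_SECONDS=900

# Returns 0 if $1 is a positive integer no larger than LIMIT_SECONDS.
tmout_within_limit() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -gt 0 ] && [ "$1" -le "$LIMIT_SECONDS" ]
}

# Writes $1/tmout.sh (assumed path; /etc/profile.d/tmout.sh on a real host)
# so that interactive shells log out after $2 seconds without input.
# readonly stops a user from unsetting or raising the value in their session.
write_tmout_dropin() {
    dir="$1"
    secs="$2"
    if ! tmout_within_limit "$secs"; then
        echo "timeout $secs is outside 1-$LIMIT_SECONDS seconds" >&2
        return 1
    fi
    cat > "$dir/tmout.sh" <<EOF
# Idle timeout for interactive shells: log out after $secs seconds of no input.
TMOUT=$secs
readonly TMOUT
export TMOUT
EOF
}

# Audit check: returns 0 only if the drop-in at $1 sets a compliant TMOUT
# value and marks it readonly.
check_tmout_dropin() {
    f="$1"
    [ -r "$f" ] || return 1
    secs=$(sed -n 's/^TMOUT=\([0-9]*\)$/\1/p' "$f")
    tmout_within_limit "$secs" || return 1
    grep -q '^readonly TMOUT' "$f"
}
```

Two caveats apply when deploying this: TMOUT is honoured by bash, ksh and zsh when they are waiting for input at the prompt, so a long-running command is not interrupted and shells that do not implement TMOUT are not covered; and it only logs out text sessions, so the screen-lock settings in the other tips are still needed for graphical logins.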
Supported Operating Systems
Run a version of the operating system that is supported by the vendor.
Tips
- Do not use end-of-life operating systems such as Windows XP, Server 2003 or Vista. They no longer receive security patches and are vulnerable to compromise.
System
- Mandatory – Linux, MAC, Mobile, Windows