Reducing Risk for End-User Devices
Through the End-User Device Initiative, IT Services is leading a collaborative process with unit IT partners across campus to socialize, clarify, and implement a set of end-user device standards and policies. The standards and policies are largely finalized and awaiting governance approval. As such, IT Services has begun to work with unit IT partners to assess their end-user device management practices. Data collected will be used to focus future efforts within units and provide a baseline understanding of the overall campus technology risk environment.
The IT Risk Program’s End-User Device Initiative worked with unit IT partners and faculty to revise and ratify the primary end-user device policy governing the configuration and upkeep of computers used for University business. When the revised policy is ratified, it will provide a current and common practice for keeping University computers secure. In order to provide an accurate answer to the question “How secure are the University devices?”, IT Services and unit IT partners across campus that manage device fleets will be expected to regularly report on their device inventory.
In November 2019, IT Services began coordinating the monthly reporting of staff desktops and laptops. The initial goal of the effort is to determine the overall level of staff device encryption. (When devices are stolen or lost, encryption provides peace of mind about the data on those devices. Staff devices routinely contain more sensitive data than faculty devices and were made the initial focus.) Moving forward, IT Services will broaden the reporting efforts to include encryption levels of faculty devices and more details on compliance with the baseline policy tenets.
The End-User Device Policy can be reviewed on the IT Services Policies website.
The Information Systems and Managed End-User Device Standards and the Information Systems Physical Environment Standards can be reviewed on Box.
What end-user device risks is the University trying to prevent?
Proper configuration of devices significantly lowers the risk your computer faces as a target for cyberattacks.
A successful cyberattack presents serious risks to the University community. Faculty and staff could see their sensitive correspondence shared with the public, confidential data leaked or altered maliciously, critical projects destroyed, and even discover that their private conversations have been recorded through hijacked microphones or webcams on their computers. These breaches could cause severe damage to reputations, achievements, and livelihoods. Students, alumni, donors, collaborators, research subjects, and hospital patients could also see their private information breached and be negatively affected.
I’m not a technical person. What does each of these policy tenets mean?
See the 1-pager for a simplified version of the key policy items.
What does this effort mean for me?
End-user devices (laptops, desktops, smartphones, tablets, etc.) are a significant source of risk.
The approach is to:
- Create a clear, agreed-upon definition of what needs to be done (in this case, a revision to the current End-User Device Policy)
- Develop services that support following the policy (encryption support, backup, device management)
- Communicate this policy and its implications (IT Leadership Council, Board of Computing Activities and Services)
- Create a means to ensure that devices are following the significant tenets of policy.
Routinely collecting per-device data is the only sure way to validate that devices are following the policy tenets. If devices cannot support all of the policy tenets, these devices must be registered as exceptions. Unless the devices are managed by IT partners, gathering per-device information can be onerous. To make this easier, the University is developing a management solution that will automatically include policy reporting.
I support devices for my division or unit, but many of the devices in use right now are devices I didn’t purchase and/or set up. What are my obligations to the policy?
There are clear limits to what you’ll be able to do for these machines.
- If nothing else is reasonably possible, protect your users from data loss by installing University-provided backup software. If a device breaks or is lost or stolen, their files are still recoverable.
- Remind your users to use UChicago Box and Google Drive for as much data as possible.
What support is there for following the policy?
These services are provided at no charge to help keep University devices safe.
- Backup software
- Device encryption key escrow for Mac and Windows devices
- Device management solutions
- Antivirus software
I have reservations about putting my machine on device management. Why would I want to use it?
<link to the device management FAQ>
Now that the policy is revised and support services are in place, what’s next?
The University needs to ensure that its devices are following the best practices set out by the policy. IT partners, along with IT Services, will regularly report on the computers they manage along with these best practices, and these reports will be shared with senior leadership and the Provost’s Office.