Skip to main content

Minimum Device Security Guidelines

Updated

1. Purpose

These guidelines establish the minimum security standards for UC-owned devices that do not support Multi-Factor Authentication (MFA) for privileged access. These measures ensure compliance with UC’s IS-3 policy and protect Institutional Information and IT Resources.

2. Scope

Applies to all UC-owned desktops, laptops, mobile devices, and servers used by faculty, staff, researchers, and students that lack MFA for privileged access.

3. Minimum Security Requirements

  • Operating System & Software:
    • Devices must run a supported and regularly updated operating system.
    • Security patches and updates must be applied within 30 days of release.
    • Only approved and licensed software may be installed.
  • Authentication & Access Control:
    • Least Privilege Access (LPA): Administrative accounts must be used only for privileged tasks; standard accounts for daily activities.
    • Strong Password Enforcement: Minimum 12-character passphrases with a mix of letters, numbers, and symbols.
    • Automatic Screen Lock: Enforced after 15 minutes of inactivity.
    • Disable Default or Root Admin Accounts: If feasible, disable or rename default administrative accounts to limit attack vectors.
  • Data Protection & Encryption:
    • Full-disk encryption (FDE) required for all laptops and mobile devices.
    • Institutional Information classified as P3 or P4 must be encrypted in transit and at rest.
    • Secure data backups must be maintained according to UC retention policies.
  • Network & Endpoint Security:
    • Devices must use UC-approved antivirus and endpoint protection software.
    • UC-owned devices have P3 or P4 data locally they may only connect to secured networks (e.g., campus VPN, enterprise Wi-Fi).
    • Firewalls must be enabled and configured to block unauthorized access.
  • Device Management & Monitoring:
    • All devices must be enrolled in UCSB’s mobile device management (MDM) or endpoint security solution, if available.
    • Lost or stolen devices must be reported to IT within 24 hours.

4. Compliance & Review

  • These guidelines will be reviewed annually and updated as necessary to align with IS-3 and other UC security policies. The more detailed and up to date official UC policy can be found here
  • Non-compliant devices may be restricted from network access until they meet security standards.

For questions, contact the Unit Information Security Lead (UISL) at itcontact@bren.ucsb.edu

Powered by Zendesk