Information Security
Remote Work Minimum Information Security Standards
Last modified 8/2/2021
Remote Work Assignments
These standards are required for any University employee that enters a remote work assignment as defined in the 3.1.31 Policy on the University Policies and Procedures website.
Definitions
Endpoint Device: Any laptop, desktop, tablet, smartphone, or similar end-user computing device used to conduct University work or process University data.
University Owned Endpoint Device: Any endpoint device the has been procured in part or in full with University funds.
Endpoint Peripheral: Any technology device connected directly to an endpoint device such as a keyboard, mouse, webcam, microphone, headset, printer, or scanner. Note: Standards for these devices have not yet been established.
Network Device: Any router, hub, modem, switch, or similar device used to manage or operate a network to conduct remote work.
Standards
Remote Networks
Non-University owned or operated networks used in the course of a remote work assignment must meet the following criteria:
- The network must not be an open or “public” network such as those available at hotels, coffee shops, airports, etc.
- The network must be configured in the following manner:
- Where permitted by the device, the default administrator password must be changed on all networking devices.
- Automatic updates must be enabled on all networking devices.
- Where permitted by the device, the default wireless network name (SSID) must be changed on all networking devices.
- The wireless security must be set to WPA2 or stronger.
- The wireless password must be compliant with the University Password Procedure.
All Endpoint Devices
Regardless of ownership, all endpoint devices used to conduct work under a remote work assignment must meet the following criteria:
- The device must have an operating system installed that is supported by the manufacturer and configured to receive security updates automatically.
- The device must have an automatic lockout that occurs after 15 minutes of inactivity by the user.
- The device must require a password, passphrase, pin, or other security key to sign into the device.
- The device must have the following software installed and configured:
- Cisco AnyConnect VPN + Umbrella software (Request software by emailing informationsecurity@ilstu.edu)
- OneDrive cloud storage software
- Anti-virus software
- Firewall software
University-Owned Endpoint Devices
If the endpoint is owned by the University, it must additionally meet the following criteria:
- The device must be managed and supported by a University IT team.
- The device must be registered and actively managed in one or more of the following University systems:
- Microsoft Endpoint Configuration Manager
- Microsoft Intune
- Jamf
- AirWatch
- The device must have the following software installed and configured:
- Microsoft Defender for Endpoint
Highly Restricted Data
Employees operating under a remote work assignment with a need and authorization to use data that is classified as highly restricted under the University 9.8.1 Data Classification Procedure, must be compliant with the following:
Endpoint Owned By University | Endpoint Not Owned By University |
---|---|
Highly restricted data may be accessed, but may not be stored on the endpoint. | Highly restricted data may not be accessed or stored on the endpoint. |
Restricted Data
Employees operating under a remote work assignment with a need and authorization to use data that is classified as restricted under the University 9.8.1 Data Classification Procedure, must be compliant with the following:
Endpoint Owned By University | Endpoint Not Owned By University |
---|---|
Restricted data may be accessed and stored on the endpoint. | Restricted data may only be accessed, but may not be stored on the endpoint. |
Device and Data Access
Employees operating under a remote work assignment must ensure that they are the only individual with access to University data at the remote work site.
Family, friends, and guests are prohibited from using University-owned equipment. Separate user profiles must be used for equipment not owned by the University.
Updates
These standards will be updated as necessary to ensure compliance with applicable regulation and institutional policy and procedure. This section will record summary notes of such changes.
- 08/02/2021 - Added instruction to contact the ISO for the Cisco VPN + Umbrella client.
- 05/25/2021 - Fixed hyperlink to the University 3.1.31 policy page.
- 05/20/2021 - Revised the language and formatting in the highly restricted and restricted data sections for clarity.