Guidelines for Compliant Access to High Risk data

[DRAFT] Overview

This guide outlines the policies and standards which must be met in order for users to have access to data which has been classified as High Risk under APM 30.11. In an increasingly flexible and work-from-home environment, this compliance enables users to access to the most sensitive U of I data while still ensuring needs for data security and compliance are met. ITS is enabling access to high risk data through Microsoft Intune Application Protection on iOS and Android, JAMF management on macOS, and Microsoft Endpoint Manager (with Intune and Configuration Manager) on Windows. These technologies are already enabled and in place, but additional settings or configuration may be required on your device once you have access to High Risk data

Users with access to High Risk data may be referenced as "High Assurance" users.

If users in the High Risk data access group wish to access U of I data from that personal device they may be required to install a management agent on their personal devices, e.g., the Microsoft Company Portal.

Expected Impact

  • Users will be required to set an authentication method (PIN or biometric) on their mobile device in order to access to many U of I applications that access U of I data (including any High Risk data) from their mobile device

  • Users may be required to encrypt their device in order to access to U of I data (including High Risk data)  from their device

  • Some user may opt not to use their non-compliant device to access U of I data

Device Compliance Requirements for Operating Systems

  Windows macOS Android iOS
Ownership U of I owned or operated device1 U of I owned or operated device1 Personal or U of I Personal or U of I
Management ITS-managed with ConfigMgr+Intune ITS-managed with JAMF U of I applications U of I applications
Encryption ITS-managed Bitlocker ITS-managed Filevault Required Required
Firewall Host-based firewall enabled, no unapproved services open Host-based firewall enabled, no unapproved services open N/A N/A
Versions Current Windows 10, 8.1 Current macOS 10.14 or 10.15 Current Android 8.0+ Current iOS 13 or 14
Patching3 ITS-managed with ConfigMgr+Intune (10 business days)  Current supported macOS, or as managed through JAMF (10 business days) Must receive current patches in a timely fashion from vendor, and patched within 60 days 2 Current versions within 10 business days
Local Device Authentication Windows Hello, 6+ digit PIN, or current UI password standards 12 characters or more consistent with UI standards, Biometrics 6+ digits Screen Lock (and optionally Biometrics) 6+ digits Passcode (and optionally Biometrics)
Screen Lock 5 minute timeout 5 minute timeout No more than 5 minute timeout No more than 5 minute timeout
Antivirus ITS-managed Sophos Antivirus ITS-managed Sophos Antivirus N/A N/A
Application Protection N/A N/A Required for all Microsoft or approved apps Required for all Microsoft or approved apps
Data disposal / wipe Through U of I IT personnel Through U of I IT personnel Automatic or ITS-enforced app data protection/removal Automatic or ITS-enforced app data protection/removal
Third party file storage Not allowed Not allowed Not allowed; save or copy/paste limited to managed apps Not allowed; save or copy/paste limited to managed apps
Network access May be denied from unapproved VPN or Tor May be denied from unapproved VPN or Tor May be denied from unapproved VPN or Tor May be denied from unapproved VPN or Tor
Backups N/A N/A No third party data backup No third party data backup
Jailbroken/Rooted devices N/A N/A Blocked Blocked

 

References

 

Footnotes

  1. U of I operated device includes devices purchased by the university as part of any grant funding or provided to the university for facilitation of any official program or project.
  2. 60 days of patching delay for Android is a deviation from current U of I 10 day patching requirements and is subject to change.
  3. Some patching may be enforced through Duo Health or manual audits, when not supported by App Protection.

 

 

Details

Article ID: 1746
Created
Tue 10/13/20 11:49 AM
Modified
Thu 11/5/20 2:19 PM