University IT Policies FAQ - APM 30.16

This FAQ answers common questions regarding University IT Policies, APM 30.16. IT standards contain the specifications, protocols, and details related to University technology policy that provide direction for use of University technology resources. If you do not see your question, please provide feedback: at the question "Was this helpful?", answer "No" and then provide your question.

30.16 Technology Hardware Lifecycle Management

Questions

 

Q1: Why was policy 30.16 implemented?

A:  Please see Section A of APM 30.16 for more information.

Q2: Do I have to purchase all IT related equipment through OIT?

A: Chapter 30.16 requires all technology hardware as defined by C-1 to be purchased through OIT. C-1 defines technology hardware as all University-owned, -leased, or -maintained computing equipment that processes or stores University data. Essentially, the definition includes computers (desktops and laptops), tablets, university-purchased cell phones, printers, fax machines and other hardware that processes and stores university data.

Central purchasing is also part of the U of I’s overall security posture. The computers purchased must use other university infrastructure to make sure that university assets and data are secure and that we are compliant with the policies and laws that govern how we operate. This includes our ability to respond to public records requests and to provide appropriate cyber-security measures and incident response to protect the university from harm. Please consult Section E of APM 30.16 regarding non-compliance with this policy.

OIT strives to keep standard equipment in stock, ready for purchase. Please see the Hardware Procurement Request and Computer Hardware Purchasing Standards knowledge base article for a typical list of items kept in stock. The current supply chain issues have caused disruptions but, at this time, many items are in stock.

Q3: University standard equipment does not meet my requirements. How do I request an exception?

A: Submit a Hardware Procurement Request ticket. Select the option "Request an exception to the standard equipment" if the typical models don't quite meet your needs and you need upgraded memory, storage or another component. In the Purchase Description box, include the equipment requirements and how it will be used, the application you'll be using, or the reason the standard equipment does not meet your requirements. Your Technology Solutions Partner will work with you to define your needs and move your request through the exception approval process. Once the approval is complete, the order will be processed.

Q4: I was able to go to a big box store and immediately have equipment. I cannot do that now. What do I do if I have an emergency or immediate need?

A: OIT is here to help you and can respond to emergency requests.  We are making every effort to have standard equipment in stock and available for immediate purchase, configuration and deployment anywhere in the state. In many cases, we have loaner equipment available if equipment needs to be ordered.

Please see the Hardware Procurement Request and Computer Hardware Purchasing Standards knowledge base article for a typical list of items kept in stock. The current supply chain issues have caused disruptions but, at this time, many items are in stock.

Q5: I have found cheaper prices for the same configuration. Why?

A: OIT purchases enterprise class equipment rather than consumer class equipment. The two may have similar specifications, but enterprise class components are usually a higher grade and thus have a longer life span. Over time, the total cost of ownership is lower with enterprise class equipment because it lasts longer and maintains performance over its entire life span. OIT also purchases computer warranties that cover the expected life span.

In the event that a university standard computer, still under warranty and purchased by OIT, were to break, a new computer from stock could be quickly configured and swapped for the broken one. So long as your data is stored in OneDrive or SharePoint, you are back up and running. The broken computer would then be repaired and returned to you at a later time.

Q6: I have grant funds. Do I still need to purchase equipment through OIT?

A: Yes, per APM 30.16 D-1, all purchases must go through OIT no matter the funding source.  If you are in the process of writing your grant and you need budget placeholders for your computers please go to the Hardware Procurement Request page and scroll down to see the types of computers we are ordering and pricing. 

Q7: Can I use my own personal equipment?

A: The University of Idaho strives to provide a computer for all employees that require one for their work. Due to security and compliance concerns, use of personally-owned computers for university business is never recommended and is not allowed in most circumstances under APM 20.13, APM 30.11 and the accompanying IT Data Classification Standards. Before a personally-owned computer is used, please contact OIT to ensure that use is allowed. Due to security, data privacy and other concerns, OIT is unable to provide support when a personally-owned computer is used.

Use of personal email accounts and cloud data storage services for conducting university business is not allowed as documented in APM 30.10, section B-2. 

Q8:  What security and management software is on a U of I owned computer?

A: U of I currently uses Sophos anti-virus with Managed Detection and Response (MDR) capabilities to help mitigate risks of compromised endpoints and ransomware. This includes automated detection with machine learning to flag activity that may be indicative of ransomware or malicious activity. Alerts from Sophos may include the websites that suspicious activity may connect with. That can include web browsing activity, particularly if malware is detected on a site. Some browser history can also be searched. This is to protect devices from malware or to detect activity intended to compromise systems. Additionally, the Sophos MDR service includes 24x7 response to detected malicious activity and may include real-time response by our contracted vendor. Access to and use of this tool is audited.

In addition, we have vulnerability scanning provided by Nessus and/or Tenable to see that devices are configured and software is patched consistently with U of I standards to meet all compliance requirements.

Management software is run on both Windows and Mac in the form of Microsoft Configuration Manager and JAMF respectively. They work in partnership with other vulnerability scanning tools to see that devices are configured and software is patched consistently with U of I standards to meet all compliance requirements. This typically detects out-of-date software or misconfigured devices. These tools are widely used across higher education and other industries.

Q9:  Why is certain computing information being monitored?

A:  Such monitoring is required for effective legal and research compliance, including HIPAA, FERPA, DMCA, NIST, CMMC, Export Control, NSPM-33, and various research grants and contracts. The OIT Information Security Office has been tasked with evaluating the seriousness and immediacy of any threat to campus information resources, particularly for any information that requires confidentiality, and taking appropriate action to mitigate those threats.

Q10: Are browser histories, search engine requests, and keyword searches being monitored?

A: Some browser histories can be searched during incident response. Search engine requests and/or keyword searches are not being monitored by OIT. However, search engine requests and sites visited could show up in local browser history files.

Q11:  Is software being monitored?  And if so, how?

A:  Software packages are monitored for patching updates, licensing and compliance purposes.  Software is monitored using Microsoft Configuration Manager for Windows, and JAMF for the Mac. Vulnerability scanning using Nessus is also performed.

Q12:  Are the wireless networks on campus monitored?

A: Yes, to track assigned IP address and port information. Network name queries (DNS) are also logged for non-student networks to aid in the search for compromised devices or accounts. Some networks are protected by automated packet inspection measures (Intrusion Prevention Systems, or IPS) designed to automatically alert on or block malicious activity. Additionally, it is sometimes necessary to prove that a device did or did not communicate with an external entity to prove compromise or avoid breach. General flow information, including connection information to wireless access points, is also used by the network team for ensuring that networks and firewalls are operating optimally.

Q13:  Are student lab computers being monitored?

A:  Student lab computers are monitored the same way other computers are monitored and for the same reasons.

Q14:  Are student accounts monitored?

A:  Steps are also taken to limit what data may be collected on students, and those activities are typically protected by FERPA even in cases where some data is collected.

Q15:  Is there information that is specifically not collected?

A:  Any real-time video or camera access or recording unless directly initiated or shared by the user (e.g., through Zoom, Teams, or Bomgar).

Also, search engine requests or keyword searches, unless recorded as part of the URL, or searched directly through a U of I service or webpage. (Visiting a page could leave it in browser history, however.)

Q16:  Who determined the guidelines for monitoring?

A:  OIT, and specifically the Information Security Office, are charged with creating and maintaining guidelines. Many of these guidelines are part of many policies and compliance mechanisms issued by the university, the State of Idaho, and the Federal Government.  Below is a list of some of the relevant resources:

Q17: Who is authorized to review monitored material?

A: Access to this type of information is limited to university personnel on a need-to-know basis. Any requests for current or additional information outside of the Information Security Office are vetted by the appropriate campus authority, such as: a research compliance investigation approved by the Research Compliance Officer; compliance with a legal request or court order as vetted by the Office of General Counsel; or assistance with an immediate issue of public safety – typically through the Dean of Students, Public Safety, or General Counsel. Information Security Office staff are trained in appropriate and ethical forensics and incident response and work to maintain confidentiality of all data collected.

Q18: Are there vendors and/or manufacturers that we aren't allowed to buy from?

A: Yes. The US Department of Defense prohibits the purchase of equipment from the following vendors and manufacturers. University of Idaho IT policy strictly follows federal laws and mandates. This list is subject to change. Please refer to the full knowledgebase article for the full list of vendors and manufacturers.

 


Details

Article ID: 2304
Created: Thu 9/8/22 8:33 AM
Modified: Thu 11/3/22 9:56 AM
