Endpoint Security Standard
Summary
This Endpoint Security Standard (hereinafter referred to as “Endpoint Standard”) outlines the minimum system, software, and process protections that must be applied for all University-owned Endpoint Devices (e.g. laptops, desktop, servers, mobile devices, etc.) as well as all other Endpoint Devices that contain or process Institutional Data classified as Level 2 or above.
Endpoint Devices that contain or process Institutional Data are a fundamental part of the Northwestern University information technology landscape that includes internally managed information technology resources as well as externally managed resources in the cloud or at other third-party vendor locations. Endpoint Devices are an important source of connecting end users to Institutional Data via networks and systems and are a major source of how vulnerabilities and other information security threats are introduced into the University information technology landscape. Compliance with this Endpoint Standard helps ensure the protection, confidentiality, integrity, and availability of University systems and Institutional Data.
Departments and units may impose more, but not less, stringent requirements and standards as they deem appropriate or necessary based on applicable laws, regulations, or contracts.
Authority
The authority for implementation and enforcement of this Endpoint Standard is based on the Information Security Policy, effective January 1, 2022.
In the event of any conflicts between this Endpoint Standard and the University’s other information protection standards, the most stringent requirements will apply. This Endpoint Standard is implemented in conjunction with Northwestern’s Appropriate Use of Electronic Resources Policy and Privacy Statement, including provisions on how data are collected and/or accessed from Endpoint Devices.
Purpose Statement
This Endpoint Standard is intended to protect the intellectual property, confidentiality, integrity, and availability of university systems and Institutional Data from unauthorized access as well as the introduction of vulnerabilities and threats to other University information systems. Specifically, University-Owned Devices, as well as all other (including Personally-Owned) Endpoint Devices that store or process Level 2 data (or higher), must be intentionally managed to reduce risk and safeguard the proper and efficient operation of and appropriate access to university resources and Institutional Data.
Scope and Audience
The scope of this Endpoint Standard applies to all University-Owned Endpoint Devices, as well as other (e.g. Personally-Owned) Endpoint Devices that are used to process and/or store Level 2 Data or higher.
Internet of Things (IoT) devices are included in the scope of this Endpoint Standard if they store or process Level 2 data or higher.
The audience of this Endpoint Standard is any member of the university community (including vendors, contractors, suppliers, visiting faculty, etc.) who use, manage, or maintain an Endpoint Device that accesses Institutional Data.
If a department or business unit determines that use of a Personally-Owned Endpoint Device is required for University Business, it is the responsibility of the department or business unit to ensure protections equivalent to those outlined in this Endpoint Standard are applied. Departments or business units can contact Northwestern’s Information Security Office with questions about the security of Personally-Owned Endpoint Devices.
Control Requirements
University-Owned Endpoint Devices
- Inventory
Any Northwestern school, unit, department, or group procuring Endpoint Devices is required to account for the status and intended end-user for its University-Owned Endpoint Devices. This inventory should be reviewed and reconciled periodically (no less than annually) to ensure the integrity and accuracy of Endpoint Devices that are the responsibility of the University to protect.
- Endpoint Device Protection / Anti-Malware / Anti-Virus
All University-owned Endpoint Devices must have Northwestern’s licensed advanced threat protection software (Crowdstrike Falcon) installed. Crowdstrike should be configured in the most protective profile available for that host or operating system. In the event an Endpoint Device is not capable of running Crowdstrike (such as IoT, appliances, or systems that are required to run a certain OS version), an inventory must be maintained by the department or business unit of the device that contains details on the other mitigation steps taken to protect these devices (e.g. network segmentation). Mobile devices running a current and supported version of Android, iOS, or iPadOS are not required to run Crowdstrike Falcon.
- Vulnerability Management
All University-Owned Endpoint Devices are required to participate in Northwestern’s institutionally-managed exposure and vulnerability management program (Tenable). Where possible, a host-based agent should be installed for the most accurate reporting. For Endpoint Devices that are not able to run a host-based agent, an authenticated network scan shall be configured to report similar data. This authenticated scan is required to run periodically, no less than once every two months.
Vulnerabilities should be remediated on Endpoint Devices in accordance with Northwestern’s Patch Management Standard. The Patch Management Standard includes the requirement for running vendor-supported operating systems and software.
- Reporting Theft or Loss; Data Deletion
Theft or loss of any University-Owned Endpoint Device and any other Endpoint Device (including Personally-Owned) containing Level 2 or higher data must be reported to the department, school or unit responsible for the inventory of the device.
The department, school, or unit responsible must further report the theft or loss, in addition to details on the Institutional Data contained on that device, to the Office of Risk Management, Compliance Office, and the Information Security Office, so that the University can comply with its subsequent regulatory or contractual obligations.
Additional reporting to University Police and/or a local law enforcement agency may be required in some circumstances (for example, for Northwestern to file an insurance claim).
- Sales / Disposal
Before the sale, disposal, or other disposition of a University-Owned Endpoint Device, the device must be erased per Northwestern’s Policy on the Disposal of University Computers.
- Endpoint Device Configuration Standards
- All Endpoint Devices containing Level 2 or higher data classification are encrypted using a whole-disk technology (e.g. Bitlocker, FileVault);
- Endpoint devices and applications are licensed and kept current of recent patches and system protection configurations;
- Endpoint devices employ controls and technology to prevent unauthorized physical and logical access (e.g. firewalls, screen timeout, and lock screen are required);
- Unique user IDs and passwords are required to access Endpoint Devices;
- End user access rights to operating systems and applications are kept to the minimal level necessary to perform required duties;
- Endpoint devices are disabled from directory systems after 180 days of inactivity.
Contractors/Vendors/Third-parties External to Northwestern University
All contractors/vendors/third-parties external to Northwestern University must confirm in writing that they have in place endpoint protection standards that at a minimum include the following:
- Endpoint Devices are protected against malware and viruses by host-based malware detection and prevention software;
- Endpoint Devices are routinely assessed for threats and vulnerabilities;
- Endpoint Devices and applications are licensed and kept current of recent patches and system protection configurations;
- Endpoint Devices employ controls and technology to prevent unauthorized physical and logical access (e.g. firewalls and screen timeout and lock screen requirements);
- Unique user IDs and passwords are required to access Endpoint Devices;
- All Endpoint Devices are encrypted;
- End user access rights to the operating system and applications are kept to the minimal level necessary to perform required duties;
- The theft or loss of any device containing Institutional Data is reported to Northwestern’s Information Security Office.
Standard Implementation
- Endpoint Device Protection
University-owned devices are eligible for Crowdstrike Falcon Advanced Threat Protection. The agent is available for macOS, Windows, and many Linux distributions. Crowdstrike is not available for direct download by individual end users but is available from local IT support groups. There is no additional cost for end users to use Crowdstrike. Distributed Crowdstrike administrators are required to run the agent in the most protective profile feasible. Learn more about Crowdstrike.
Please contact your local IT support group to inquire if your endpoint device has Crowdstrike or to request its installation.
- Vulnerability Management
University-owned devices are eligible for Tenable’s vulnerability management agent. This agent provides report-only data on application and system versions and any corresponding vulnerabilities. Tenable is not available for direct download by individual end users but is available from local IT support groups. There is no additional charge for end users to use Tenable. For Endpoint Devices that are not able to run a host-based agent, or for non-University-owned Endpoint Devices on the University Network, an authenticated network scan shall be configured by the local IT support group responsible for the Endpoint Device to report similar data. This authenticated scan is required to run periodically, no less than once every two months.
- Endpoint Device Hardening
The following additional configurations are recommended for all Endpoint Devices (regardless of ownership) and are required for all University-owned Endpoint Devices, as well as Personally-owned devices that process or store Level 2 (or above) data.
- Encryption. Unless an Endpoint Device is used strictly as a kiosk or is only allowed to contain Level 1 data, the Endpoint Device must be encrypted using a whole-disk encryption method. University-owned devices should use FileVault (macOS) or Bitlocker (Windows). All University-owned devices should have encryption keys escrowed in a management system such as JAMF, MBAM, or Active Directory.
- User Authentication. Unique user identifiers and passwords are required to access Endpoint Devices. Where possible for University-owned devices, NetID authentication should be used for Endpoint Device access. At a minimum, passwords should meet the current lifecycle and baseline complexity requirements for a Northwestern NetID.
- Firewalls. Internal host-based firewalls must be enabled and set to deny all incoming traffic by default. Individual applications or ports should be enabled on a case-by-case basis when required.
- Role-based access. Administrative or privileged access to Endpoint Devices should not be a default setting and only allowed for individuals with a need for elevated permissions.
- Secure network access. Endpoint Devices should only connect to trusted and secure networks; Northwestern’s VPN should be used in situations where only untrusted networks are available.
- Server segmentation. Desktop and laptop devices should not be used for “server” functionality that accepts external connections (e.g. serving web sites, databases, or remote code execution).
- Supported software and patching. Endpoint Devices must only run supported software and should patch vulnerabilities in accordance with Northwestern’s Patch Management Standard. Automatic update functionality for operating systems, as well as browsers and core business/productivity software (e.g. Zoom, Microsoft Office, Adobe Acrobat, Chrome, Firefox, etc.) should be enabled for all devices, including those that are managed by NUIT or a local IT unit.
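The control requirements in the Endpoint Device Configuration Standards and the hardening baseline above are the kind of rules a local IT unit ends up checking against its device inventory. The following added example (written for this page; it is not Northwestern's tooling and the inventory record layout and field names are assumptions) evaluates a constructed inventory against those rules: endpoint protection required on University-owned devices except supported mobile operating systems, a documented mitigation where the agent cannot run, a host agent or an authenticated scan within two months, whole-disk encryption for Level 2 data with keys escrowed on University-owned devices, default-deny host firewall, screen lock, no default administrative rights, and directory disablement after 180 days of inactivity. The exact day count for "once every two months" is not on the page, so the 62-day figure is an assumption.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Thresholds from the standard. The page says "no less than once every two
# months" without a day count; 62 days is an assumption for this example.
SCAN_MAX_AGE = timedelta(days=62)
INACTIVITY_LIMIT = timedelta(days=180)
MOBILE_OS_EXEMPT_FROM_EDR = {"android", "ios", "ipados"}
WHOLE_DISK_ENCRYPTION = {"bitlocker", "filevault"}


@dataclass
class Endpoint:
    """One inventory record. Field names are assumptions made for this example."""
    name: str
    os: str                              # e.g. "windows", "macos", "embedded"
    university_owned: bool
    data_level: int                      # highest Institutional Data level held
    kiosk: bool = False                  # kiosk-only use is exempt from encryption
    edr_installed: bool = False          # Crowdstrike Falcon present
    edr_most_protective: bool = False    # running in the most protective profile
    compensating_controls: str = ""      # documented mitigation if EDR cannot run
    vuln_agent: bool = False             # Tenable host agent present
    last_auth_scan: date | None = None   # last authenticated network scan
    encryption: str = ""                 # "bitlocker", "filevault" or "" for none
    key_escrowed: bool = False           # recovery key held in JAMF/MBAM/AD
    firewall_deny_inbound: bool = False  # host firewall denies inbound by default
    screen_lock: bool = False            # screen timeout and lock enforced
    user_is_admin: bool = False          # end user holds admin rights by default
    directory_enabled: bool = True       # account/device still enabled in directory
    last_directory_activity: date | None = None


def in_scope(ep: Endpoint) -> bool:
    """University-owned devices, plus any other device holding Level 2 or higher data."""
    return ep.university_owned or ep.data_level >= 2


def findings(ep: Endpoint, today: date) -> list[str]:
    """Return the list of control gaps for one endpoint; an empty list means compliant."""
    gaps: list[str] = []
    if not in_scope(ep):
        return gaps

    if ep.university_owned:
        # Endpoint protection: required except on supported mobile OSes; a device
        # that cannot run the agent must have its mitigation steps documented.
        if ep.os not in MOBILE_OS_EXEMPT_FROM_EDR:
            if not ep.edr_installed and not ep.compensating_controls:
                gaps.append("no endpoint protection agent and no documented mitigation")
            elif ep.edr_installed and not ep.edr_most_protective:
                gaps.append("endpoint protection not in most protective profile")
        # Vulnerability management: host agent, or an authenticated scan within two months.
        if not ep.vuln_agent:
            if ep.last_auth_scan is None or today - ep.last_auth_scan > SCAN_MAX_AGE:
                gaps.append("no vulnerability agent and no authenticated scan within two months")
        # Encryption keys on University-owned devices must be escrowed.
        if ep.encryption and not ep.key_escrowed:
            gaps.append("encryption recovery key not escrowed")

    # Hardening baseline: applies to every in-scope device regardless of ownership.
    if ep.data_level >= 2 and not ep.kiosk and ep.encryption.lower() not in WHOLE_DISK_ENCRYPTION:
        gaps.append("Level 2+ data without whole-disk encryption")
    if not ep.firewall_deny_inbound:
        gaps.append("host firewall not denying inbound by default")
    if not ep.screen_lock:
        gaps.append("screen timeout/lock not enforced")
    if ep.user_is_admin:
        gaps.append("end user holds administrative rights by default")
    if (ep.directory_enabled and ep.last_directory_activity is not None
            and today - ep.last_directory_activity > INACTIVITY_LIMIT):
        gaps.append("inactive for more than 180 days but still enabled in directory")
    return gaps


def audit(inventory: list[Endpoint], today: date) -> dict[str, list[str]]:
    """Map each endpoint name to its list of gaps."""
    return {ep.name: findings(ep, today) for ep in inventory}


# Constructed sample inventory (not real hosts) and a fixed audit date.
TODAY = date(2024, 3, 1)
SAMPLE_INVENTORY = [
    Endpoint("staff-laptop-01", "windows", True, 2, edr_installed=True, edr_most_protective=True,
             vuln_agent=True, encryption="bitlocker", key_escrowed=True, firewall_deny_inbound=True,
             screen_lock=True, last_directory_activity=date(2024, 2, 20)),
    Endpoint("lab-controller", "embedded", True, 1, compensating_controls="isolated lab VLAN",
             last_auth_scan=date(2023, 11, 1), firewall_deny_inbound=True, screen_lock=True),
    Endpoint("personal-macbook", "macos", False, 2, encryption="filevault",
             firewall_deny_inbound=True, screen_lock=True, user_is_admin=True),
    Endpoint("old-desktop", "windows", True, 1, edr_installed=True, edr_most_protective=True,
             vuln_agent=True, encryption="bitlocker", key_escrowed=True, screen_lock=True,
             last_directory_activity=date(2023, 6, 1)),
    Endpoint("visitor-phone", "android", False, 1),
]

if __name__ == "__main__":
    for name, gaps in audit(SAMPLE_INVENTORY, TODAY).items():
        print(name, "->", "compliant" if not gaps else "; ".join(gaps))
```

Running the block lists each constructed device with its gaps: the managed laptop is clean, the embedded lab controller is tolerated without the agent because its mitigation is documented but is flagged for a stale authenticated scan, the personally-owned laptop holding Level 2 data is held to the hardening baseline only, and the idle desktop is flagged for its firewall and for still being enabled after 180 days. Out-of-scope devices (personal, Level 1 only) produce no findings by design.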
Exceptions or Questions
Exceptions to this Endpoint Standard can be requested from the Information Security Office at the individual school/unit level, and must contain both a business case for the exception as well as other mitigating controls that will be implemented to compensate for the control requirements listed above.
Remedies and Compliance
Requests for any exceptions to this Standard should be submitted to the Information Security Office and will be reviewed in consultation with the Information Security Advisory Committee.
Lack of compliance to this Standard could result in sanctions relating to the individual’s use of ICT resources at Northwestern, or other appropriate remedies as authorized by the Appropriate Use of Electronic Resources Policy, Faculty Handbook, Staff Handbook, or Student Handbook. Civil or criminal penalties may also apply if non-compliance results in the loss or disclosure of confidential, restricted, or regulated information.
Definitions
Endpoint Devices ("Endpoints"): Endpoint Devices are physical or virtual machines that have the ability to collect, store, and/or process information. Some examples of Endpoint Devices include, but are not limited to, desktop or laptop computers, mobile phones, tablets, virtual machines, embedded devices, and servers. Internet-of-Things (IoT) devices, such as "smart" equipment (cameras, lighting, appliances, speakers, or thermostats) are also Endpoint Devices.
Information and Communication Technology (ICT): An umbrella term used to describe all information and communication technologies, that includes, but is not limited to, the Internet, wireless technologies, software, systems, applications, public/private/hybrid cloud, computers, social network, as well as other media applications and services.
See The National Institute of Standards and Technology Glossary of Terms
Information Security Advisory Committee (ISAC): A University-wide technology governance group that is responsible for monitoring the security maturity and controls of the University, and providing approval for all security vulnerability exceptions that pose a significant or high risk to the University.
Institutional Data: All data that the University is responsible and accountable for protecting. This data includes, but is not limited to, data the University owns, collects, intellectual property owned by faculty or others, staff data, student data, faculty data, research data, personal information, alumni data, vendor and contractor data, and data that the university shares or provides to third parties for storage, processing, and analysis.
Northwestern- or University-owned Systems or Devices: ICT (including, without limitation, laptops, desktops, tablets, mobile phones, and IoT devices) that are the responsibility of the University to account for and provide appropriate safeguards. This includes ICT purchased (either directly or by reimbursement) from a University chart of accounts, or devices with documented ownership or responsibility transferred to the University from another institution or organization (such as ICT loaned to a laboratory or department).
Personal or Personally-owned Devices: ICT (including, without limitation, laptops, desktops, tablets, mobile phones, and IoT devices) that are wholly owned by an employee, student, or affiliate of the University. This includes devices for which a user receives a stipend or subsidy, such as a mobile communication allowance.
University Business: Any activity carried out under the auspices of Northwestern University and in furtherance of the University’s mission.
University Network: The University Network is the infrastructure and equipment that connects information and communication technology (ICT) to enable the exchange of data and information at Northwestern. This includes connections that are limited to within the university as well as the broader Internet. The University Network includes both physical wired (wall jacks, wiring, routers, switches, etc.) and wireless network components, including ad-hoc wireless networks. The University Network also includes connections provided by a third-party telecommunications provider but managed by Northwestern IT, or network paths over hardware or software (such as VPN, site-to-site tunnel, etc.) by which a user or ICT device receives a Northwestern-managed IP address, telephone number, or other Northwestern-owned network descriptor.
Related Policies, Standards, Guidelines or Procedures
Contact Information
Approving University Official(s): Vice President for Information Technology/Chief Information Officer
Responsible Office: Information Security Office
The following office can address questions regarding this Standard:
Northwestern Information Technology, Information Security Office
- phone: (847) 491-4357 (1-HELP)
- email: security@northwestern.edu
Important Dates
Effective Date
December 31, 2023