The procedures described in this section support the Registration and Protection of Endpoints Policy. Specific work instructions for implementing these procedures are the responsibility of the Certified IT Groups. Note that additional procedures for Medical Devices or other specialized equipment may be required.

Please see the main CUIMC Information Security Procedures page for an overview, effective date and definitions.

A. Managed Endpoints

All Endpoints purchased, or subsidized, by the University and used by Workforce members will be explicitly managed by a Certified IT Group. To be explicitly managed, the Endpoint (a “Managed Endpoint”) must meet the following criteria:

• All Users in the applicable business unit, and their associated Endpoints, are inventoried and inventory data are collected by the Users’ Certified IT Group. Inventory data are integrated with the CUIMC IT's ServiceNow Configuration Management Database.
• All Managed Endpoints are required to utilize full disk encryption. All Windows endpoints must leverage, along with hardware-based TPM chips, monitoring of their encryption status by the central CUIMC IT Encryption Monitoring System, as should any other system that can support this configuration. For any non-Windows system which cannot support this configuration the Certified IT Group must monitor the endpoint’s encryption status and keep it current in the CUIMC Asset Management System.
• In the event a user’s system cannot support encryption for some reason, the user may ask for an exception to encryption by following the subsequent process:
  1. Users will validate that no EPHI, or other Sensitive Data, are stored or accessed on the Endpoint. For circumstances where EPHI does exist on the Endpoint, but the Endpoint cannot be encrypted, the following conditions must be met:
     1. The Endpoint is physically locked to a surface to prevent theft.
     2. The User submits a Request for Encryption Exception within the CUIMC IT ServiceNow ticketing system that includes a statement of why the Endpoint cannot be encrypted and, if applicable, any plans to upgrade the Endpoint to a model that supports encryption.
  2. Users will submit a Request for Encryption Exception within the CUIMC IT ServiceNow ticketing system. The request will contain the following elements:
     1. Hostname of the Endpoint;
     2. Type of Data accessed or stored on the Endpoint;
     3. The User’s UNI or CWID;
     4. The User’s supervisor;
     5. The User’s department or equivalent; and
     6. The User’s IT Group, and:
     7. An explanation of why encryption cannot be supported.
  3. The exception request will be routed to the User’s supervisor for approval.
  4. Upon approval, the request will be reviewed by the Information Security Office and, if appropriate, routed to the User’s Certified IT Group, which will remove the encryption, if enabled, and add the Endpoint to a list of excepted Endpoints.
• All managed endpoints are required to have basic security software installed including, but not limited to:
  1. Anti-virus/malware, and
  2. Endpoint security (Microsoft Defender for Endpoint) managed by CUIMC IT
• If possible, software is enabled to permit remote wiping capabilities of the Endpoint should it be lost or stolen.
• The Endpoint is joined to CUIMC IT’s Active Directory domain, where feasible.
  1. For Endpoints that cannot be managed by an Active Directory domain, the Certified IT Group will ensure that the Endpoint has met the minimum configuration standards.
• The Endpoint is provisioned with a local IP address (10.x.x.x).
  1. Public IP addresses are only permissible by explicit authorization of the CUIMC Information Security Office through the use of a Request for Public IP Address form.
• The Endpoint is configured to use the CUIMC Proxy Server for web based threat protection.
• The Endpoint receives timely operating System and third party application patches from the Certified IT Group.
• The Endpoint is configured to prevent the use of unencrypted and unauthorized Removable Media if supported by the operating system or management software.
• The Endpoint is configured to lock after 30 minutes of inactivity.

When a Workforce member changes functions or is no longer associated with the University, all Managed Endpoints used by the Workforce member must be returned to his/her supervisor. At this time, the endpoint inventory must be updated to reflect the current status of the endpoint, either decommissioning/disposal, reassignment with new owner noted, etc.

B. Personal Endpoints

The use of personally owned Endpoints (e.g. “Bring Your Own Device”, aka BYOD) to access secured CUIMC assets by a Workforce member is permissible only if the following conditions are met:

• The User agrees to grant the Certified IT Group administrative rights to and management of his/her Endpoint while the Endpoint is being used for CUIMC purposes as long as the device meets the specifications for FDE and Endpoint Security; and
• The User agrees to allow the Endpoint to be monitored by his/her Certified IT Group. 

1. Request for Personal Endpoint Authorization

A department and associated CITG may, or may not, choose to allow members of their department to use personally owned endpoints. If they do, the following procedure applies:

1. The User submits a Request for Personal Endpoint Usage form in the CUIMC IT ServiceNow system.
2. The User’s supervisor is notified via email of the access request.
3. The User’s supervisor reviews and approves or rejects the access request. If rejected, the User is notified via email for their approval.
4. If approved, the User’s HIPAA Privacy and Security training status is evaluated and if all trainings are current, the approval is forwarded to the User’s Certified IT Group via email. If the trainings are not current, the User and the User’s supervisor are notified and the request is rejected.
5. If approved, the User’s Certified IT Group configures the Endpoint so that it may be fully managed and enters it into the CUIMC Asset Management Database.
6. The Endpoint is returned to the User for use. 

All requests will be documented, stored and maintained in the CUIMC IT ServiceNow system with an appropriate retention period.

When a Workforce member is no longer associated with the University, the workforce member’s department – via their Certified IT Group – is responsible for ensuring that any all CUIMC Data on his/her personally owned Endpoints is sanitized in accordance with the Sanitization or Disposal Procedures.

C. Data Backup

If any Endpoint is the primary repository of EPHI, the User of the Endpoint must comply with Section III(C) of the Business Continuity and Disaster Recovery Policy relating to Data Backup Plans.

D. Approved Usages of Removable Media

Workforce members may only use Removable Media that meet all of the following security criteria:

• Encryptable Data to 256-bit AES Cipher-Block & FIPS Validations: 140-2
• USB 2.0 and higher (for USB connected media)
• Supports complex passwords on the media
• The drive locks down and reformats after a maximum of ten intrusion attempts
• Ability to disable auto run 

CUIMC IT maintains a list of approved Removable Media, and Certified IT Groups will only permit Removable Media that meet the above requirements to connect to Managed Endpoints.

At no time shall unencrypted Removable Media be used. Exceptions will be permitted on a case-by-case basis, if approved by a User’s supervisor as well as his/her certified IT Group. This exception can be requested through the Request for Encryption Exception form, as described in Managed Endpoints above.

When a Workforce member changes functions or is no longer affiliated with CUIMC, all Removable Media must be returned the User’s supervisor. Media may then be redeployed, in accordance with the Sanitization or Disposal of Internal Media and Removable Media procedure.

E. Third-Party Software Applications

All third-party software applications that do not process or store information directly on the endpoint must undergo an IT software review prior to use. This includes any applications, plug-ins, modules, or integrations, many of which may use external Cloud storage.

In accordance with the University’s policies for External Hosting and Registration And Protection Of Endpoints, users must contact their Certified IT Group well in advance to initiate an application review of a third-party software. Each department that owns or uses a third-party software is responsible for ensuring that the necessary review and approval is granted before deployment.

A review performed on third-party software may require different assessment workflows. Application assessments are evaluated based on criticality and sensitivity as determined by the software capabilities and interaction with institutional data as categorized under the University’s Data Classification policy.