Endpoint Protection and Registration

A. Reason for Procedure

To ensure the security of the Lamont network, all Endpoint Systems that process, transmit and / or store Data must meet a minimum level of protection. That level of protection differs depending on the Data Type the System processes, transmits and / or stores. Endpoint Systems that process, transmit and / or store University Data must be registered to ensure the appropriate level of protection is in place.

Endpoint Systems are defined as single-user, general purpose systems, i.e. workstations, desktop computers, laptops and mobile devices.

B. Responsible Office and / or Officer

The Project Owner / Project IT Custodian is responsible for ensuring all Endpoint Systems that process, transmit and / or store the project's Data have all of the protections required by CU Policy configured and operating. Registration of systems with the Lamont IT Department will provide a record that these protections are in place.

The Lamont IT Department is responsible for maintenance of this procedure, and for responding to questions regarding it.

C. Procedure

All Endpoints that process, transmit and / or store University Data (as defined at /content/data-classification) MUST be registered with the Lamont IT Department. Open the Endpoint Registration form and fill out the relevant sections for each Endpoint. A copy of the form is emailed to the owner along with a link to edit the form; a separate copy is emailed to the IT department.

IMPORTANT: you need to open a new form for each Endpoint you wish to register. Editing an existing form will only change the information recorded for that particular Endpoint.

For ALL Endpoint Systems that process, transmit and / or store project Data, ensure the following protections are enabled:

  • All Endpoint Systems

    The following protections are required by all Endpoint Systems that process, transmit and / or store Data on the Lamont network:

    • Access to the Endpoint is password protected.
    • The System is running vendor-supported Operating Systems (OS) and has up-to-date patches installed.
    • The System is running anti-virus / anti-spyware security software. Anti-virus definitions are automatically updated daily.
    • All University Data files are backed up following the LDEO Backup Procedure.
    • System disposal will be carried out by following the LDEO Computer Equipment Disposal Procedure.
  • Workstations and Laptop Endpoints

    In addition to the above protections, workstations and laptops are required to have the following protections:

    • The Endpoint is physically protected and not shared with unauthorized personnel.
    • A firewall is activated and configured to prohibit access to services from unauthorized personnel.
    • The Endpoint is configured to lock after 15 minutes of inactivity.
  • Mobile Device Endpoints

    In addition to the above protections, mobile devices are required to have the following protections:

    • The Endpoint has a mechanism to encrypt all University Data.
    • The Endpoint will lock after 5 minutes of inactivity.
    • The Endpoint has a mechanism for remote secure erase if the device is lost or stolen.
    • The Endpoint will securely erase all University Data after 10 failed login attempts.
    • It is recommended that the Endpoint have a device recovery mechanism through the use of GPS tracking.
  • Sensitive Data

    In addition to the protections above, Endpoint Systems that process, transmit and / or store Sensitive Data are required to have the following protections:

    • A record is kept of what type of Sensitive Data is stored on the System. Such documentation must be kept up to date and in a secure location separate from the System.
    • Sensitive Data is encrypted while in transit and storage.
    • Removable Media containing Sensitive Data are encrypted.
    • If the Endpoint is a workstation or laptop, full disk encryption is used.

D. Registration Form Instructions

More detailed instructions for the individual questions on the System Registration Form:

  1. Owner / Operator Information

    • Email Address

      This should be a valid email address - it's where the completed form will be sent and where LDEO IT will contact you if additional information is required.

    • Owner/Operator Name

      The main user for this endpoint - if there is no single main user, it probably qualifies as a server and should be registered using the Server Protection and Registration procedure.

      Please enter as Last Name, First Name - for example:

      Doe, Jane
      Public, John

    • Division / Department

      The primary affiliation for the Owner / Operator above

    • Project(s) Name

      Name of your Research or Administrative project(s) utilizing this asset. If the endpoint is not limited to work on specific projects, you can generalize - for example:

      General Administrative Projects
      Climate Research Projects

  2. System Details

    • IT Custodian / Email

      If someone other than the Owner / Operator is in charge of system management, enter their name and email address for these two questions, otherwise enter "N/A" or leave blank.

    • Machine Name

      A unique name for the system, e.g. "My Macbook Pro", "Dell Dimension", "HP Laptop", etc. This is mainly used to help differentiate multiple Endpoints owned / operated by the same user.

      If you are editing an existing form, you should not change this entry. If you want to register an additional Endpoint, open a new form.

    • Operating System

      CU Policy requires a vendor-supported Operating System with the latest security updates installed.

    • Installed Software

      A short list of the types of software used to access or process University Data on the Endpoint.

  3. System Configuration

    • Waiver

      If it is not feasible for the endpoint to have some or all of the required protections applied, you may request a waiver from LDEO IT. If you have received a waiver, give the details here.

      If you have not received a waiver and believe it is not feasible to comply with the required protections, give the details here.

      In any case, answer all of the questions below about protections activated on the endpoint.

    • Password Protected?

      The criteria for strong passwords are detailed in the CU Information Resource Access Control Policy.

    • Firewall

      The default settings of most operating systems' built-in firewalls are considered acceptable protection.

    • Auto-Lock

      The endpoint should require a password to be entered to unlock.

    • University Data

      University Data is defined in the CU Information Security Charter. Any University Data stored on the system must be backed up, which is covered in the next section. Only answer "No" if there is no data STORED on the system.

  4. Data Backup Plan

    University Data stored on the Endpoint should be backed up in accordance with a Data Backup Plan as part of the larger plans outlined in the CU Business Continuity and Disaster Recovery Policy.

    • Backup Plan: General Description

      Give a brief description of the Backup Plan that is protecting the University Data stored on the Endpoint. If you have decided to forgo backing up the Data, give a brief explanation here.

    • Backup Plan: Responsible Party

      You can enter "Owner" or "IT Custodian" if applicable.

    • Backup Plan: Schedule

      How often are the files backed up? Is it automatic or manual?

    • Backup Plan: File Retention Period

      How far back can previous versions of files be restored, i.e. for how many days are older versions retained? LDEO IT recommends a minimum of 29 days.

    • Backup Plan: Software

      Name the software you're using for backups and where the backups themselves are being stored.

    • Backup Plan: Access to Backup Data

      A list of who has access to the backup data. You can enter full names and email addresses, or use "Owner" or "IT Custodian" if applicable.

    • Backup Plan: Test Restoration

      Give a short description of how you perform test restores of data from the backups and how often you do the test. Testing the restoration procedure is important because you can't tell otherwise whether your backups are actually useful or not. Modern storage hardware is very reliable, so restoring files from a backup is normally a very infrequent occurrence. Regular testing will help to remind you of the steps your backup software requires to restore files.

  5. Sensitive Data

    Sensitive Data is defined in the CU Data Classification Policy as "any information protected by federal, state or local laws and regulations or industry standards, such as HIPAA, HITECH, the New York State Information Security Breach and Notification Act, similar state laws and PCI-DSS."

    The Policy also has examples of this type of Data. Some things that are NOT considered Sensitive Data would be contact information, e.g. a person's name, email address, phone number, etc. Basically, anything you would find on a business card is not considered Sensitive Data. If you have any questions about Data stored on this endpoint, please contact askit.

    • Sensitive Data

      If the endpoint processes, transmits or stores Sensitive Data, you will need to answer all of the questions in the next section.

  6. Sensitive Data Details

    • Sensitive Data: Record

      Endpoints that store Sensitive Data are required to have a record of that Data which is stored external to the Endpoint. Give a short description of the Sensitive Data stored on the endpoint.

    • Sensitive Data: Encryption in Transit, Storage

      Sensitive Data must be encrypted while in transit and storage; full details of the requirements can be found in the CU Registration and Protection of Endpoints Policy. Storage of Sensitive Data on a desktop or laptop computer requires full-disk encryption to be employed.

    • Sensitive Data: Backups

      Sensitive Data must be encrypted while stored on backup media, and the encryption keys must be stored elsewhere. Give a description of how you perform the encrypted backups and restorations, along with your encryption key management procedure.

  7. Equipment Disposal Plan

    The LDEO Computer Equipment Disposal Procedure must be adopted for every Endpoint that processes, transmits or stores University Data. The Procedure simply ensures secure erasure of University Data takes place before the Endpoint is recycled / repurposed / sold, etc. It takes into account both University-owned and personally owned Endpoints.

    • Disposal Policy Adopted

      You should answer "Yes" here.

    • Disposal Policy CU Tag

      If your system does not have a CU Capital Asset Control Tag, answer "N/A", otherwise answer "Yes".

    • Disposal Policy Sensitive Data

      If your system does not have Sensitive Data stored on it, answer "N/A", otherwise you should answer "Yes".

    • Disposal Policy Equipment Recycling

      If this system is CU property, you should answer "Yes" here. If you own the system, then you should answer "N/A" here.

E. References

Refer to the CU Registration and Protection of Endpoints Policy here: https://universitypolicies.columbia.edu/content/registration-and-protection-endpoints-policy