ITS and the Information Security Office are in the process of reviewing and updating IT policies posted at policy.uconn.edu.
We recently had nine revised policies approved and published: Acceptable Use Policy; Business Continuity and Disaster Recovery Policy; Endpoint Device Security Policy; Firewall Policy; Multi-Factor Authentication (MFA) Policy; Network Access Policy; Risk Management Policy; Security Awareness Training Policy; System and Application Security Policy.
For a short summary of what has been revised, please view the Office of University Compliance’s recent post: https://policy.uconn.edu/recent-updates/
In addition to this overview, we want to highlight substantive changes to the following four policies:
- Acceptable Use Policy: We added a section on software. Only authorized software may be on university-owned devices. The software must be used for university work and in compliance with applicable laws, regulations, and license requirements.
- Endpoint Device Policy: The former “Mobile and Remote Device Policy” was renamed the “Endpoint Device Policy” to bring the policy in line with modern practices. This policy applies to any university-owned, external, or personal device that accesses non-public University IT resources.
  - Devices must run security protection (e.g., EDR), and University-owned endpoints must have Mobile Device Management software (Intune for Windows and Jamf for Macs) installed and enabled. Personal devices should be configured to enable these features where possible.
  - Confidential data should, in general, not be stored on endpoints, but if it must be, then the data must be encrypted.
- Network Access Policy: ITS is responsible for the University’s network environment. If there is a valid business use case for a unit to operate their own network infrastructure (e.g., firewalls or VPNs), they must provide ITS and ISO with administrative access and visibility into those systems for monitoring, diagnostics, and security purposes.
- System and Application Security Policy: Single Sign On (SSO) is mandatory for systems and applications. Systems that cannot use the central IAM solution must meet written documentation requirements and adhere to them.