University Policies and Procedures Manual (previously Business Policies and Procedures Manual)

Electronic Device (Endpoint) Security

UPPM 87.10

For more information contact:
   Information Technology Services


1.0 Overview and Purpose

1.1 Information Assurance Policies Generally

The purposes of the information assurance policies in UPPM Chapter 87: Information Technology and Security are to:

  • Set requirements to ensure the privacy, confidentiality, integrity, and availability of Washington State University (WSU) data;
  • Support institutional goals and strategies with appropriate methods for administratively, technically, and operationally protecting data; and
  • Define the criteria WSU follows to meet requirements for protecting data, which are determined by Information Owners.

The policies in this chapter follow Federal Information Processing Standard 199 (FIPS 199), which establishes a common approach to information security across organizations by requiring that each system be categorized as low-impact, moderate-impact, or high-impact for each of the security objectives of confidentiality, integrity, and availability. To determine the potential consequence of a loss event, these standards:

  • Define WSU Information Owners’ impact categorization rating (Low, Moderate, or High);
  • Dictate which security controls are mandatory based upon the categorization level;
  • Define the strength, frequency, and formalization of those controls; and
  • Influence audit burden and continuous monitoring rigor.

See UPPM 87.01 for definitions, general information, and violations related to this policy, as well as additional information regarding roles and responsibilities.

1.2 Specific Policy Overview and Purpose

The security of endpoints, including but not limited to smartphones, tablets, and computers, is critical to protect institutional data and prevent unauthorized access and other security threats to WSU systems. This policy sets forth requirements for the use of WSU-owned or employee-owned endpoints for the purpose of creating, storing, transmitting, and protecting institutional data.

2.0 Applicability

This policy applies to all WSU system users who have contact with, or potentially may have contact with, WSU data, applications, and computing resources.

Security control exceptions to policy statements in UPPM Chapter 87 are managed and maintained in accordance with UPPM 87.23.

3.0 Roles and Responsibilities

3.1 Chief Information Officer

The Chief Information Officer (CIO) of WSU, or designee, is responsible for administering this policy and reviewing it on an annual basis.

3.2 Information System Owners

WSU Information System Owners, or their delegates, are responsible and accountable for developing appropriate Standard Operating Procedures (SOPs) for this policy’s implementation. 

3.3 Office of Information Security and Assurance (OISA)

WSU’s Office of Information Security and Assurance (OISA) shall maintain the standard (PDF) associated with this policy and provide guidance for the associated procedures for the implementation of this policy (see examples (PDF)).

Note: While all units are required to adhere to the standard established by OISA, which is based on NIST SP 800-53, the procedural examples for implementation are optional.

4.0 Requirements

4.1 WSU-Owned Endpoints

When technically feasible, Information System Owners are to ensure that WSU-owned endpoints display a system use notification or banner to users prior to granting access to the system.

Only approved operating systems may be installed on WSU-owned endpoints. Any attempt to circumvent built-in operating system security controls is prohibited.

A WSU Information Owner, or their delegate, must be assigned for all WSU-owned endpoints, including mobile endpoints. If an Information Owner cannot be determined for an endpoint, the endpoint is to be decommissioned in accordance with UPPM 87.72.

A centrally managed WSU endpoint management solution must be used.

Once a WSU Information System Owner, or their delegate, has determined that the endpoint is no longer necessary, it must be decommissioned, in accordance with UPPM 87.72.

Only approved software applications are to be installed on WSU-owned endpoints in accordance with UPPM 87.30 and 87.32.

Each WSU-owned endpoint must run the latest tested and approved versions of its operating system and of all applications installed on the endpoint, in accordance with UPPM 87.40.

All WSU-owned endpoints are to use:

  • Endpoint protection software that includes the capability to detect and remove malicious code, in accordance with UPPM 87.42; and
  • Malicious code protection mechanisms that are automatically updated whenever new releases are available, in accordance with UPPM 87.40.

Information System Owners, or their delegates, are responsible for maintaining an inventory of allowed applications within their environments.

WSU-owned endpoints are to be configured to automatically lock after a period of inactivity, in accordance with UPPM 87.03.

All WSU-owned endpoints must require user authentication prior to use, in accordance with UPPM 87.03.

4.1.a   User Accounts

WSU endpoint users may access WSU institutional data from WSU-owned endpoints. Such data may not be generated on, stored on, or transmitted to data storage systems outside the control of WSU, except when both of the following conditions are met:

  • The use is covered by an existing contract with the vendor, or is specifically allowed as part of the user's assigned job duties; and
  • Doing so does not violate WSU policy or state or federal law and is managed in accordance with UPPM 87.15, 87.40, and 87.53.

All WSU user accounts utilized on WSU endpoints are to be based upon the principle of “least privilege,” in accordance with UPPM 87.03.

WSU endpoint users may not be granted direct administrative/root level access to WSU-owned endpoints. When official job role functions require administrator/root level access, a separate user account must be created for this purpose. As with other user accounts, these separate administrative/root level accounts are to be authorized, inventoried, and utilized in accordance with UPPM 87.03.

Generic (shared) administrator or other privileged accounts must never be used directly to access a WSU-owned endpoint, except in the case of a documented emergency on the system.

By accessing or using WSU-owned endpoints, WSU employees consent to routine monitoring of data stored, processed, transmitted, or otherwise used on the endpoint system, in accordance with UPPM 87.40.

4.2 Employee-Owned Endpoints

WSU Information Owners, or their delegates, may allow the use of employee-owned endpoints to access WSU data if:

  • The endpoints comply with WSU’s security and privacy control requirements;
  • WSU data is maintained and backed up using a WSU-managed backup solution; and
  • The employee-owned endpoint is enrolled in a WSU-managed endpoint management solution capable of remotely wiping WSU-managed data.

Use of employee-owned endpoints on WSU networks is a privilege and may be revoked by the appropriate business unit (WSU Information Owner, or their delegate) for any reason.

Employee-owned endpoints with compromised security controls (i.e., devices on which operating system security controls have been circumvented, such as jailbroken or rooted devices) are prohibited from accessing WSU resources, in accordance with UPPM 87.40.

All employee-owned endpoints that access WSU data must be configured to utilize whole-disk encryption on the endpoint, in accordance with UPPM 87.33 and 87.40.

4.3 Digital Endpoint Security

All endpoints used to store, process, transmit, or otherwise use WSU data must be secured and managed by a WSU-managed endpoint management solution capable of remotely wiping WSU-managed data, in accordance with UPPM 87.30 and 87.72.

Logging and monitoring must be enabled on WSU-owned endpoint systems in accordance with UPPM 87.50, 87.12, and 87.40.

Information System Owners, or their delegates, must document and maintain a System Security Plan (SSP) for WSU-owned endpoints, in accordance with UPPM 87.15.

The SSP must include the security controls implemented on the endpoints to protect the confidentiality, integrity, availability, and privacy of WSU information. Selected controls must be based upon the classification of the data that is stored, processed, transmitted, or otherwise used by the endpoint, in accordance with UPPM 87.53.

WSU Information System Owners, or their delegates, are to establish, document, and maintain baseline configuration requirements and security controls for WSU-owned endpoints, in accordance with UPPM 87.30. Baselines must be based upon the principle of “least functionality.”

Endpoint devices must have WSU data backed up using a WSU-managed backup solution, in accordance with UPPM 87.70. WSU is not responsible for conducting system- or user-level backups of non-WSU data on employee-owned endpoints. (See also Section 5.2.)

Vulnerability scans are to be performed on a regular basis on WSU moderate- and high-impact endpoints, in accordance with UPPM 87.17 and 87.25.

Remote administration must be performed in accordance with UPPM 87.51.

4.4 Physical Endpoint Security

4.4.a   Travel to High-Risk Areas

WSU employees who are known to be traveling to high-risk areas external to WSU (e.g., foreign countries) with moderate- or high-impact endpoints are to be issued systems or components by their WSU unit, configured with controls that counter the increased threat. (See UPPM 95.53 for international travel policy information, including export controls and specific requirements for federally-funded researchers.)

See the following websites for security tips for international travel:

4.4.b   Visiting Third-Party Entities

The appropriate WSU Information System Owner, or their delegate, must:

  • Provide authorization to any visiting third-party entity (e.g., vendor or supplier) to access WSU-managed network resources; and
  • Escort the visiting third-party entity.

This requirement does not apply to access to the guest wireless network, which provides visitors with general access to the internet.

4.4.c   Lost and Stolen Endpoints

Employees are to report any lost or stolen WSU-owned endpoint to the WSU Pullman Information Technology Services (ITS) Security Operations Center (SOC) as soon as possible in accordance with UPPM 87.55.

Physical security controls are to be implemented for all WSU-owned endpoints, in accordance with UPPM 87.62.

4.5 Moderate- and High-Impact Systems

Moderate- and high-impact WSU-owned endpoints that access WSU data must be configured to utilize whole-disk encryption on the endpoint, in accordance with UPPM 87.33 and 87.40.

Moderate- and high-impact WSU systems must implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.

4.6 WSU Information Datasets

WSU Information System Owners, or their delegates, must work with WSU Information Owners, or their delegates, to identify and document all WSU internal, confidential, and regulated information datasets that are approved to be stored, processed, transmitted, or otherwise used on endpoints, in accordance with UPPM 87.15 and 87.53.

WSU data and communications created, sent, received, or stored on WSU-owned or employee-owned endpoints are the property of WSU and are considered WSU information, in accordance with UPPM 87.40.

4.7 Public Records

WSU is obligated to preserve and make available to the public all records containing information relating to WSU business that are prepared, owned, used, or retained by the University, unless the record is exempt (see RCW 42.56 and WAC 504-45).

Public records formats include, but are not limited to, documents, texts, phone calls, voicemail, email, instant messaging, calendars, photos, and videos.

By using WSU- or employee-owned endpoints to conduct WSU business, employees understand and acknowledge this obligation, in accordance with WSU’s records management and public records policies, UPPM 90.01, 90.03, 90.05, 90.06, 90.07, and 90.12. (See also the Records Retention and Disposition page of the Policies, Records, and Forms website.)

5.0 Training

See UPPM 87.21 for training requirements related to UPPM Chapter 87.

In addition to the requirements in UPPM 87.21, Information System Owners are responsible for ensuring that users receive appropriate information security and privacy training commensurate with their roles, responsibilities, and authorized access to information systems under the Information System Owner’s authority.

6.0 Resources and Related Policies

  • UPPM 90.01: University Records-Retention and Disposition Policy
  • UPPM 95.53: International Travel Policy

_______________________
Revisions:  Feb. 2026 (Rev. 651); June 2020 – new policy (Rev. 549)