Supported PCs and Assurance Policies
This is not a theoretical risk. These issues are already being experienced, and the root cause is insecure practice by users with administrator privilege on the high number of unsupported/self-managed PCs and laptops in the University IT estate. A lack of support for these devices leaves us vulnerable due to:
- Poor maintenance leaving them exposed to virus or malware infection,
- Data being lost due to inappropriate storage,
- Data being lost due to inadequate back-up arrangements,
- The risk of research data management plans being breached due to inappropriate data storage,
- Being unable to effectively investigate and address suspicious / fraudulent activity in our IT estate,
- Inadequate security arrangements providing an exploitation ‘path’ into our wider IT estate.
Therefore, to address this situation we will increase support to colleagues and mitigate further risks by ensuring that all IT devices connected to the University’s central IT network have effective security, storage and back-up provided and in operation. This is not the same as a ‘corporate’ managed service. It is expected that staff will not try to circumvent the application of the support solutions provided, nor attempt to obstruct or undermine the principles of the policy.
The University purchases computer devices for a variety of purposes. The majority of computers are allocated to individuals as their primary computing device – enabling them to undertake the day-to-day responsibilities associated with their work. Others are used for specific tasks, projects and research activities; or to support specialist equipment and instruments. It is critical that the best decisions are made regarding management of all of these computer devices – whether they are desktops, laptops or newer tablet devices that are equivalent to a laptop in terms of specification and capabilities.
The majority of computer devices should have software components installed on them to ensure that they can be safely used without risk to the information stored and processed on them. These provide (at least) access to secure data storage; ensure the devices receive consistent software and operating system updates; and that they are fully protected by anti-virus software and firewalls.
The installation of these software components gives the University assurance that the devices are safe and ‘assured’; there are two levels of assurance provided by different services.
- Fully Assured services are those provided for Windows, Mac and Linux devices; they provide both full assurance of the security of the device and a range of other functionality (e.g. the program installer or equivalent). This encompasses two types of service: the fully-managed Windows 7 service and the full assurance service provided to Mac and Linux users.
- The Light Touch Assured service is for Windows devices only; this is a simpler (hence “light touch”) service which focusses on providing the minimum level of technical assurance needed to ensure the device is safe to use, without any extra functionality.
Manually Assured Devices are those which for some reason cannot have any software components installed on them to provide this assurance without affecting functionality. Because of this, these devices need to be manually checked (and periodically audited) to ensure that they comply with the University’s Information Security Policy.
These devices are referred to as ‘manually assured’ and this policy sets out how they will be supported.