Endpoint Protection Policy

Purpose

The purpose of this policy is to establish requirements for implementing and maintaining endpoint protection controls to safeguard University IT Resources from malware, unauthorized access, data loss, and other security threats. This policy ensures that all endpoint devices are adequately secured in accordance with the University’s security standards and regulatory obligations. 

Scope

This IT security policy, and all policies referenced herein, shall apply to all members of the University community, including faculty, students, administrative officials, staff, alumni, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.

Policy Statement

• Users must be vigilant about detecting malware, spyware, or adware manifesting in various ways, including but not limited to unsolicited pop-ups, performance issues, or unrequested browser windows.  
• Users must immediately report any malware infections, suspicious activity, or signs of compromise to the IT Service Desk at 718-817-3999 or [email protected]. 
• All University-owned and operated devices running Microsoft Windows, macOS, or *NIX endpoint devices must employ secure, non-default, and auditable authentication controls and password policies that meet or exceed the Passwords and Authentication section of the Acceptable Use of IT Infrastructure and Resources policy.
• Password complexity requirements must align with the Acceptable Use of IT Infrastructure and Resources, ensuring passwords are strong and resistant to attacks. 
• Users must verify that required protections are present and functioning when the device is received. If any protection is missing or not functioning, the User must immediately contact the IT Service Desk at 718-817-3999 or [email protected] and must not connect the device to University IT Resources until remediation is completed. 
• Users are prohibited from disabling, uninstalling, or otherwise circumventing required endpoint protections, security configurations, or management profiles. Removal or modification of required protections is prohibited without documented prior approval from Information Security and Assurance. 
• All University-owned and operated devices running Microsoft Windows, macOS, or *NIX must have approved endpoint protection software (e.g., CrowdStrike Falcon) installed, regularly updated, and actively monitored to detect and mitigate threats promptly. 
• All University-owned and operated devices running Microsoft Windows, macOS, or *NIX must: 
  • Have enabled host-based Firewall to enforce inbound and outbound traffic. 
  • Have employed system hardening measures, per the Systems Hardening Policy. 
  • Have up-to-date security patches per the Patch Management Policy. 
• Download applications only from trusted sources (e.g., App Store, iTunes Store, Google Play, Microsoft Store). 
• Device encryption (e.g., BitLocker, FileVault) must be enabled to protect sensitive data in case of theft or loss per the Disk Encryption Policy to ensure confidentiality. 
• All Endpoint devices should be regularly backed up by the end-user to ensure data availability and integrity. End users may request assistance in accomplishing this requirement by contacting the IT Service Desk at 718-817-3999 or [email protected]. 
• All University-owned and operated devices must employ Data Loss Prevention (DLP) tools (e.g., Spirion, Proofpoint) in an effort to prevent Users' sensitive data from being improperly shared within the University and externally.  
• Endpoint configurations must also implement applicable controls listed in the “Common Examples of Security Controls” table within this policy, based on device role and risk profile. 

Common Examples of Security Controls

Definitions

Endpoint is a device, including desktops, laptops, mobile devices, servers, or Internet of Things (IoT) devices, that connects to the University’s network and requires protection from threats. 

Encryption is the process of converting data into a coded format to prevent unauthorized access, ensuring that only authorized users with the correct decryption key can access the original data. 

Firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules, protecting endpoints from unauthorized access and external threats. 

IT Resources include computing, networking, communications, applications, telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and related materials and services. 

Malware is malicious software, such as viruses, worms, ransomware, spyware, and adware, designed to harm or exploit computers, networks, or devices. 

Patch Management is the process of regularly applying software and system updates to address security vulnerabilities and ensure protection against known threats. 

Related Policies and Procedures

• Acceptable Use of IT Infrastructure and Resources 
• Data Loss Prevention (DLP) 
• Disk Encryption Policy 
• Patch Management Policy 
• Systems Hardening Policy 

Implementation Information

Revision History

Policy Disclaimer Statement

Deviations from policies, procedures, or guidelines published and approved by Information Security and Assurance (ISA) will only be considered cooperatively between ISA and the requesting entity, with sufficient notice to allow for conducting appropriate risk analysis, documentation, review, and notification to authorized University representatives where necessary. Failure to adhere to ISA written policies may be met with University sanctions up to and including dismissal.