Client Computing Security Standard
September 30, 2009/updated July 1, 2012
Date of Enforcement: November 1, 2010
Comments on this standard should be sent to ITSecurity@osu.edu
Tools
Client Computing Security Standard Evaluation Checklist PDF
I. Informal Overview
The purpose of the Client Computing Security Standard (CCSS) is three-fold: to help protect each user’s computer from harm; to protect other users’ computers from harm; and to protect OSU’s data network and its allied resources from misuse. The CCSS consists of four requirements, all of which must be met before using the computer on OSU’s network.
- The computer must use firewall software. This helps protect the user’s computer from external intrusions.
- Software on the computer must be current. This is particularly important for high-risk software, such as the operating system and web browser. Staying current makes the user’s computer less vulnerable to outside subversion, helping to protect the computer and its data.
- The computer must have software that helps guard against malicious or undesired software such as viruses, spyware or adware. Collectively, this anti-malware helps defend the user’s computer and helps prevent it from being used to exploit others’ computers.
- The computer must have a user name and password or other sign-on mechanism that helps prevent its use by unauthorized individuals. This password must meet the OSU password complexity requirements.
In addition to the CCSS, users are expected to comply with OSU’s Policy on Responsible Use of University Computing and Network Resources and the Policy on Institutional Data (particularly part IV.H).
II. Implementation Guidance
Since the CCSS applies to an audience that is not necessarily well versed in information technology and may include general users, this section outlines not only the intent of the standard but also some platform-specific guidance to aid in meeting its requirements. This implementation guidance can be found in supporting documents on this site or in the 8Help knowledgebase.
III. The Client Computing Security Standard
a. Each device must meet the following minimum standards while connected to OSUNet.
- The device must be guarded by an up-to-date and active host-based firewall set to protect it from unauthorized network traffic.
- Supported operating system and application software with current security patches must be installed.
- The device must be protected against malicious or undesired software such as viruses, spyware, or adware.
- Access to the device must require appropriate authentication controls such as account identifiers and robust passwords.
b. Units must develop and maintain processes, practices or tools to ensure, either manually or automatically, initial and continued compliance of university-owned devices with the standard's requirements.
Note: Units should develop processes, practices or tools to quarantine or disconnect the non-compliant device until it is brought into compliance.
c. Passwords, including those used with university name.# Internet user names, may not be shared with others and must be changed periodically, at intervals not exceeding one year. All university owned/managed computers must meet or exceed the university Password Requirements, including complexity and password life-cycle qualities. Generic accounts should not be created with weak passwords, and when possible "guest" accounts should be disabled.
d. In some cases it may not be possible to bring a device into compliance. For example, older laboratory equipment software may not operate with current operating systems or security patches. In these cases operating units or individuals must employ compensating controls. Units must document compensating controls and must retain this documentation for audit so long as the device is in operation.
Units may request an exception to one or more elements of the standard if no compensating control is possible. These exception requests must be submitted to OCIO Enterprise Security who will review and approve or deny the requests within 15 working days of receipt.
e. University academic and administrative units may specify additional standards or requirements within their administrative areas of responsibility. Units must document and publish any additional requirements, preferably on a unit web site. These additional requirements must be reviewed annually and may be modified as needed. The unit’s additional standards may strengthen or extend but may not weaken the provisions of the CCSS.
IV. Compliance
a. Role of Units, IT staff, and others
The user’s department/unit is responsible for ensuring compliance with the CCSS, though departmental/organization IT staff may perform the actual implementation on university owned equipment.
The user is responsible for compliance on personally owned equipment. Users granted administrative responsibility on university equipment (i.e., local administrator rights, or access granted under a local administrative privilege policy) share responsibility for compliance with local IT staff.
Individual university community members who do not comply with this standard are in violation of the Policy on Responsible Use of University Computing and Network Resources. In accordance with that policy, violators may be denied access to university computing resources and may be subject to other penalties and disciplinary action including university disciplinary procedures.
b. Role of OCIO Enterprise Security
OCIO Enterprise Security is responsible for maintaining the CCSS and ensuring that the document is kept current with threats and technologies going forward. OCIO Enterprise Security will incorporate community feedback and publicize any changes to the document.
OCIO Enterprise Security members are also identified as the enterprise subject matter experts on information security practice and policy and in that role can be asked to perform security assessments or consultations with university units.
c. Compliance Mechanisms
Compliance with the standard can be accomplished using a variety of technological or practical tools. Units that have the capability to perform automated detection of patches and vulnerabilities (such as Altiris, LANdesk, Cisco Clean Access, Juniper NAC, etc.) should use these tools to do regular inspection of their networks to gather information regarding the state of compliance.
Those units that do not have the capability to run automated tools to gather compliance information are encouraged to consider purchasing/acquiring these tools but may elect to use a manual process such as spot inspection of computers to determine overall compliance.
Units must conduct a compliance inventory on all university-managed devices on no less than a quarterly basis.
OCIO Enterprise Security may conduct an inspection of unit resources in cooperation with the unit leadership and IT staff to determine overall CCSS compliance. These spot inspections are required if a unit is confirmed through investigation to have been involved in a CCSS related data breach.
Devices found not to be in compliance must be quarantined from the general network, and the compliance issue must be addressed before the device may be restored to normal operation. If the device cannot be made compliant, the unit may implement a compensating control or request an exception. Upon approval of the exception request the device may be restored to normal operation.
V. Compliance Reporting
Units are expected to report to the Office of the Chief Information Officer on the details of CCSS compliance. These reports will be submitted on a quarterly basis via a web-based reporting tool and will include the following:
- Total number of computer systems subject to CCSS compliance
- Total number of computer systems in compliance by element
- Total number of computer systems with approved exceptions
These gathered numbers will be used for auditing and compliance checking by OCIO Enterprise Security during required and random checks. These numbers are also reported up to the Board of Trustees Audit Committee. Units are encouraged to add comments using the web form when special circumstances surrounding compliance with the CCSS are identified. These comments will also help the university identify areas where compliance concerns exist and where discussion of general technology solutions or security advice can be offered.
Designated members of each unit should file reports, though colleges and larger departments may be asked to roll up report numbers to simplify the process of analysis. One administrative designee as well as at least one IT professional should be assigned the task of collecting and reporting this information.
VI. Review
The Office of the Chief Information Officer must review this document and must update or modify the standard requirements as necessary on at least a biannual cycle.
VII. Glossary
- anti-malware – software designed to combat malware by protecting computers from attack and by neutralizing or removing the offending programs.
- compensating controls – a method of addressing the risk associated with a standard requirement by using alternative techniques to mitigate the risk.
- computer – a desktop or mobile device (including smart phones, PDAs, etc.) that is used primarily for normal desktop application work. With regard to the CCSS, "computer" does not include computing devices with a dedicated use, such as building control systems or appliances that perform only a single dedicated function. This definition does not exclude desktop systems traditionally used for desktop purposes that are re-tasked for use in non-traditional roles (e.g., lab instrument control).
- data network – a group of interconnected computers managed by The Ohio State University
- device – for the purposes of this standard, device is an interchangeable term with the above definition of computer.
- firewall software – a part of a data network that is designed to block unauthorized access while permitting authorized communication. Firewalls can be software or dedicated computers that are configured to control computer traffic between different computer networks based upon a set of rules and other criteria.
- manually – updated through a manual process. This process can include some automated tools but is generally accomplished using staff resources and monitored directly by employees.
- non-compliant – a device that does not meet the requirements of the standard.
- operating system – the most important program that runs on a computer. Every general-purpose computer must have an operating system to run other programs.
- OSUNet – the Ohio State University data network.
- password – a sequence of characters that one must input to gain access to a file, application, or computer system.
- quarantine – to isolate the device from other connected devices in a way that protects the device from exposure and prevents the device from potentially affecting the other resources on the data network.
- supported – software and hardware that is currently receiving security updates from the manufacturer.
- university-managed devices – devices purchased, owned, gifted, granted and maintained by university employees. University-owned devices can include supported computer systems and devices purchased through any of the various funding models including but not limited to grants, endowment, direct purchase, etc.
- user name – a specific login identity keyed to an individual user. User names are typically used to gain access to a computer operating system or application.
- viruses, spyware or adware – a group of computer programs classified as “bad” or malware. Viruses, spyware and adware often exploit flaws in computer programs and operating systems to extract information or attack the integrity of a data network.
- web browser – a computer program used for accessing sites or information on a network (such as the World Wide Web).
VIII. Revision History
- Revised Draft 2.1 9/30/09
- Revised Draft 2.2 SES 12/27/10
- Revised Final 2.3 TF 07/02/12