Endpoint Protection Standard Q&A
The College of Sciences hosted a forum for Sciences faculty on January 18, 2019 that generated many good questions about the Endpoint Protection Standard and some other IT-related issues. This Q&A provides answers to the questions that were raised, and has been collaboratively developed by the Sciences IT, Office of Information Technology (Security & Compliance, Technology Support Services and the Coordinator of Special IT Projects and Faculty Collaboration), Office of General Counsel, and Internal Audit.
If you have any questions after reviewing this Q&A, please contact firstname.lastname@example.org and we will be glad to assist you.
Why are we doing this?
Definitions, risks, grant-funded computers, why concerned if no DoD grants
What it is, why used, impact of funding source, Linux, dual boot, Windows tablets
What it does, patching, reboots & operating system versions, performance, screen idle timeout, administrative access, encryption, memory/hard drive space used
Laptops while traveling, getting help, learning more & reporting problems
What is an exception, how to request, when granted, when processed, definitions, SURE (Security University Research Environment)
Collaborating with confidential data, scanning for sensitive data, Spirion
Deadlines and enforcement dates, liability and consequences for non-compliance
Deadlines, CMS, cell phones/mobile devices, privacy expectations, personal files
Box and DropBox, file sync alternatives, AFS future
We’re all in this together. There are many security hazards present in today’s Internet, and we can’t abandon the Internet or ignore the hazards. Our government, granting agencies and our own university administration are working to minimize the risks – and this has led to a number of operating requirements which we have to deal with.
The justification is that this will help insulate us from harm — harm to our research, to our students and to the university more generally. If we take these precautions we will minimize the harm and help insulate us from penalties that could result.
Since 1999, the university has required appropriate security precautions to protect and secure university data and IT resources. In order to meet these security needs, the Endpoint Protection Standard (EPS) was developed and outlines a set of minimum requirements based on security best practices used worldwide.
What risks should I be concerned about?
The risks to you and your data are real and significant – malicious actors have been known to:
- Steal and sell research data, which allows others to publish first
- Install malware that deletes data
- Publicly release sensitive unpublished research data
- Prevent university faculty and staff from accessing their data
- Publish grades, disability information for all students at a university
- Penetrate university networks and lurk for years, costing millions to fix
- Capture and expose student, faculty, and staff personal and financial information
A compromised system can be used to attack other systems which have data of interest, so even if your system doesn’t hold sensitive or research data, it’s important to protect it.
The security controls in the EPS are well established methods to protect your data and your peers’ data.
What is the Endpoint Protection Standard (EPS)?
The EPS is a university rule that sets the minimum security controls required on computers and other computing devices (whether owned by the university or not) that access or store university data.
What is an “endpoint”?
An “endpoint” is any computer or other device that is connected to the university’s network, either from on campus or remotely, or that accesses university data. For example, an office computer, a server, an iPad, an Android phone, and a laptop used in the field are all considered “endpoints”.
What is a “security control”?
A “security control” is a “safeguard or countermeasure that can detect, counteract, or minimize security risks” (source: Wikipedia). Some examples of security controls are encryption, antivirus, firewalls and the configuration of various settings on a computer or computing device.
My computer was purchased with grant funds, is it required to comply with the EPS?
Yes. Computers and other devices purchased partially or entirely with grant funds are still university-owned, because the grant is made to the university. Therefore, they must comply with the EPS and be managed by a configuration management system (CMS).
I don’t have Department of Defense grants, why should I be concerned?
While some funding agencies have more stringent security controls than others, such as the Department of Defense (DoD), other agencies still require reasonable levels of data security. If you are in compliance with the requirements of the EPS, then you are likely to be in compliance with most funding agencies’ current requirements.
You should also be aware of what may be coming: other funding agencies are expected to adopt similarly stringent security policies and guidelines in the future.
The university has developed a Secure University Research Environment (SURE) that complies with the more stringent regulations (such as NIST 800-171). For more information on computing services that meet sensitive research data requirements, send a request to email@example.com.
When does the configuration management system (CMS) requirement apply?
What is a “configuration management system” or “CMS”?
A CMS, as the acronym is used in the security arena, is a software system that is installed on a computer and significantly enhances the security of the computer system. The CMS can do things such as make software available, patch the operating system or software, gather inventory information, encrypt hard drives, and apply security settings.
It allows IT to install required software, apply required security settings, or respond to a critical security problem on many computers simultaneously — as opposed to scheduling an in-person visit to each computer.
The approved CMSs for campus are:
- Windows – WolfTech Active Directory with SCCM
- macOS – Jamf Pro
- Linux – CLS (Campus Linux Services)
If I’m meeting the other controls, why do I need a CMS on my computer?
The CMS (configuration management system) does a few desirable things from an IT security and compliance perspective. It allows IT staff to:
- Quickly identify computers that are exposed to a new serious security vulnerability, and remotely provide a patch if this is desirable
- Generate a hardware and software inventory, which helps identify computers that are at risk because of outdated technology or unpatched software
- Provide updated versions of the required software
From the perspective of the users of the computer, there are also a few advantages:
- It is possible to set up automatic patching on a convenient schedule
- You will have access to the current versions of a variety of site-licensed software that can be installed either automatically or on-demand
- Your IT staff can optionally provide you with some level of remote support
Can I purchase my own computers to avoid the EPS requirement to be managed by a CMS?
We suggest that you start with a direct conversation with IT about what a CMS really means for you and your system’s performance before spending your personal income to buy computers or other devices.
You can reach out to your local IT staff to identify what options are best for you. If you find the answers unsatisfactory, you should contact your IT director, who can help resolve any issues or assist with identifying cost effective solutions. In the College of Sciences you may contact the college’s IT staff or IT director at firstname.lastname@example.org.
If you have sensitive data, such as research data that is subject to a non-disclosure agreement, pre-patent research data, and certain student data, you may not store that data on non-university owned computers.
If you decide to buy computers with non-university funds, be aware that you still must comply with all of the security requirements under the Endpoint Protection Standard as well as other applicable university policies pertaining to the access, processing, and storing of university data.
The University discourages using personally owned devices to access, process, and store university data. The risk of inappropriately using personal devices to access, process, or store University data includes potential loss or theft of data, personal civil or criminal liability for misuse of data, and revocation of access privileges and other sanctions available under university disciplinary policies.
However, university services such as email, MyPack, Moodle, 2 factor authentication and VPN are acceptable uses on personally owned devices. These university services have been created to assist with ease of access and review of university data while the data is still maintained and secured on university servers.
Will Linux be required to be in a CMS?
Yes, computers running Linux will be required to be in a CMS. However, a deadline has not yet been set for Linux to be in a CMS.
Check with your local IT support. The new Linux CMS for campus, Campus Linux Services (CLS), has been approved and may be appropriate for your needs. CLS replaces Realm Linux.
Does the CMS requirement apply to all different versions of Linux, or just the campus Red Hat Enterprise Linux (RHEL)?
All versions of Linux are included. All university-owned computers and devices must be in an approved CMS if one is available, regardless of operating system.
What if I have a Windows tablet, such as a Microsoft Surface Pro?
Windows tablets, including the Microsoft Surface Pro, are managed in the same manner as other Windows computers and would be managed by a CMS.
Some tablets run a version of Windows that cannot be joined to a CMS, such as tablets running Windows RT. The other security requirements of the EPS would still apply. Please consult with your local IT support provider before acquiring these devices to make sure that support is feasible.
How will the CMS affect my computer?
What does the configuration management system (CMS) do to my computer?
Being in the CMS means that a small piece of software is installed on your computer to allow your computer to communicate with the CMS.
You may see some changes in the way you interact with your computer. Your local IT staff can give you more detailed technical information about settings and configuration if you need it.
You are most likely to notice:
- Login to the computer is required using Unity credentials
- Screen idle timeout is set. The default is 30 minutes.
(See “What is the screen idle timeout?”)
- Spirion is installed
(See “What is sensitive data remediation?”)
- Antivirus is installed
- Temporary admin privileges application is available (Mac)
(See “What is least privilege access?”)
- Automatic monthly patching is configured (Windows)
(See “Will my computer be patched unexpectedly?”)
- Access to software is available via JAMF Self Service (Mac) or SCCM Self Service (Windows)
Will I be able to install software on my computer?
Yes. If you need to be able to install software in order to do your work, you will have that ability.
It may be necessary for you to take an action prior to installing software, such as entering your password or running an application.
What if I need to remain at a specific version of an operating system?
If your computer must be at a specific version of an operating system, it’s possible to set things up so that it will not get automatic updates. Depending on your situation, it may be necessary to submit a request for an exception. If this is your situation, send email to email@example.com and we will help you.
Will my operating system be updated unexpectedly?
No, it will not. Operating system updates are planned and communicated in advance, and you will have the opportunity to raise concerns ahead of time.
Will my computer be patched unexpectedly?
No, not as a result of being in a CMS. Software vendors may automatically update their products on their own timetables (for example, Firefox), but this is unrelated to the CMS.
Windows operating system patches are managed by OIT and released monthly in accordance with Microsoft’s patch release schedule. Computers can be placed in groups to receive the patches on a predetermined schedule.
For macOS, we observed that in the past year, Apple patched all macOS devices without prior notification at least twice for serious security vulnerabilities. This included a required reboot, without the ability of system administrators to intervene. This was independent of the CMS.
For Windows, Microsoft releases patches outside of a normal patch cycle for extraordinary security threats. This has happened no more than once in any given year over the last 3 years. This was independent of the CMS. Computers that are not in a CMS would have received these patches directly from Microsoft.
Will there be performance impacts to my system?
You should not ordinarily experience performance impacts to your system simply from being in a CMS. It’s possible that antivirus/antimalware or full-disk encryption might have a small performance impact. If you notice performance problems impacting your research or workflow, your local IT staff can work with you to determine the cause and best course of action.
Will my computer reboot unexpectedly?
Your computer should not reboot unexpectedly due to being in a CMS. Windows patches are scheduled monthly and the time that your computer reboots can be configured. Bear in mind, reboots are necessary in order for many patches to take effect.
IT does not have control over what Apple chooses to do on the Mac, but any unexpected reboots would not ordinarily be the result of being in a CMS. Rare unexpected restarts on Macs are frequently the result of kernel panics caused for a variety of reasons that are unrelated to the CMS.
CMS-related reboots will normally allow deferrals or notify you ahead of a mandatory reboot.
If you have special needs regarding reboots, contact your local IT staff for assistance.
What is the “screen idle timeout”?
The “screen idle timeout” is the period of time between when you last use your mouse or keyboard and when your screen is locked such that you have to enter your password. The default timeout is 30 minutes. However, this default setting can be adjusted if there is a need.
Could we set our screen idle timeout to 4 hours? 24 hours?
The reason for the screen idle timeout is to help ensure that the person who is using the computer is really the person who’s logged in. It prevents a passerby, guest or intruder from accessing your email or data when you leave or step away for a while.
Timeouts are generally set for smaller timeframes, as shorter timeouts mean that there is less time a computer is likely to be simultaneously logged in and unattended.
As a rule, lengthy timeouts are not implemented because it’s unlikely that you would be consistently sitting in front of your computer continuously for that period of time without stepping away. However, if there’s a need for a longer timeout than the default, local IT staff can assist with configuring a reasonable period.
Can an entire college or department determine what settings they would like to have?
There are many settings that can be configured at a department or college level. It is necessary for any such choices to comply with the relevant rules, such as the EPS or Patching Standard. However, there is some flexibility.
For department-wide or college-wide settings, they should be developed jointly with IT. The appropriate department head or administrator should reach out to the IT director to talk through what you would like to see and what your concerns are.
How much hard drive space and memory will the CMS take up?
Overall, the CMSs do not take up large amounts of computing resources.
Technical details for Windows:
The SCCM agent takes minimal resources. Sitting idle, it uses 0% CPU and about 75 MB of RAM. Every 4 hours the client checks for updates, and once daily it reports hardware and software inventory; each of these events results in negligible resource usage. By default the client cache (where downloaded updates and application installers are kept) is 20 GB, and it will typically remain full.
Technical details for macOS:
The agent on a macOS client checks in with the JSS (the Jamf Pro server) at computer start up and every 30 minutes thereafter, consuming about 2 KB of network traffic, 4 MB of real memory, and 0.10% CPU. In addition, computer inventory is uploaded to the JSS once a day, causing less than 200 KB of network traffic, 8 MB of real memory, and 3.74% CPU. On average the inventory process takes 30 seconds to complete.
In the event the computer is not connected to the Internet, the hardware/software inventory and client check-ins will pause. This will not impact system performance.
What is “least privilege access”?
“Least privilege access” means that a person using a computer has only as much access rights or permissions (“privileges”) as are necessary to accomplish their legitimate work. For example, when doing daily work like email or word processing, having admin or root access to the computer is unnecessary. On the other hand, if you need to install software or perform systems administration, you would need a higher level of privilege when doing those activities.
Least privilege access does not mean that you cannot do your job. It sometimes means that you will need to take an extra step or do something a different way. For example, you may have to provide your password before installing software.
If my drive is encrypted, what happens if it fails and I need my data?
When your hard drive is encrypted by the CMS, the CMS stores a recovery key that allows IT staff to decrypt your drive, for example if you forget your password or the computer will no longer boot. Note that a recovery key only helps if the drive is still readable; encryption does not protect against a physical drive failure.
For that reason, and as a best practice to prevent data loss, we recommend that you regularly back up your data to a secure location. Google Drive and CrashPlan (a cloud backup service with an annual cost) are options. Contact your local IT staff or firstname.lastname@example.org for more information.
What is “key escrow”?
“Key escrow” refers to a way to safely store a unique piece of information (the “key”) that can be used to recover data from an encrypted drive or file. The “key” is used to decrypt a hard drive. The EPS requires that all hard drives that store moderately or highly sensitive data are encrypted, and that the keys are stored by the university.
When hard drive encryption is done through a CMS, the keys are automatically stored for macOS and Windows systems.
Are there problems with being in a CMS?
Can I expect problems with working offline?
The CMS will not cause problems due to not being connected to the Internet. You can continue to work while you are offline.
The CMS software on your computer routinely checks in with campus servers to update hardware/software inventory and to maintain its connection to the servers. However, when you are not connected, those activities are postponed.
My computer would not let me log in to the NC State network after I had been traveling. Why?
Usually, using laptops that are in a CMS does not present a problem when traveling or working from off campus locations.
If you work with your local IT staff before you leave campus, we can help you avoid a few common causes of difficulty that may occur if you are traveling for an extended period or to areas with poor network connectivity.
What happens if I have problems after my computer is added to a CMS?
You should immediately contact your local IT staff or send a request to email@example.com
Who configures these settings? Who is my point of contact?
Many settings can be configured by college or local IT staff.
Your local IT person is your point of contact. If they are unavailable, you can send email to firstname.lastname@example.org
Where can I learn more or report problems?
Please contact your local IT staff or Sciences IT if you have concerns about CMSs. We have found that CMSs themselves are not problematic, but sometimes there are settings that need to be changed to accommodate different needs.
If you encounter a problem, you should contact your local IT staff first. If you need more help, or have further questions, send email to email@example.com and we will follow up with you.
The College of Sciences is in the process of setting up a method that will enable interested or concerned people to discuss their experiences with each other and IT.
What is an “exception”?
An “exception” means that your computer is exempted from complying with some part of the EPS or other security requirements. Exceptions require that different methods (see “compensating controls”) be used to secure your computer in place of that requirement. Exceptions can be granted for all or part of the EPS, depending on the situation. Exceptions are required to be renewed annually or if there are any deviations or changes from the original exception request.
How would I ask for an exception?
You would work with your local IT staff or IT director to request an exception. In the College of Sciences, you should send a request for consultation to firstname.lastname@example.org
When would an exception be granted?
Exceptions are granted when there is a bona fide need and other compensating controls are in place. For example, a computer connected to an instrument may not be able to be rebooted or patched. In those cases, alternative ways to secure the computer must be found.
How quickly are exception requests processed?
OIT Security & Compliance expects that under ordinary circumstances, a determination can be made in 2-3 days.
What is a “compensating control”?
A “compensating control” is something that is done to secure a computer when a particular security requirement cannot be met. One example of a compensating control is to isolate a computer connected to an instrument by removing its internet access.
What is a “business case”?
A “business case” is an argument that explains why an exception request is necessary. It describes what you are trying to accomplish and an explanation of how a given requirement causes a problem. Ideally it would include a proposed solution or alternative.
What is a “use case”?
A use case is a description of how a person who actually uses a process or system will accomplish a goal. For example, if the goal is to run a simulation, the use case would be “The goal is to run a complex simulation. I start the simulation on my computer and let it run for 50 days. At the end, I save the output and start a new run.”
What is the SURE environment?
The SURE environment is the Secure University Research Environment developed by OIT and ORI. It is a complete computing environment intended to allow a researcher to meet funding agency requirements when they require compliance with the NIST 800-171 security standard. At the present time this applies only to the Department of Defense grants, but it is expected that these requirements will be adopted by other funding agencies in the future. For information about SURE, contact email@example.com
What is an “isolated network”?
An “isolated network” refers to a network configuration that prevents computers from communicating over the Internet. It may also mean that computers on that “isolated network” cannot communicate with other campus computers.
The terminology can be unclear, since the computers may still be on the campus network. The “isolated network” can be a subset of the campus network.
Confidentiality, Privacy and Collaboration
What if I need to collaborate with someone at another institution that has provided confidential information, and I cannot allow their data to be accessible to others at the university?
The first thing to do is to check with the group that owns the data and determine whether the technical possibility that IT or security staff could access the data is an insurmountable problem. Contact your local IT staff or firstname.lastname@example.org for assistance in this discussion. We can help you enumerate who would have access to the data and explore options for limiting access and providing security.
If this is an insurmountable problem, the university recommends that you use that group’s computing resources remotely to work with their data.
What if I need to share data with someone at another institution, and they do not have an NC State login account?
There are several possible solutions, depending upon what you need to do.
In cases where you have a research collaborator that will need to access NC State resources requiring a Unity account, your HR unit can enter the person into the HR system as a “no pay employee” and they will get a Unity account. For short-term collaborations (3 months or less) we can create a “workshop” Unity account that will expire.
Check with your local IT staff to get started finding the right solution for your needs.
What is “sensitive data remediation” or “Spirion”?
“Sensitive data remediation” refers to the university’s automated method for locating sensitive data on university-owned computers and addressing any data that is improperly stored.
Spirion is a software application that allows the university to scan computers to detect sensitive data. It is required to be installed on all university-owned computers.
See NC State’s Sensitive Information Identification and Remediation for more information.
What does Spirion look for?
At this time, Spirion searches only for potential social security numbers and credit card numbers.
Who gets notified if Spirion finds something on my computer?
If you run your own scan, you will get notified by the application. If an issue is discovered as part of a scan that was initiated by OIT Security & Compliance, they will work with you and your local IT staff to resolve the issue.
What control do I have over the settings and how Spirion behaves?
You have access to modify many Spirion client settings that affect the scans you run on your system. You cannot modify the settings used by OIT Security & Compliance when they perform central scans to identify social security numbers and credit card data.
Currently, Spirion scans are scheduled on the third Thursday of the month starting at 7 pm or later.
Can anyone see the contents of my files if Spirion finds an issue?
No. The information remains in place on your workstation. The notification that OIT Security & Compliance receives for a potential issue includes only the file path and the first couple of digits of the matched data, not the file contents.
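To make the scanning and reporting behaviour described above concrete, here is a small added example (written for this page, not Spirion's own code) of a sensitive-data scanner that searches files for likely Social Security numbers and credit card numbers and reports only the file path and the first two digits of each match. The sample files are constructed inline so it runs offline; the Luhn checksum and the Social Security Administration "never issued" ranges used to discard false positives are reasonable choices for such a scanner, but the page does not describe how Spirion itself matches, so treat them as assumptions.

```python
"""Added example (not Spirion's code): a minimal sensitive-data scanner.

It walks a directory, flags likely US Social Security numbers (SSNs) and
payment card numbers, and reports only the file path plus the first two
digits of each match, never the full value. Sample files are constructed
below so the script runs offline.
"""
import os
import re
import tempfile

# Candidate patterns. Both are deliberately loose; the validators below
# remove the obvious false positives.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues (assumed ruleset): area 000, 666
    or 900-999, group 00, serial 0000."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or group == "00" or serial == "0000")


def scan_text(text: str):
    """Return a list of (kind, redacted_value) for each plausible hit.
    Only the first two digits of a match are kept."""
    hits = []
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            hits.append(("ssn", m.group(0)[:2] + "*"))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(("card", digits[:2] + "*"))
    return hits


def scan_tree(root: str):
    """Walk root; return {path: [(kind, redacted), ...]} for files with hits.
    File contents never leave this function, only path and redacted prefix."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    hits = scan_text(fh.read())
            except OSError:
                continue            # unreadable file: skip, do not crash the scan
            if hits:
                report[path] = hits
    return report


def demo():
    """Constructed sample files (not real data). Returns the report keyed by
    file name so the result is stable regardless of the temp directory."""
    samples = {
        "roster.txt": "Jane Doe 123-45-6789 ext 1234\n",           # plausible SSN
        "invoice.txt": "Paid with 4539 1488 0343 6467 on 3/1\n",    # Luhn-valid test number
        "notes.txt": "order 1234-5678-9012-3456 and id 000-12-3456\n",  # fails both checks
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            with open(os.path.join(tmp, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        report = scan_tree(tmp)
        return {os.path.basename(p): h for p, h in report.items()}


if __name__ == "__main__":
    for path, hits in demo().items():
        print(path, hits)       # e.g. roster.txt [('ssn', '12*')]
```

The two validators matter more than the regular expressions: a 16-digit order number that fails the Luhn check, or an SSN-shaped string with an area number of 000, is dropped before it is ever reported, which keeps the notification list short and keeps reviewers from opening files they do not need to see.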
Deadlines and Enforcement
What are the deadlines?
For Windows and macOS systems, the deadline for compliance is 6/30/2019 (extended to 12/31/2020 in departments that don’t have IT support). However, you can always implement the EPS before the deadline to protect your data and work sooner.
The deadline for Linux systems has not yet been established.
When and how will enforcement start?
Discovery of non-compliance will result in either the user’s Unity ID being disabled or their computer(s) being blocked from the network without access to the Internet or campus resources. The type of enforcement depends on the discovery.
Note that systems that store sensitive data are expected to comply as soon as possible and enforcement will apply upon discovery.
When enforcement begins:
- Systems with highly sensitive data (“purple data” or “red data”): Upon discovery (now)
- Systems without highly sensitive data: After the published deadline (June 30, 2019)
- Automatic enforcement for all systems will begin in 2021.
Bear in mind that your computers should comply with the EPS as soon as possible, because doing so protects your data and your colleagues as well.
If you can’t get into compliance, where is the liability?
If your computer cannot be made compliant with one or more of the requirements of the EPS, you should work with your local IT staff to submit an exception request.
What are the consequences for non-compliance?
Violation of applicable policies, regulations or rules regarding the use of university data or IT resources by faculty or staff may result in disciplinary actions, including but not limited to revocation of access privileges and other sanctions available under university disciplinary policies.
Personally-owned devices and personal data
What is the deadline for my personally-owned devices to comply with the EPS?
Personally owned devices such as cell phones, laptops, etc. are required to comply now if they directly access moderately or highly sensitive data (this includes all research data). Your local IT support staff can help you determine what you need to do.
Is my personally-owned computer, tablet or cell phone required to be in a CMS?
No. The CMS requirement only applies to university-owned computers.
What do I have to do about my personal cell phone?
Your personal cell phone doesn’t have to be in a CMS. If you do not use your cell phone to access sensitive data (what you access in MyPack Portal doesn’t count for this), then it just needs to have reasonable antivirus/antimalware software. There are many free versions available; your local IT staff can help you find a good one.
If you use your cell phone to access more sensitive data directly, there are additional required controls. However, it’s likely that most of them are already taken care of by your cell phone’s operating system.
- Remember that you are not permitted to store (e.g., download and save) sensitive data on your cell phone at all.
- If you have questions about what data is considered sensitive, ask your local IT staff or send your question to email@example.com to get OIT Security & Compliance to weigh in.
OIT provides guidelines to help you protect your phone and personal mobile devices. See Mobile Device Security.
What if I need help applying the EPS requirements to my personally-owned computer or device, or have problems after doing so?
If you have questions about meeting the EPS requirements or if your computer has problems after applying one or more of the EPS requirements, you can call the NC State Help Desk for guidance (firstname.lastname@example.org, 919-515-4357). Neither the university nor the college provide free technical support for personally-owned devices. Your local IT staff may be able to recommend a local company that could help you.
You should always ensure you have access to a recent system backup.
What expectation of privacy should I have if I store my personal data on a university-owned computer or device?
To best protect the privacy of your personal data you should not store it on university-owned computers or devices.
Personal data is data that was not created in the scope of conducting university business and is not considered university data. However, by storing this information on university-owned devices the university will have access to this information and may examine it on a case-by-case basis as expressed in NCSU Reg 08.00.02 – Computer Use Regulation.
What if I have personal files on my university-owned computer?
If you have personal files that you would like to keep private, your best option would be to store them on personally-owned computers, in a personal cloud account (such as your personal email account rather than your university-issued email account), or on other personally-owned devices such as flash drives or external hard drives.
University faculty and staff may access University IT resources for occasional, inconsequential personal uses if certain conditions are met. For a full list of these conditions please visit NCSU Reg 08.00.02 – Computer Use Regulation.
File sharing and file syncing
How secure is it to use cloud services like Box and Dropbox to share data?
All cloud storage providers are susceptible to data breaches. Some are more secure than others.
Under university policy, for cloud services such as Box and Dropbox, you can store sensitive data if the data steward approves. For research data, the PI is the data steward.
You cannot store social security numbers, credit card numbers, bank account numbers, biometric data, or fingerprints in Box or Dropbox unless the data is encrypted and the data steward approves (note that the PI is not the data steward for these kinds of data). As a best practice, you should never store such data in these services at all.
The data classification scheme and associated rules can be complex, so consult with your local IT staff or send a request for consultation to email@example.com if you are not sure about what services you can use to store your data.
What if I need to sync my files across multiple computers, and Google Drive is unreliable?
The College of Sciences recommends that you use Box or Dropbox to sync files across multiple computers until the university is able to provide a reliable file sync solution. You must configure your Box or Dropbox account to use two factor authentication.
You should consult with your IT staff before using any cloud service to store sensitive data. The data classification scheme can be complex, so talk with your IT staff for assistance in determining whether your data is considered sensitive.
See NC State Determining Sensitivity Levels for Shared Data
Is OIT going to discontinue AFS support?
OIT does not have immediate plans to discontinue AFS support. However, in the long term, OIT anticipates replacing AFS for some uses with another file system which has yet to be determined.