| Title: | Endpoint Device Security Policy, Information Technology |
|---|---|
| Policy Owner: | Information Technology Services / Chief Information Security Officer |
| Applies to: | All faculty, staff, student employees, affiliates, and volunteers |
| Campus Applicability: | All UConn Campuses, except UConn Health |
| Approval Date: | March 4, 2026 |
| Effective Date: | March 9, 2026 |
| For More Information, Contact: | UConn Information Security Office |
| Contact Information: | techsupport@uconn.edu or security@uconn.edu |
| Official Website: | https://security.uconn.edu |
BACKGROUND
Endpoints are important tools for the University, and their use is supported to advance the mission of the university. Endpoints also represent a significant risk to information and data security. If appropriate security measures and procedures are not applied, endpoints can serve as a conduit for unauthorized access to University data and IT resources that can subsequently lead to data leakage and a path for compromise of other systems.
PURPOSE
To ensure data and information systems security by establishing requirements for endpoint devices.
APPLIES TO
This policy applies to all University faculty, staff, student employees, and volunteers who use endpoint devices to access any non-public IT resources owned or managed by the University.
DEFINITIONS
IT Resources: Includes systems and equipment, software, and networks. Systems and equipment include but are not limited to computers, hard drives, printers, scanners, video and audio recorders, cameras, photocopiers, and other related devices. Software includes but is not limited to computer software, including open-source and purchased software, and all cloud-based software, including infrastructure-based cloud computing and software as a service. Networks include but are not limited to all voice, video, and data systems, including both wired and wireless network access across the institution.
Endpoint: Physical device that connects to and exchanges information with a computer or telecommunications network, often acting as the interface between a human user and the network, including but not limited to, desktops, laptops, tablet computers, and smartphones. Endpoints do not host services for other endpoints.
Confidential Data: Institutional information protected by law, government regulations, statutes, industry regulations, contractual obligations, or specific university policies.
POLICY STATEMENT
University of Connecticut faculty, staff, student employees, affiliates, and volunteers who use endpoints, whether University-owned, externally owned, or personally owned, are responsible for any institutional data that is stored, processed, and/or transmitted via an endpoint, mobile, or remote device and for following the security requirements set forth in this policy.
To adequately protect the data and information systems of the University, all individuals covered under this policy are expected to meet the following requirements:
Endpoint Security Requirements
- Configure the device to require a password meeting the requirements set forth in the University Password Standard (https://security.uconn.edu/password-standards/), biometric identifier, PIN (minimum of 6 characters), or swipe gesture (minimum of 6 swipes) to be entered before access to the device is granted. Device must automatically lock and require one of the authentication methods after no more than 15 minutes of idle time.
- Keep devices on currently supported versions of the operating system and remain current with all published operating system and software patches.
- Enable and appropriately secure the device’s remote wipe feature to permit a lost or stolen device to be securely erased.
- Securely store the device when not in use to minimize loss via theft or accidental misplacement.
- Ensure internal hardware and external peripherals, including but not limited to USB devices, external storage, scanners, input devices, and displays, are manufacturer supported and compatible with the installed operating systems and other installed software.
- Except when being actively used, confidential information on endpoint devices must at all times be encrypted through a mechanism approved by the University. Whole drive or whole device encryption may be deployed to meet this requirement.
- Endpoints must have software enabled and running to identify, protect, and respond to any threats to the data or operating systems of the devices. University owned endpoints must be enrolled in the university-supported endpoint detection and response (EDR) platform.
- University owned endpoints must have Mobile Device Management software installed and enabled to facilitate device protection, including remote wipe and, if possible, device location technology for recovery. Personal devices should be configured to enable these features where possible.
Wherever practical, elements of these requirements will be enforced via centrally administered technology controls. University owned devices that are unable to meet these requirements must go through a security assessment prior to their use.
STORAGE OF CONFIDENTIAL DATA
In general, Confidential Data should not be stored on endpoints. However, in certain instances and depending on job responsibilities, this may be unavoidable. In these instances, Confidential Data must be stored ONLY on university-owned devices configured in compliance with this policy.
DEVICE DECOMMISSION OR SEPARATION FROM THE UNIVERSITY
When endpoints, including personally owned devices that may have had access to University resources or data, are no longer used, and sold, donated, given, placed in the control of or otherwise transferred to anyone else, the device owner is responsible for ensuring that any University information is securely deleted from the device, including University-related e-mails/accounts, user ID and password, or other cached credentials used to access University systems.
In the event of separation from the University, it is the employee’s responsibility to delete any University-related e-mail accounts or University licensed software that may have been installed on personal endpoints, devices, or computers.
EXCEPTIONS
In certain instances, there may be a justifiable business need to operate a device that is not in compliance with this policy. In these instances, users must work with the Information Security Office to request evaluation of an exception to this policy. Exceptions are reviewed on a case-by-case basis and are approved at the discretion of the Chief Information Security Officer based on justifiable business need and assessed risk. Exceptions must be reviewed and approved prior to implementation of any solution that does not fully comply with this policy.
ENFORCEMENT
Violations of this policy and any related procedures may result in appropriate disciplinary measures in accordance with University By-Laws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the University of Connecticut Student Code.
Questions about this policy or suspected violations may be reported to any of the following:
Office of University Compliance – https://compliance.uconn.edu (860-486-2530)
Information Technology Services Tech Support – https://techsupport.uconn.edu (860-486-4357)
Information Security Office – https://security.uconn.edu
REFERENCES
POLICY HISTORY
Policy created: August 30, 2021 (Approved by President’s Senior Team)
Revisions: March 4, 2026 (Approved by the Senior Policy Council and President)