Information Security Requirements for Institutionally-Owned Computers (ISR-2)
Published: June 1, 2022
Compliance Required: September 1, 2022
Per the procedures defined in the Information Security for Institutional Information Policy (IT-8), this Information Security Requirement ("ISR") for Institutionally Owned Devices has been published by Drexel University or its subsidiaries or affiliates ("Drexel") to better protect Drexel information and equipment.
Computers owned or managed by or on behalf of Drexel ("Covered Computers") are for the exclusive benefit of Drexel and must operate with all required software and in the required manner described below or within the requirements of individually approved Exception Requests granted by the office of the Chief Information Security Officer.
- Covered Computers must primarily run a Supported Operating System (listed at https://drexel.edu/it/computers-software/operating-systems/supported-operating-systems/), provided that the Support End Date for the operating system has not passed.
- Covered Computers that are running older versions of otherwise-supported operating systems must be updated to a Supported Operating System version. Covered Computers running an as-yet unsupported newer version of an operating system must be reconfigured to a supported version, even if doing so requires re-imaging the computer.
- Covered Computers that are not compatible with any Supported Operating System are in non-compliance with this ISR and must operate under the terms of the Non-Compliance section.
Computer Management and Required Applications
- Covered Computers must be registered with and actively reporting into the Computer Management tools used by Drexel IT (e.g., Microsoft Endpoint Configuration Manager (MECM) for Windows-based computers, JAMF Pro for macOS devices, etc.).
- In support of university security, privacy, and compliance goals, Computer Management will install certain applications on Covered Computers and will update the applications as necessary. These applications (e.g., Microsoft Defender for Endpoint, activation of BitLocker or FileVault, etc.) may not be removed or reconfigured, and their operation must not be impeded.
Accounts and Users
- IT staff may create additional accounts on a Covered Computer. Other persons may not create any additional accounts on a Covered Computer.
- Covered Computers assigned to an individual are provided solely for the use of that individual. Others—including family members or friends of a person with a Drexel account—may not use the Covered Computer.
Covered Computers operating outside of compliance with the requirements of this ISR will be denied access to all Drexel wired and wireless networks, including via VPNs; denied assistance from Drexel IT, except to achieve compliance with this ISR; denied requests to recover data from failed storage components; and reported to the Office of the Chief Information Security Officer ("CISO").
Covered Computers that cannot be brought into compliance because of hardware incompatibility with all Supported Operating Systems should be promptly replaced. The expense for replacement rests with the department responsible for the incompatible Covered Computer. When prompt replacement is not practical, the head of the department responsible for the incompatible Covered Computer may submit an Exception Request to the CISO to continue to operate the incompatible Covered Computer for a limited time.
Some Covered Computers in non-compliance may require an extended time before replacement (e.g., specialized lab equipment requiring capital expenditures, delayed delivery because of limited availability, etc.). In such cases, the department responsible for the incompatible Covered Computer must submit its Exception Request along with one letter of support from its dean or VP and a second letter of support from a senior or executive vice president.
Requests for permission to operate Covered Computers outside of compliance with the standard requirements of this ISR must be made to the CISO. Approval of such requests will not be unreasonably withheld. See Institutionally-Owned Computers for information on how to submit a request.
Should a request be approved, the approval will maintain as many of the requirements of this ISR as practical and may add alternate requirements. The Covered Computer must then be operated in compliance with the requirements issued by the CISO.
Should a request be declined, the Covered Computer must operate per the requirements of this ISR.
Any violation of this Information Security Requirement by any Applicable Member shall be construed as a violation of the Information Security for Institutional Information Policy (IT-8) and may result in disciplinary action up to and including termination.