With choice and freedom, inevitably comes some guidelines, rules or policies. This is also the case with the university’s approach to the usage of electronic equipment, such as laptops, phones and tablets in the near future.
Due to our ever changing technological landscape Information Technology recently saw the need to compile a policy to act as a guide for the use of SU and private devices. (Read our previous article on BYOD.)
Then End-user equipment and media policy establishes rules for the appropriate use of end-user equipment and media in the Stellenbosch University environment in order to protect the confidentiality and the integrity of academic and institutional information and applications as well as the availability of services at the University. It specifies the University and individual user responsibilities for processing, managing, and securing academic and institutional information on University and privately owned equipment (devices) and media.
These guidelines apply to all staff, students and associates who access the University network and information that relates to University owned or privately owned end-user equipment that will be used to connect to, access and/or process academic and institutional information.
This week we’ll look at the measures that have to be taken when it comes to access control to devices.
Prior to initial use via a physical connection to the University internal network or related infrastructure, all end-user equipment (with the exception of devices that are used to connect via Virtual Private Network (VPN)) must be registered with University Information Technology (IT) Division.
The IT Organisation reserves the right to:
– Refuse, by physical and non-physical means, the ability to connect privately owned or non-sanctioned end-user equipment to the University Network. The IT Organisation will engage in such action if it feels such equipment is being, or may be, used in a way that puts the University’s systems, information or users at risk.
– Summarily ban the use of a privately owned end-user device at any time. The IT Organisation need not provide a reason for doing so, as protection of the University Network and information is of the highest priority.
– Physically disable communication ports (such as Universal Serial Bus (USB) ports, other ports that can connect to storage devices or media) on University-owned IT assets to limit physical and virtual access to University systems and information.
– Users who wish to connect privately owned or non-sanctioned end-user equipment to the University Network to gain access to University applications or information and/or the Internet must implement, for their devices and related infrastructure, appropriate and up-to-date:
* personal firewall;
* anti-virus software;
* anti-malware software;
* any other security measure deemed necessary by the IT Organisation;
* operating systems (e.g. Microsoft Windows, Android, Apple iOS, etc.) and operating system updates.
– Users must implement physical security practices to prevent the theft or loss of end-user equipment and media, especially mobile devices, and academic and institutional information, including:
– If it is absolutely necessary to leave a portable device unattended, it should be secured with a cable lock or similar security device,
– Ensure that portable devices are not visible when left in a vehicle. If portable devices are left unattended in a vehicle it is recommended that they be locked in the boot.
– Lock portable devices away when not in use.
– Portable end-user media or devices which contain confidential academic and institutional information must be protected by an access control mechanism (e.g. password, biometric, PIN code or pattern lock, etc.). If the latter is not possible, access to data files on these devices or media, must be protected by an access control mechanism. Devices that are unprotected by an access control mechanism may not hold confidential1 academic and institutional information.
