Software Security
Enhanced Endpoint Protection
Related Standard:Endpoint Security Administration (DS-23)
UM-Ann Arbor, UM-Dearborn, and UM-Flint use CrowdStrike Falcon for enhanced endpoint protection. All U-M owned systems (Windows, macOS, and Linux operating systems, whether workstations or servers) should have CrowdStrike Falcon installed.
Units are responsible for deploying Falcon on unit systems and having plans and processes in place to support deployment in an ongoing manner. Falcon sensor implementation status should be maintained in unit system inventory.
For complete instructions on how to deploy Falcon on your machines, or to request exceptions, visit CrowdStrike Falcon for Units.
Exception Process on CrowdStrike Falcon for Units
It may not be possible to install and run CrowdStrike Falcon on all U-M owned systems, due to technical and/or operational limitations. Examples of devices where it may not be possible to install and run CrowdStrike Falcon include:
- Network appliances (e.g. NAS)
- IOT devices
- Devices running incompatible operating systems (e.g. VMWare ESX, FreeBSD, etc.)
Questions and exception requests can be submitted using the Enhanced Endpoint Protection form.
Printers
- Any printer connected to the EECS network needs to be registered and configured by a DCO member (or one notified). The printer needs to be password protected.
- Any sensitive data as defined by SPG printed to an EECS private printer needs to be picked up immediately. No sensitive data shall be left on any printer.
- No sensitive data as defined by SPG shall be printed on a public printer.
Machines
- Any machine connected to the EECS network must have the latest security patches applied and a secure root/administrator password.
- If a machine connected to the EECS network is compromised, DCO will follow up, and either DCO or the machine owner will do what is necessary to eliminate the vulnerability.
- The machine owner of any machine connected to the EECS network will provide DCO with root access. Exceptions will be personally owned machines.
- Machines that store sensitive data as defined by SPG will be secured by a firewall, and access will be restricted to only a group of necessary individuals and machines that need access.
Other
- Passwords created will be secure and not shared with others.
- Sensitive data as defined by SPG will not be left in open offices or in printers.
- No sensitive data as defined by SPG will be emailed to someone without a compliant email server.
- A staff or faculty member with sensitive data as defined by SPG stored in their office shall make sure the doors are shut and locked when leaving the office. This includes filing cabinets and desk drawers.
|
