Office of Information Technology

Checklists by Risk Classification Level for Endpoint Security Compliance

Endpoint Checklist: Level 1

  • You must lock your device with biometric lockout (like Touch ID) or a password that only you know.
  • Set a timeout so your device locks automatically when it is inactive.
  • Enable automatic updates (may not be needed if your device is managed by Brown IT staff).
  • Install anti-virus/malware protection software.
  • Never leave your device unattended in an unsecured location.
  • Keep your area’s IT support staff apprised of all Brown-owned devices that have been entrusted to you, including desktop, mobile and removable media. If you are IT support staff, you must maintain a current list of your area’s devices.
  • Recommended: Be able to remotely wipe your device if it is stolen.
  • Recommended: Encrypt your device.

Endpoint Checklist: Level 2

  • The login for Brown-owned computers should be connected to Brown authorization services. IT support staff can set this up. For other devices, you must lock your device with biometric lockout (like Touch ID) or a password that only you know.
  • You must set a timeout so your device locks automatically when it is inactive.
  • You must enable automatic updates (may not be needed if your device is managed by Brown IT staff). If your device can’t be updated, you must be exempted by OIT’s Information Security Group and have special protections put in place. 
  • Install anti-virus/malware protection software.
  • Never leave your device unattended in an unsecured location.
  • You must have the capability to remotely wipe your device.
  • Encryption must be applied if the device is capable of it.
  • If the device is removable (e.g., a thumb drive), seek a more secure storage option. If none exists, it must be encrypted.
  • Keep your area’s IT support staff apprised of all Brown-owned devices that have been entrusted to you, including desktop, mobile and removable media. If you are IT support staff, you must maintain a current list of your area’s devices.

Endpoint Checklist: Level 3

Complete the Level 2 Checklist but also apply the following extra measures to address the heightened risk of possible exposure of Level 3 data.

  • You should keep Brown data on its Brown system of record. If you must transfer the data: 
    1. it must be to a password-protected and encrypted device,
    2. only do so for as long as necessary to complete the transfer, and
    3. you must properly sanitize the device after the transfer is complete.
  • If you are using a device not capable of encryption, you must use other methods to minimize risk of data loss, such as additional physical security, physical detachment from the network, logical network segmentation, and enhanced automated auditing.
  • If your device is used to access or store data covered by data use agreements, government regulations (e.g., PCI DSS, FERPA, CJIS, HIPAA), or compliance requirements, you must use the mandated security controls.