Tulane University Device Security Standards

Overview

All devices which access Tulane data/systems must adhere to the following standards. Additionally, compliance with all policies, laws, regulations, and/or processes applicable to the Tulane resource being accessed may require additional configuration or requirements. Please contact the Responsible Office within the applicable policies for any questions.


Device Security Standards (Tulane Owned & BYOD)


A. Operating System:

  1. Approved and licensed operating system and that has not reached end of support/end of life status (e.g., Windows 10/11, macOS, Linux distributions).
  2. Disk encryption is enabled for all drives storing Tulane data and the operating system.
  3. Local firewall enabled
  4. Security updates for the operating system must be installed within 2 months of release.
  5. Devices shall NOT be Jailbroken or otherwise altered to change built-in protections.

B.  Software:

  1. Software cannot be pirated or unlicensed.
  2. Must be a supported version that can receive updates, and security updates installed as released.

C. Security:

  1. Must have an anti-malware/anti-virus/EDR application installed.
    1. CrowdStrike EDR is automatically installed on all Tulane managed devices.
    2. CrowdStrike AV available for Personally Owned devices.
  2. Passwords must meet or exceed Tulane’s minimum-security standards.
  3. An encrypted password storage solution should be used if users store their passwords on the same device.
  4. Remote access to the Tulane Corporate network should ONLY be through the University provided VPN or Virtual Desktop Infrastructure (VDI), or Tulane IT approved methods. Tulane University’s Multi-factor authentication (MFA) will be required for all remote access connections.
  5. Employ access protection using a passcode, passphrase, fingerprint, or other electronic means.
  6. Devices must be kept physically secure to avoid unauthorized access, theft, or loss. If the device is lost or stolen the user must report it to the security office immediately.

D. Data Protection:

  1. All Tulane users must understand and adhere to Tulane University’s data classification policy, which defines how different types of information should be handled, stored, and transmitted.
  2. All sensitive or confidential information must be encrypted both at rest and during transmission, following the encryption protocols specified by Tulane University, and accessed only through Tulane approved devices and methods.
  3. The sharing of sensitive or confidential information must be approved, secure, and in compliance with all applicable regulations and policies.

E. Mobile Device Access:

  1. Accessing the M365 environment from a mobile device should be done through Microsoft Apps (Outlook for Mobile) or Office.com only. Native Android and iOS applications such as Mail are not as secure.
  2. Tulane will perform a remote wipe to ensure the protection of Tulane data under certain conditions. Using the Microsoft Outlook application will ensure personal data is not deleted in the event of a remote wipe initiated by Tulane.

Tulane Owned assets ONLY

In addition to the standards above, Tulane Owned assets must meet the following requirements:

A. Mobile Device Management (MDM):

  1. Enrolled or managed through a University approved Mobile Device Management (MDM) or configuration management system (i.e. Intune or JAMF).

B. Software:

  1. Only approved software should be installed on Tulane owned assets.

 

Applicable Policies and Compliance Frameworks:

  • Workstation & Mobile Device Policy
  • BYOD Policy
  • Compliance: NIST 800-171, HIPAA, CMMC, NIST CSF