Technology Management Standards


Policy:                        Technology Management Policy

Document:                Technology Management Standards

Campus:                    MSU Bozeman

Revision:                    1.3

Contact:                     Ryan Knutson, Chief Information Officer
                                    rknutson@montana.edu


These Standards establish minimum guidelines for management of devices connecting to MSU’s network as outlined in the University Technology Management Policy (http://www.montana.edu/policy/enterprise_it/technology_management.html).


Operating System Requirements

Devices connecting to the University network must be using a supported operating system for which security updates are still being released by the manufacturer.

Examples of where Information on supported Macintosh, Microsoft, Linux and other server operating systems can be found below:

             • Apple: https://support.apple.com/en-us/HT201222
             • Windows: https://support.microsoft.com/en-us/help/13853/windows-lifecycle- fact-sheet
             • RHEL: https://access.redhat.com/support/policy/updates/errata

Software Maintenance Requirements

Software installed on University computers or attaching to the University wired or wireless network should be up to date with vendor supported patches.
Examples of where Information on supported software can be found below:

             • Microsoft: https://support.microsoft.com/en-us/lifecycle/selectindex
             • Java: http://www.oracle.com/technetwork/java/eol-135779.html
             • Adobe: https://helpx.adobe.com/support/programs/eol-matrix.html
             • Red Hat: https://access.redhat.com/support/policy/update_policies

Desktop/Laptop Security Software Requirements

When a viable client exists, the following software packages must be installed and used on Desktops or laptops:

             • Ivanti Endpoint Manager powered by LANDesk (for Windows computers)
             • Microsoft Defender for Endpoint
             • Spirion
             • RJamf (for Mac computers)

Server Requirements

The following requirements apply to all MSU servers including production, test, development, and research servers:

             • Must be managed by UIT system administrators
             • Must be hosted in UIT datacenters or on UIT approved cloud services
             • Must run a supported OS for which patches are regularly released 
             • All installed applications must be supported and regularly patched 
             • Where compatible, the following software must be installed:
                      - Microsoft Advanced Threat Protection
                      - Duo RDP/SSH
                      - Qualys
             • Updates and vulnerability mitigations must be applied in accordance with the vulnerability management standards
             • Must be entered in the MSU Server Inventory system
             • The following access controls must be implemented and maintained:
                      - Minimally permissive host firewalls
                      - Remote access restricted to appropriate VPNs
                      - Duo MFA protection (may be exempted on a case-by-case basis by UIT Security)
                      - Login restricted to appropriate tier(s), per MSU’s tiered access model
                      - LogRhythm access to system logs 
             • Where compatible, production MSU servers are to be backed up with a UIT approved backup protocol
             • Server hardware must be supported for firmware security updates
             • Any storage of controlled or restricted information such as PII, CUI, etc. must be approved by UIT and managed in accordance with the applicable additional standards            
             • The purchase of any new servers or server applications must be approved by UIT
             • When a server is decommissioned, data must be securely erased per DOD standards (physical systems) or properly deleted (virtual systems) and the system must be removed from
                or marked as decommissioned in all relevant integrations and documentation (firewall exceptions, server inventory, DNS, Qualys, etc.)
             • Exceptions to these requirements may be approved on a case-by-case basis by the VP/CIO or a designated delegate thereof