Data Privacy and Device Management @ SESP

Tags SESP

TECH.SESP

Relevant Northwestern Policy Regarding Computing Devices

As a premier research institution, SESP community members have unique responsibilities and obligations to ensure the security and confidentiality of research and institutional information and data. Northwestern has a number of policies which provide direct guidance concerning these issues.

Northwestern's Patch Management Standard https://www.it.northwestern.edu/about/policies/patchmanagement.html
Northwestern's Endpoint Security Standard. https://www.it.northwestern.edu/about/policies/endpoint-security.html
Northwestern's Appropriate Use of Electronic Resources Policy https://policies.northwestern.edu/docs/appropriate-use-policy-final.pdf

In concert, these two new policies most directly effect SESP community members in the three areas detailed below.

Applying Updates and Rebooting Your Computer

The Northwestern Patch Management Standard requires that all "Critical" security updates be applied to all devices within five days of the update being available.  New vulnerabilities and security bugs are discovered and patches made available most ever week.  As a general practice, SESP community  members should expect to receive notifications concerning required updates on a weekly basis and we ask everyone to please apply all updates as quickly as possible.  Our patch management tools provide the capability for community members to defer updates a limited number of times to try and ensure updates do not occur during classes or other times when access to your device is required.  However, the number of deferred is limited as we are required by the university to ensure all patches are applied within five days.  This is a new practice and will require patience and understanding from our entire community.  As a general rule, please apply all updates at the first available opportunity.

Running A Support Operating System

Another key provision of the new Patch Management standard is the requirement that all devices on the Northwestern network must be running an operating system that is fully supported by the operating system provider. Apple devices has historically been reliable devices with the capacity to meet daily computing needs for much longer than the typical computing device life cycle which has allowed for us to continue to maintain older machines in labs and in less demanding computing situations. With the new standard, SESP community members will most likely need to update to new computers on a more consistent four or five year replacement cycle. We again ask for everyone's patience and understand as we work to ensure that SESP is in compliance with all university policies and security guidelines.

All Northwestern Devices Must Be Actively Managed

The third major procedural and cultural change implemented by the new policies is the requirement that all faculty and staff computers run all required management tools. Currently these tools include JAMF, MECM, Crowdstrike, and Tenable. As a reminder, all computing devices purchased with Northwestern funds are the property of Northwestern. As detailed in the Northwestern policy detailing the appropriate use of electronics resources, "Northwestern makes available Electronic Resources to community members so that they can share and store knowledge, communicate, and conduct business in support of the University’s mission. The University is committed to maintaining an environment in which academic freedom thrives. At the same time, the University needs to ensure the security and stability of the Electronic Resources it makes available to community members." Additionally, "Northwestern’s Electronic Resources are intended primarily for the execution of University business. Northwestern strives to ensure the integrity of individual and institutional information stored in its systems. The University reserves the right to examine, capture, archive, and otherwise preserve or inspect any data or information related to Electronic Resources that is either transferred over University networks or systems, created or stored on University-owned equipment, or created or stored on personally-owned resources when used for University business."

The SESP technology team works diligently to ensure the privacy of all SESP computing devices, however, as a general practice, we do not recommend storing personal images, files, or data on university devices.

Brief descriptions of each required software tool is listed below.

JAMF

JAMF is a device management solution for Apple devices.  JAMF allows SESP to ensure all SESP Apple devices are current with all required security patches and updates.

When Apple Publishes Security Updates
What You Will See On Your Mac

If an update must be installed by a certain time in order to stay compliant with security guidelines, you may get a notification like this one, indicating the update must be installed but with an opportunity to defer. This will allow time to save important files and install the update at a time that is more convenient for you.

 

On rare occasions, SESP IT will use a program called Nudge to notify users when there is a critical update that requires immediate attention.

 

MECM

 Microsoft Endpoint Configuration Manager (MECM) is a Windows device management platform that centralizes the management and inventory of all SESP's Windows devices. It serves as a centralized hub for software distribution, Windows updates, and software updates.

Microsoft schedules the release of security updates on “Patch Tuesday”, the second Tuesday of each month.

SESP MECM server will curate and deploy windows security updates using the below schedule. 

When Microsoft Releases New Security Updates
What Your Will See on Your Windows Computer
Installation of windows updates will start at 4pm on the second Friday after Patch Tuesday. Maintenance window is 4pm – 6am daily and all-day Sunday. Windows updates will be installed during the maintenance window. Having your computer on during the maintenance window will ensure windows security updates are installed.

Once the updates have been downloaded and installed you will see a prompt like the one below asking you to restart with an option to “snooze” (prompt to restart appears during the maintenance window only).

If you select to snooze, the prompt will disappear for 90 minutes.

You can continue to “snooze” (if needed) until you’ve reached the end of the 12-hour limit.  After which your device will restart to complete windows update installation. Note: Although you are given up to 12 hours to reboot, we encourage you to do so at the earliest convenience.

CrowdStrike

CrowdStrike Falcon is a cloud-native security platform that integrates various capabilities to prevent breaches. It combines next-generation antivirus (NGAV), endpoint detection and response (EDR), and proactive threat hunting services.

Tenable

Tenable provides continuous monitoring, assessment, and remediation of security vulnerabilities across an organization’s IT infrastructure. By identifying and prioritizing vulnerabilities, Tenable helps organizations enhance their security posture and reduce the risk of cyber threats.

Crashplan

Crashplan is a secure hosted data backup solution for workstation machines provided by Northwestern IT. The software performs regular data backups to reduce the risk of permanent data loss that can occur for many reasons including hardware failure, power failure, and virus attacks. If you would like to use this service, request an account by emailing consultant@northwestern.edu.

MacOS Support App

The Support app gathers important SESP Tech information in one place. You can check your hard drive storage capacity, find links to create a support ticket and access tech resources.

You will also see when there is an update available and a gentle reminder that it is time to restart your computer.

 

Was this helpful?
0 reviews
Print Article

Details

Article ID: 2487
Created
Mon 10/23/23 10:33 AM
Modified
Tue 9/3/24 8:46 AM