Secure Computing - FAQ

General FAQ

What is OIT's role in Secure Computing standards for computers and servers?  

As described in APS 6005, the CIO is designated by the Chancellor with oversight authority for all campus IT operations and may enforce the requirements of University and campus policies for information security. OIT is providing and supporting solutions that will make it easier to comply with the new standards. Finally, OIT may shut down IT operations that are out of compliance with this and other IT policies.

I do not have an IT person. How do I receive Secure Computing support?

Support for people who do not have dedicated IT staffing may request assistance through the IT Service Center by calling 303-735-4357 or oithelp@colorado.edu. Alternatively, you may schedule an appointment with Buff Techs.

With this change to Dell and Apple computers ordered through the CU Marketplace, will order fulfillment take longer than before?

No. This change to Dell and Apple computers will in no way affect order fulfillment or delivery times, so you don’t need to build in more time to your order.

Will I still contact my local IT support person for assistance with my new computer?

Yes, you can still contact your local IT support person for help or assistance with your new computer. The new out-of-box, hands-off setup experience provided through the Secure Computing standard should be quick and trouble-free. However, you might feel more comfortable scheduling a time with your IT support person to walk through that initial setup together. Alternatively, you could schedule a time with them after the automated setup is complete to make sure you have everything you need. Perhaps there are additional applications that need to be installed, or custom tweaks to your software are needed. Your IT support person can certainly continue to assist you with these and other needs, just like they have in the past.

Will the departments need to pay for adhering to the standards?

For desktops and laptops, licensing is included in our campus A5 license. OIT will pay for server licenses (Defender for Endpoint Plan 2) through June 30, 2024) Departments will need to anticipate and plan for this cost in future years starting in FY25. 

Will there be exceptions to the standards?

If there is a compelling business reason for an exception, it will be considered on a case-by-case basis. Exceptions must receive approval from both the Provost and Executive COO, in consultation with the Senior AVC/CIO. Visit the Computer Standard Exception Process page for a detailed description of the process as well as the necessary forms to fill out.

What mechanism will there be for securing or excepting specialized research software or hardware items from the restriction of end of life/unsupported software? What if a system uses legacy software which cannot be updated in support of an expensive piece of hardware?

As part of the exception process, OIT Security will work with the requestor to review the capability for compensating controls (e.g., network disablement/isolation) to minimize the risk of using legacy software. Exceptions will be granted on an individual request basis and, if a compelling business reason exists, must be approved by the Provost and Executive COO in consultation with the Sr. AVC/CIO. Visit the Computer Standard Exception Process page for a detailed description of the process as well as the necessary forms to fill out.

Do the standards apply to all brands of computers?

Yes. Ordering a Dell or Apple computer through the CU Marketplace will arrive pre-configured to automatically apply settings and software needed to ensure compliance with the Secure Computing standards. Other brands of computers will require more manual configuration and setup to comply with the standards and will be the responsibility of the user in a later phase that addresses existing computers. All computers will be required to comply with the Secure Computing standards unless an explicit exception has been granted.

Can I install my own software?

Yes. You can still install your own software on the computer. You may find the software you need is already available via the Software Center (Windows) or Self Service (Mac) applications that come pre-installed on your computer. If you find that you need software that isn’t available via the self-service options, you may download and install the software on your own. Be aware that one of the Secure Computing standards requires that any software you install is current, regularly updated, and supported by the vendor. Third-party software is just as susceptible to targeted security vulnerabilities as the underlying operating system, so it’s important to remember that you are taking on the responsibility to ensure that the software you install is kept up-to-date.

If we have existing computers that do not comply with the standards, will we have to buy new computers?

OIT is working on ways to ensure qualified computers can be brought into compliance, rather than replacing them. However, if existing computers are unable to be upgraded, new computers may be required.

I am receiving an error when trying to set up my new computer, how do I solve the issue?

During the initial setup of your Dell computer, you will be prompted to enter your IdentiKey username and password. If you enter your Identikey username of password incorrectly, you will get an error message indicating as such. If you receive any other error message within 30 seconds or so of entering your IdentiKey, the problem is likely that you do not have the appropriate Office 365 license assigned to you.

Check the status by having the computer's primary fill out the Office 365 Apps License form (on-campus or VPN connection required). Completing this form will either notify that a license already exists for the user or a ticket will be created to assign the license (should take no more than one business day). For assistance with licensing or any other issues contact the IT Service Center at oithelp@colorado.edu or 303-735–4357 to get help.

What if my existing computer is too old to comply with the standards?

If a computer is unable to run an operating system that is currently supported, the computer must be replaced. Learn more about purchasing a new Windows or new macOS computer.

What is the benefit of purchasing new computers through Marketplace?

Purchasing new computers through CU Marketplace is the "Easy Button." The computer will arrive pre-configured to automatically apply settings and software needed to ensure compliance with the Secure Computing standards. You may also find the initial setup of the computer to be more simple and faster than in the past, as the individual installation of standard software and configurations are no longer needed. The setup is flexible enough to be completed from your home, campus, a coffee shop, hotel, or a beach. Anywhere you can connect to the internet will support a Secure Computer.

What if the higher-end and specialty computers I need are not available through the CU Marketplace?

You may need to work with Dell to use a custom quote for your order. You can use the Dell purchasing page in the CU Marketplace to access a list of Dell contacts that can help you with your order.

What if the computers available on the CU Marketplace don't meet my business needs?

If you decide you need to purchase a computer from an alternative vendor, you will still be required to meet the Secure Computing standards. It may be possible for you to work with OIT to manually enroll the non-Dell Windows computer in the Secure Computing program. Contact the IT Service Center to submit a support request.

Are Secure Computers backed up centrally?

All Secure Computing computers back up any data stored on the Desktop and in Documents to your OneDrive. Data stored outside these locations are not backed up. It is recommended that all data be stored in these specific folder locations. Alternatively, you can also use the OneDrive application to store and access files in OneDrive.

What should I do with my Secure Computer at the end of its lifecycle?

University of Colorado policy states that all computing devices purchased with university funds (included grants) are considered the property of the university and must be returned and disposed of through Property Services. Learn more under Disposal of Electronics on the Property Services website.

Existing Computers FAQ

Why must endpoint detection and response (EDR) software be installed on all computers?

EDR is the single-most critical security tool that protects CU’s data in real-time. If you are used to having antivirus software on your computer, this is the latest evolution that builds on those older capabilities to add on response functionality that stops an attack before it can cause major disruption or damage to other systems. Having this tool installed on all of our computers ensures consistent and fast incident response.

Why is June 30, 2024, the deadline for installing EDR?

The standard requiring EDR was published in July 2022 and the campus has been slowly rolling the software out to machines managed by Dedicated Desktop Support (DDS), departmental IT Professionals (ITPs), and on all newly purchased Macs and Dells purchased through Marketplace. Campus leadership established the June 30, 2024 deadline as a target for all machines that have not yet installed EDR to ensure we have full protection.

Can OIT help me install EDR software?

Yes. Self-service instructions for EDR installation are posted on OIT's website. In addition, faculty and staff who do not have dedicated IT staffing may request assistance through the IT Service Center by calling 303-735-4357 or oithelp@colorado.edu. Alternatively, you may schedule an appointment with Buff Techs Desktop Support.

Can I request an exception to the EDR requirement?

Yes. Exceptions will be granted on an individual request basis and, if a compelling business reason exists, must be approved by the Provost and Executive COO in consultation with the Sr. AVC/CIO. Visit the Computer Standard Exception Process page for a detailed description of the process, as well as the necessary forms to fill out.

Is there a cost for EDR software?

Microsoft Defender for Endpoint, which is the EDR solution for computers, is covered by CU's Microsoft licensing agreement. There is no cost to departments for using the Defender software. CrowdStrike EDR may be used on Linux computers, though continued central funding for this software is not guaranteed.

What if my computer is too old to run EDR?

If a computer is unable to run any software required by the standards, the computer must be replaced. Learn more about purchasing a new Windows or new macOS computer.

How do I get a new computer?

The CU Marketplace is the recommended place to acquire a computer. Dell and Mac computers purchased through the Marketplace are preconfigured to meet the Secure Computing Standards.

Who pays for a new computer?

Departments are responsible for budgeting for device renewal and replacement for all their machines on a recurring schedule, usually every 3–4 years. They will need to cover the cost of purchasing new computers just as they currently do. Note that faculty are eligible for a subsidy of $1,200 for a new computer every fourth year through the Faculty Computer Purchase Program. Learn more about the FCPP.

How do I know if my computer is meeting the Secure Computing Standards?

If you're unsure if your device is enrolled in Secure Computing, you should follow the instructions on the Secure Computing Self Service Software page to see if you have access to the Software Center.

How will OIT know if my computer adheres to the Secure Computing Standards?

Many of the requirements rely on OIT-supported and approved applications and OIT will be reporting on the enrollment into these services. Enrolling your machine in the Secure Computing framework is the smoothest way to ensure all these applications are configured correctly and your machine will show up in OIT's inventory as fully compliant.

How will my privacy be protected when my device is enrolled in the Secure Computing program?

Because these products look for suspicious applications and programs, they record details about processes and programs that are run on the computer, as well as the names of files being accessed. The tools analyze connections to and from the internet, including addresses (Internet Protocol addresses and full URLs matching the host name) visited or involved in the connections, but the contents of the connections (web pages, application data, etc.) are not accessed or recorded. Per the Acceptable Use of CU Boulder's IT Resources Policy, individual content may be accessed through automated information security systems for the purposes of detecting and responding to threats to campus information resources.

My computer is managed by OIT's Dedicated Desktop Support (DDS). Do I have to do anything to make my computer compliant with the standards?

Not at this time. Computers managed by DDS already have most of the necessary software to be compliant with the Secure Computing standards. The requirement for backing file storage up in OneDrive may need manual intervention, so DDS technicians are still working through machines to ensure full compliance. DDS technicians will be reviewing all machines and following up with any individuals who will need to modify or replace their system in the coming months to meet the standard in October 2025.

Do all my university-purchased computers have to meet the Secure Computing Standards?

Yes, all university-purchased computers must meet the Secure Computing Standards by October 2025. At this time, laptops, desktops, tablets or mobile phones must adhere to the Secure Computing Standard for Computers. This does not include printers, removable storage, or Internet of Things (IoT) devices and sensors.

My computer was given to me by another CU employee. Does that computer need to meet the Secure Computing Standards?

Yes, all university-purchased computers will need to meet the Secure Computing Standards by October 2025.

I purchased my computer with a research grant. Does it need to meet the Secure Computing Standards?

Yes. All computers purchased with University funds used by faculty, staff, students, Persons of Interest (POIs) and sponsored affiliates to access information technology resources must meet these standards. If a computer is managed by the granting agency and exceeds the requirements identified within this Standard then it may be exempt from some of CU's requirements, as it must meet whichever controls are more stringent.