Secure Computing - Information for IT Professionals

All campus IT Professionals have a responsibility to incorporate IT security safeguards into the IT services and products provided to the University community. IT professionals should be familiar with the Secure Computing standards and, where appropriate, determine how best to apply these standards to the configuration and management of endpoints and servers in consideration of end users and specific departmental needs. Frequently, IT Professionals are the direct point of contact for IT requests and issues, and therefore in the unique position of sharing security best practices and helping others understand how to implement these in the course of their job duties. Foundational training is provided to IT Professionals in support of this important role.

The Secure Computing standards do apply to research institutes. Some institutes already adhere to stricter data protections imposed by external partners; in those cases, the more stringent requirements should be followed. In a future phase, all departments who opt to meet the standards outside of the framework offered by OIT will have to self-attest their compliant posture.

Understanding that all university-owned devices will not be in compliance with these standards immediately, a slow approach is being taken to enforcement. In the near term, OIT will be generating reports for campus leadership and IT Professionals showing progress in their areas and highlighting areas for improvement, which could include machines with out-of-date software or those lacking an endpoint detection and response software.

CU Boulder’s Microsoft A5 agreement provides the appropriate licenses needed to ensure the Secure Computing standards on desktops and laptops. OIT is subsidizing licenses for the EDR (Endpoint Detection and Response) solutions for servers through FY24, but will likely require departments to pay for their EDR licenses beginning in FY25. The Jamf endpoint management for Apple computers, along with those needed by the Windows 3rd-party application patching utility, require licenses that are being purchased by OIT on behalf of departments through FY24. OIT will provide more information to departments about financial costs related to the components of Secure Computing as soon as we can.

This is not a required field. However, the department abbreviation helps make sure that computers ordered for specific departments will work with custom computer deployment workflows that have been provided by the department. If this field is left blank, the Dell machine will run through the default Secure Computing workflow when the customer first logs into the computer.

Please reach out to the IT Service Center at oithelp@colorado.edu and OIT’s Endpoint Management Services team will reach out to you.

Yes, IT Professionals have access to a set of tools to deploy the framework on existing computers. IT Professionals should note that existing computers must be reset or re-imaged as part of the process of enrolling them in the program. Additionally, OIT is working on a streamlined approach that will allow end users to enroll their existing campus computer in the Secure Computing program. More information on this enrollment method will be provided as it becomes available.

While the standard applies to all university-owned devices, the project has not yet created an implementation strategy for phones and tablets and the recommended tools may not be supported by these device types. Components of the standard should be applied, including: up-to-date operating system and software, whole disk encryption, and cloud backups. A future phase of the project will consider a more robust tool suite to secure technologies other than computers and servers.

Yes, exceptions may be requested for unsupported and end-of-life software. Where adequate compensating controls are in place and sufficient business justification exists, these exceptions may be approved.

Yes, the Secure Computing standard applies to virtual desktops.

In most cases, yes. While the Secure Computing standard requires systems to run the Configuration Manager client, many endpoint management tools will work in parallel with Configuration Manager. It’s important that you test the two tools side-by-side to check for compatibility issues.

Yes, your computers must still adhere to the Secure Computing standard. If you are unable to meet the requirements, you will need to request an exception to the standard. Visit the Computer Standard Exception Process page for a detailed description of the process as well as the necessary forms to fill out.

No. BitLocker technology, combined with TPM chips, have come a long way. The Secure Computing framework escrows the backup copy of the encryption keys used for a specific computer. If there is a compelling business reason why BitLocker cannot be used, you may consider seeking an exception. Visit the Computer Standard Exception Process page for a detailed description of the process as well as the necessary forms to fill out.

Yes, the primary user who initially logged into the computer during the initial setup process is configured as a local administrator on the computer. As a result, if your customer needs help with a task that requires administrative access, they will need to work alongside you during that task so they are able to enter their password when it is needed.

Yes, we recommend that you walk through a few automatic setups with your customers to be sure the new process goes smoothly and so you can provide feedback to OIT. You will continue to help customers with additional departmental applications and settings.

Yes, but it is the responsibility of the IT Professional making these changes to ensure that the customized deployment still meets all the requirements of the Secure Computing standard. To get started with a custom deployment for your department, please send your request to the IT Service Center at oithelp@colorado.edu and OIT’s Endpoint Management Services team will reach out to you.

Yes, when making customizations to these computers in your Active Directory OU, Jamf or Configuration Manager, it is possible to change something that would cause your computers to no longer be compliant with the standard. It is the responsibility of the IT Professional making these changes to ensure that they do not impact the ability of the computer to meet all the requirements of the Secure Computing policy.

In the event that a departmental customization is causing unintended behavior with a computer in a department, OIT will ask the IT Professional to build an additional computer that is enrolled in the default framework only to confirm the problem is being caused by a departmental customization rather than default framework itself. Once confirmed that the issue is being caused by a departmental customization, it will be the IT Professional’s responsibility to review their customizations to isolate and fix the issue.