Office of Enterprise Technology Services Policy No. 508.01
Secure Device Standards
Effective Date: December 1, 2017
Revision No./Date: September 18, 2018

| Category | Minimum Standard | Comments |
| --- | --- | --- |
| Operating Systems | Operating systems must have mainstream support by the vendor | This is typically the current or immediately prior generation, i.e., “N-1” (e.g., Windows 8 and 10) |
| Operating system and application updates | Enabled | When manual updates are required, reasonable effort should be made to stay current |
| Device management platform compatibility | Microsoft Intune (if supported) | Mobile device management software with enabled remote location and erase services |
| Device passwords | Desktop/Laptop: 10 characters. Mobile device: 6 characters. All passwords must be unique. | |
| Device biometric security | Acceptable (provided the overriding device password meets standard above) | Examples of biometrics include thumbprint and facial recognition |
| Multi-factor authentication (MFA) | Enabled for remote access | Also known as 2-factor authentication and login verification |
| Host-based firewall | Enabled on the endpoint (if supported) | Also known as a personal firewall |
| Screen lock | Manual and auto screen lock functionality enabled (users must manually lock device screen when intentionally leaving the device unattended, in addition to enabling auto screen lock timer). Desktop/Laptop: Auto lock after 15 minutes. Mobile device: Auto lock after 5 minutes. | Device shall require reentry of password or biometrics after specified time |
| Full-Device/Disk encryption | AES 128-bit or higher (if supported) | Effective immediately for existing devices, if supported, and all NEW devices, without exception. Effective July 1, 2018, for all devices. |
| Device endpoint protection | Anti-Malware/Virus enabled and updating regularly (excluding Apple iOS) | |
| “Jailbroken” or “rooted” devices | Prohibited | Jailbreaking or rooting refers to mechanisms that involve overriding manufacturer controls and permissions |
