APPENDIX TO POLICY
Device Firewall Standard
To ensure authorized access and to prevent unauthorized access to University information and IT resources, end-user devices, servers and other computing devices must be protected through the use of a device firewall.
Multi-user systems (e.g., server)
The following table defines the baseline security controls for device-based firewall on multi-user systems.
|DF.A.01||Firewall installed and operating||Required||Required||Required|
|DF.A.02||Documentation of firewall rules||Required||Recommended||Optional|
|DF.A.03||Periodic review of rulesets (suggested: semi-annual or annual)||Required||Recommended||Optional|
Single-user systems (e.g., desktop, laptop, mobile devices)
The following table defines the baseline security controls for device-based firewall on single-user systems.
|DF.B.01||Firewall installed and operating||Required||Required||Required|
|DF.B.02||Documentation of firewall rules||Recommended 1||Recommended||Optional|
|DF.B.03||Periodic review of rulesets (suggested: semi-annual or annual)||Recommended 1||Recommended||Optional|
1 This is required for systems in scope for credit card processing environment per PCI-DSS. This includes systems that support or store, process or transmit cardholder data.
This applies to IT resources owned or contracted by the University. This also applies to personally owned devices accessing, or authorized to store, University data designated as private-highly restricted or private-restricted .
This applies to University community members who use or manage University IT resources.
More information on Device Firewall