College of Engineering Computing Policies and Standards

University leadership has crafted and will maintain administrative policies, guidelines, and standards to provide base-level guidance, specifically Policy AD95 - Information Assurance and IT Security and Policy AD96 - Acceptable Use of University Information Resources, for all IT related issues.

The College of Engineering adheres to this institution-wide security program designed to ensure the confidentiality, integrity, and availability of the Pennsylvania State University’s (“Penn State“ or “the University”) information assets from unauthorized access, loss, alteration, or damage while supporting the open, information-sharing needs of our academic culture.

The College of Engineering is permitted to enhance the language of the standards in order to best clarify the college’s security position. The College of Engineering Security Committee has reviewed the standards and provided the following additions.

College of Engineering Technology Procurement Policy

Review the policy regarding purchases of technology or contracted services of computers, computing peripherals, and software from vendors outside the University.

Access, Authentication, and Authorization Management

Least User Privilege

• All computers must be operated in Least User Privilege mode for normal logon. All Least User Privilege accounts must not have administrative rights, regardless of the presence of native user access control management on the system.
• Users demonstrating a valid business need for elevated privileges will be delegated the necessary capability either via the use of native, or approved third party, privilege management solution. If this approach proves to be inadequate, a separate "facadmin" account may be granted.
• University-owned computer(s) must be administered by a professional information technology staff person.
• Unless granted an exception, all systems must use the University's Enterprise Active Directory (EAD) as their primary authentication source.

VPN/Remote Access

• All remote or wireless systems must use the college approved VPN with multi-factor authentication (MFA) to access resources inside of the college's network.
• All remote access must be done via an encrypted and approved remote access application.

Access Control and Authorization

• In order to adhere to the standard's Session Termination requirement, all College of Engineering systems must be configured with an approved enterprise control (e.g., GPO, Jamf, etc.) to ensure systems automatically lock when idle.

Network Security

Unless otherwise excepted, all systems connected with the College of Engineering's network infrastructure must do so using an assigned DHCP IP address via the college's network infrastructure. In most cases this will require the system's MAC address to be preregistered with local IT.

Physical Security

AD95 encourages that all laptops employ disk level encryption to prevent data exposure in the event the laptop is lost or stolen and requires it on level 3 and 4 systems.  The College of Engineering has already experienced such data loss and has adopted the recommendation as a standard requirement for all College owned laptops.

As per the U.S. Department of State—Bureau of Consular Affairs, all persons traveling to countries listed as Level 3 (as classified by the U.S. Department of State) or higher must use a loaner laptop that contains no data classified higher than “Low” as determined by the Penn State Information Classification Tool. Persons traveling to countries listed at Level 2 are highly encouraged to use a loaner laptop.

Requests for Exception to Information Security policy

Requests for exceptions to the college standards must go through the College of Engineering IT Security Liaisons.

Vulnerability Management

Unless otherwise excepted, systems must be running all college-required desktop/patch management, logging, anti-virus, and other security-related software. All operating systems must be fully supported (not categorized as “End-of-Life”) by their respective developers.

Windows must be Enterprise Edition to support all possible security/management options.

All firewall exception requests must be made by a department’s professional information technology staff person to the College IT Security liaisons.