Thanks for the comments. There has been a significant change to this standard from the original post. The changes to the new standard emphasize the requirements for UNM-owned devices that access sensitive, protected data. We’ve shortened the security standard from a 200-page FBI document to a two-page document vetted by Security. An enterprise antivirus/antimalware that is managed is part of security requirements. If departments choose to use something else for computers accessed only by students, this standard doesn’t apply in that situation. The lifecycle of equipment is a recommendation, not a must-have. Operating systems will dictate hardware requirements as they go end of life.
As for AD authentication, yes, there will be necessary hardware, such as dongles, to attach to the wired network. We are working the AD authentication through wireless so the hardware won’t be necessary at some point. Joining the college’s domain is the first level of security for those of us who have access to protected, confidential data. For those situations that require equipment that communicates to an EOL operating system and need to be attached to network – let’s talk. Risk assessment for the potential of data loss would be assessed. As well, cost to upgrade equipment or related software would be part of that assessment.
The goal of this standard is to ensure we have appropriate security around different types of data. For compliance, that has yet to be determined. At a minimum, devices that do not meet the standard may be denied access to highly confidential, protected data.