Minimum Security Standards

The UC Electronic Information Security Policy was established to protect confidentiality; to maintain the integrity of all data created, received or collected by UC (Institutional Information); to meet legal and regulatory requirements; and to ensure timely, efficient and secure access to information technology resources (IT Resources).

The following Minimum Security Standards were derived from this policy and apply to all users and all devices connected to the UCI Network or accessing UCI Information. 

Minimum Security Standards: Endpoints

Examples of endpoints include desktops, laptops, tablets, and other mobile devices.

Any device connecting to the UCI network or accessing institutional information must follow these
Minimum Security Standards:


What to do


Install anti malware software running up-to-date definitions. UCI recommends Microsoft Defender for Windows.

Perform real-time protection and regular full scans.

Backup and Recovery

Make sure your institutional information is backed up incrementally daily and a full backup weekly. Test your backup recovery monthly.

Protect your backups based on the classification level of the information contained.

Host-Based Firewall

Run Host-based firewall software configured to block all inbound traffic that is not explicitly required for the intended use of the device.

Password/PIN Lock

Secure devices with a strong password, PIN, smart card or biometric lock.


Use automatic updating or connect to your IT department patching and upgrade service.

Apply supported security patches to all operating systems and applications as soon as possible. Critical and high-risk vulnerabilities must be patched within 14 days, other patches must be applied within 30 days.

Physical Security

Use physical security cables to protect against theft or loss of valuable information from your workplace or vehicle.

Lock devices in a cabinet at the end of the day/shift.

Portable Device Encryption

Device-level encryption is required for all portable devices.

Separation of Non-Privileged and Privileged Accounts

Use non-privileged user accounts. Only elevate to root or Administrator when necessary.

Session Timeout

Use lockout/screen-lock mechanisms or session timeout to block access after a defined period of inactivity (15 minutes).

Enable inactivity timeout on portable computing devices. Use TMOUT or another method to automatically logout on LINUX or UNIX.

Supported Operating Systems

Run a version of the operating system that is supported by the vendor. Make sure patches and updates are available: