The Information Security Office has initiated a registration program to identify and assess the risks associated with critical devices throughout the University of Arizona. The primary goal of this program is to locate computers storing personal information that could be a target for identity theft, computers that provide critical functionality to the University, and servers with inbound Internet connectivity.
Why identify critical devices?
- Legal and regulatory requirements for data protection
- University audit requirements
- Identification of staff contacts
- Regular security scans and consultation
- Improved network planning
Which computers must be registered?
Personally Identifiable Information Storage. All computers storing Personally Identifiable Information (PII) must be registered. PII includes:
- Social Security Numbers
- credit card numbers
- bank account information
- driver's license numbers
- student grades or disciplinary information
- all FERPA non-directory information about students and former students, including home address and home telephone numbers, citizenship, and birth date
- income tax withholdings
- personnel records
- relatives' names and addresses
- student and employee identification numbers
- donations
- patient health information
- human subject data
- information the University has promised to keep confidential
- account passwords or encryption keys used to protect access to PII
Critical Function Computers. All computers must be registered if they provide critical functionality to the University and would cause significant loss if unavailable or compromised. Examples include:
- Server with life safety implications if unavailable or compromised
- Server with University or unit-wide impact if unavailable or compromised
- Domain Controller
- Domain Name Server
- Server with a large number of users
- Server the loss of which could result in substantial financial liability (e.g., related to grants and contracts)
- Server housing an important application
- Computer involved in credit card processing
Inbound Internet Connectivity. All servers must be registered if they are available to the Internet for server-based requests. These include web, mail, DNS and database servers that are accessible to some or all of the Internet.
How will the Information Security Office use the information?
Server Baseline Reviews. Once you have registered a server, you will be contacted to complete a baseline security review. A baseline security review evaluates your server configuration and processes in light of the University's established acceptable standards. The primary focus of the current baseline is appropriate protection for data and access control. You will receive the results and security recommendations based on priority. The Information Security Office expects the responsible administrators identified in the registration to plan and implement security recommendations in a reasonable timeframe. The template below will assist you with the review:
- Server Baseline Review Template (thanks to Eric Case for sharing this)
Security Scans. The Information Security Office will use information provided by registrants to perform periodic server security scans. The goal of the scans is to reduce the vulnerability of University computers and the network to hacking, denial of service and other security risks from both inside and outside the University. Higher risks are given priority, but other computers are scanned upon request.
Ongoing Follow-up. The Information Security Office will alter and adjust the University baseline standards in response to Internet attacks and hacking incidents and will require follow-up reviews. Additionally, the Information Security Office may follow up on the progress of security baseline reviews and the implementation of recommendations.
Critical Device Registration Form
To register your device, you must log in using your UA NetID and complete the Critical Device Identification form.
- Additional Background and Definitions
- Registration Form
References:
- Server Security Standard (IS-S702)
- University Network Operational Standard (IS-S602)
- Personal Information Sweep Procedure (IS-P301)

