Kiosk Security Standard

1. Purpose

This standard was created to set minimum requirements for generally shared devices that need to be easily accessible for faculty, staff, students, and the general public.

These requirements follow current security best practices and were drafted in response to UTS 165, which requires the University to maintain a safe computing environment.

Compliance with this standard will increase the level of security for kiosks in order to better protect University Information Resources. These minimum requirements exist in addition to all other UTRGV policies and federal and state regulations governing the protection of UTRGV’s data.

2. Scope

This standard applies to:

a. All computing devices owned, leased, or managed by UTRGV that are generally shared and easily accessible by faculty, staff, students, and the general public.

This standard does not apply to:

a. UTRGV-owned, leased, or managed computers that fall within the regular UTRGV Computer Security Standard.

3. Audience

All employees, students, consultants, vendors, contractors, and other affiliated and non-affiliated persons who operate a computing device within the defined scope.

4. Authority

  • UTS 165

  • UTRGV AUP

5. Definitions

Computer
Includes, but is not limited to, all computing devices, physical or virtual, such as desktops, workstations, servers, laptops, tablets, and smart phones.

Kiosk
An interactive, generally shared computing device that is easily accessible to faculty, staff, students, or the general public.

Personally Owned
Includes any computer which is not owned, leased, or managed by UTRGV.

Portable Computer
Includes any computer which is portable and typically runs on batteries, such as, but not limited to, laptops, tablets, and smart phones.

Software Firewall
Software that limits network traffic to and from a computer based on a security policy.

6. Standard Details

6.1 Requirements for All Kiosk Computers

6.1.1 Security Updates and Patches

Operating system and application security updates and/or patches should be expediently installed.

6.1.1.1 Change Management

Configuration changes should be performed in a manner consistent with change management procedures.

6.1.2 Hostnames

Computer hostnames must adhere to the UTRGV Computer Naming Standard and include the asset property number at the end.

6.1.3 Domain Membership

6.1.3.1 UTRGV Domain

Kiosk computers must be joined to the UTRGV Domain under the Kiosk Group OU.

6.1.3.2 Domain Eligibility

Only UTRGV-owned, leased, or managed computers may be joined to the UTRGV domain.

6.1.4 Administrative Privileges

6.1.4.1 Built-In Local Administrator Account

The built-in local administrator account must be disabled and renamed.

6.1.4.2 LAPS Requirement

For UTRGV domain-joined computers, LAPS must be used to properly manage enabled local administrator accounts in order to enforce password policies, standards, and best practices.

6.1.4.3 Limited Use of Administrative Privileges

Logging on with administrative privileges should be limited to activities that require it and only for the duration of the activity.

6.1.4.4 Authorized Personnel

Administrative privileges are limited to certain employees who are responsible for providing administrative services, such as system maintenance and user support.

6.1.4.5 Approval Process

Requests for local administrative privileges will be granted following an approval process defined by the Information Security Office.

6.1.5 Unsupported Products

Products, including operating systems, that no longer receive security updates from the vendor (end-of-life or otherwise unsupported products) are not authorized.

6.1.6 Software Firewall

Kiosk computers must have a software firewall that is enabled and managed by UTRGV Computer Support Staff.

6.1.6.1 Malware Protection

Kiosk computers must have enabled malware protection, such as antivirus software, with up-to-date definitions.

Kiosk computers must be free of malware and must not use software in a manner that infringes on copyright laws.

6.1.7 Physical Security

All kiosk computers must be physically secured.

6.1.8 Encryption and Password Protection

Kiosk computers must be encrypted and password protected using methods approved by the UTRGV Information Security Office.

6.1.8.1 Full Disk Encryption

The use of full disk encryption is required.

6.1.8.2 Default and Generic Accounts

Default and generic usernames and passwords should be changed or disabled.

6.1.9 Auto Logon

The computer must be set for auto logon.

6.1.9.1 Password Sharing

The auto logon account password should not be shared outside IT.

6.1.9.2 Kiosk Account

The UTRGV kiosk account, SVR_KIOSK, should be used for auto logon.

6.1.10 Screen Lockout

6.1.10.1 Screen Lockout Requirement

Screen lockout is not required.

6.1.11 Return to Preconfigured State

The device or computer should be capable of returning to a preconfigured state.

6.1.11.1 User Information Retention

The system must be configured so that no user data persists on the system after a restart or user log-out.

6.1.11.2 Standard Image Reset

Kiosks should be configured to reset to a standard image after a reasonable amount of time when not in use.

6.1.12 Computer Backups

6.1.12.1 Backup Responsibility

Computer backups are the responsibility of the computer operator or primary user.

6.1.13 Auditing Tools

Computers must have auditing tools installed that allow the Information Security Office to validate that the computer is compliant with UTRGV, UT System, state, and federal policies and standards.
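The following PowerShell script is an added example and is not part of the UTRGV standard or any UTRGV tooling. It audits a Windows kiosk against several of the 6.1 requirements above (patch recency, hostname, domain membership, built-in administrator, LAPS, firewall, malware protection, full disk encryption, auto logon) and prints a pass/fail table. It assumes Microsoft Defender and BitLocker are the malware protection and encryption products in use, that the domain name begins with "utrgv", that the Computer Naming Standard places the asset property number as a run of five or more digits at the end of the hostname, and that a patch or signature age of a few days counts as "expedient" and "up-to-date"; all of these are assumptions, not statements of the standard, and the parameters can be changed to match local practice.

```powershell
#Requires -RunAsAdministrator
# Added example, not UTRGV code: audit a Windows kiosk against the 6.1 requirements.
# Assumed values (not defined by the standard) are marked "assumption".
param(
    [string]$ExpectedDomain  = 'utrgv',      # assumption
    [string]$KioskAccount    = 'SVR_KIOSK',  # 6.1.9.2
    [string]$AssetTagPattern = '\d{5,}$',    # assumption about the Naming Standard
    [int]   $MaxPatchAgeDays = 45,           # assumption for "expediently installed"
    [int]   $MaxSignatureAge = 3             # days; assumption for "up-to-date definitions"
)

$results = New-Object System.Collections.Generic.List[object]
function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
}

# 6.1.1 most recent installed update must not be older than $MaxPatchAgeDays
$lastFix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
$patchOk = $lastFix -and ((Get-Date) - $lastFix.InstalledOn).Days -le $MaxPatchAgeDays
Add-Result '6.1.1 Security updates' $patchOk "last update $($lastFix.HotFixID) on $($lastFix.InstalledOn)"

# 6.1.2 hostname ends with the asset property number
Add-Result '6.1.2 Hostname' ($env:COMPUTERNAME -match $AssetTagPattern) $env:COMPUTERNAME

# 6.1.3.1 joined to the UTRGV domain
$cs = Get-CimInstance Win32_ComputerSystem
Add-Result '6.1.3.1 Domain' ($cs.PartOfDomain -and $cs.Domain -like "$ExpectedDomain*") $cs.Domain

# 6.1.4.1 built-in Administrator (RID 500) must be disabled and renamed
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
$adminOk = ($null -ne $builtin) -and (-not $builtin.Enabled) -and ($builtin.Name -ne 'Administrator')
Add-Result '6.1.4.1 Built-in admin' $adminOk "name=$($builtin.Name) enabled=$($builtin.Enabled)"

# 6.1.4.2 LAPS policy present (Windows LAPS key or legacy LAPS AdmPwdEnabled)
$laps = ( (Test-Path 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS') -or
          ((Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd' -ErrorAction SilentlyContinue).AdmPwdEnabled -eq 1) )
Add-Result '6.1.4.2 LAPS' $laps 'LAPS policy registry key present'

# 6.1.6 software firewall enabled on every profile
$fw = Get-NetFirewallProfile
$fwOk = @($fw | Where-Object { $_.Enabled -ne 'True' }).Count -eq 0
Add-Result '6.1.6 Firewall' $fwOk (($fw | ForEach-Object { "$($_.Name)=$($_.Enabled)" }) -join ', ')

# 6.1.6.1 malware protection on with fresh definitions (assumes Microsoft Defender)
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    $avOk = $mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled -and ($mp.AntivirusSignatureAge -le $MaxSignatureAge)
    Add-Result '6.1.6.1 Malware protection' $avOk "signature age $($mp.AntivirusSignatureAge)d"
} catch { Add-Result '6.1.6.1 Malware protection' $false 'Get-MpComputerStatus unavailable; check other AV manually' }

# 6.1.8.1 full disk encryption on the OS volume (assumes BitLocker)
try {
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    Add-Result '6.1.8.1 Full disk encryption' ($bl.ProtectionStatus -eq 'On') "$($bl.VolumeStatus), protection $($bl.ProtectionStatus)"
} catch { Add-Result '6.1.8.1 Full disk encryption' $false 'Get-BitLockerVolume unavailable' }

# 6.1.9 auto logon as the kiosk account. A DefaultPassword value in Winlogon is the
# password in cleartext; the Sysinternals Autologon tool stores it as an LSA secret instead.
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$autoOk = ($wl.AutoAdminLogon -eq '1') -and ($wl.DefaultUserName -eq $KioskAccount)
Add-Result '6.1.9 Auto logon' $autoOk "AutoAdminLogon=$($wl.AutoAdminLogon) user=$($wl.DefaultUserName)"
Add-Result '6.1.9.1 No cleartext password' (-not $wl.PSObject.Properties['DefaultPassword']) 'DefaultPassword value absent'

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) { exit 1 } else { exit 0 }
```

Run it from an elevated PowerShell session on the kiosk; a non-zero exit code means at least one check failed, which makes the script usable from a scheduled task or a management agent as the kind of auditing tool 6.1.13 calls for. The cleartext-password check matters because 6.1.9 requires auto logon while 6.1.9.1 restricts who may know the password: if the password is written to the DefaultPassword registry value, any process or local user that can read HKLM can recover it, so the credential should be stored as an LSA secret and the SVR_KIOSK account given no privileges beyond what the kiosk session needs.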

7. Roles and Responsibilities

7.1 Resource Owner

Ensures that any kiosk which they own or operate meets all requirements of this security standard. Resource owners should engage with UTRGV Computer Support Staff for guidance and compliance with this standard.

7.2 UTRGV Computer Support Staff

Ensure that all computers are configured to support the requirements defined in this standard.

7.3 Information Security Office

Define and maintain this standard at a level that specifies the configurations and security practices necessary to protect UTRGV information resources and to ensure compliance with all UT System, state, and federal policies and standards.

8. Non-Compliance and Exceptions

8.1 Administrator Access Exceptions

For individuals with administrator access: if any requirement in this standard cannot be met on an information resource they use or support, the Security Exception Process must be followed to address the associated risk.

8.2 Loss of Access

Machines defined as kiosks by the Information Security Office which do not adhere to this standard may lose access to UTRGV resources.

8.3 Disciplinary Action

Non-compliance with this standard may result in notification of supervisors and may be subject to disciplinary action in accordance with applicable UTRGV rules and policies.

9. References

  • UTS 165

  • UTRGV AUP

  • UTRGV Data Classification Standard

  • UTRGV Computer Naming Standard

  • UTRGV Security Exception Standard

  • NIST 800-53 Revision 4

  • Center for Internet Security Critical Security Controls Version 6

Appendix I. Examples

Examples include:

  • Kiosk machines used for non-affiliated students

  • Sign-in tablets, including:

    • Sign-in stations for prospective or current employees

    • iPads where current or prospective international students sign in when visiting the International Admissions and Student Services Office

    • Tablets in the UTRGV Student Food Pantry where users can sign in