Personal Computer (PC) Operating System Standard
April 7, 2015
This standard establishes the minimum expected operating system requirements for personal/client computers (non-Server computers) purchased and used by state agencies.
PC/Client computing devices comprise the largest set of individual computing devices employed by the State IT Enterprise. PC/Client computers support numerous information technology and automation tasks, both independently and in conjunction with Server-class computing devices. Creating and adopting an operating system standard supports security, procurement, and operational computing objectives that protect State data, promote technology integration, streamline asset purchasing, and optimize support models and standards.
This standard sets the minimum requirements for PC/Client operating systems, procured through normal processes and channels, intended for use in State government. This standard applies to all agencies as defined by Iowa Code Chapter 8A, Section 101. Non-participating agencies are encouraged to follow the guidelines in this and other enterprise security standards.
- PC/Client Computing Devices: Desktop, Laptop, and Workstation-class computers that are capable of running an operating system that allows both non-networked computing task capabilities, as well as network-based, client-server computing task capability.
This standard will be reviewed at least every two years and updated as needed.
Elements of the Standard
The following elements apply to PC/Client Operating Systems:
- Policy: The enterprise policy is a PC/Client computing operating system based on a supported Microsoft Windows Operating System.
- Approval: Use of any other PC/Client operating system(s) (Non-Standard OS) must be approved in writing by the OCIO or designee.
- Compliance: Agencies shall require that all PC/Client computing devices with a Non-Standard OS meet all relevant Enterprise Security Standards.
- Security Updates: All PC/Client operating systems in use shall install and employ critical security updates for active exploits.
- Incidents: Agencies shall have a documented incident response procedure and report security incidents involving operating system use to the Agency and State of Iowa - Information Security Office within 24 hours of discovery.
This standard shall be effective the date of the Director’s signature.
This standard shall be enforced pursuant to Iowa Code 8B.21.
A waiver may be submitted to the State’s Chief Information Officer as defined in Iowa Code 8B.21.5.