BSD Endpoint Continuous Security Assurance (BigFix)
BigFix is a Continuous Security Assurance service for BSD IT Assets (i.e. laptops, desktops, and servers). This service enables local technical support staff to ensure devices meet organizational security requirements. Only local technical staff authorized by the department can use this service.
The Continuous Security Assurance provides the following benefits:
- It allows local technical support staff to ensure compliance with University’s and divisional cyber security policies (e.g. encryption etc.)
- Systems and Communication Policy → Protection of Information at Rest (SC-28 CM)
- It allows local technical support staff to install critical security patches on computers as soon as they’re made available by Microsoft and Apple. Please make sure to test the security patches following your departments patching policy before you deploy them into production.
BigFix is a “client-based” service. For a Windows, Mac or Linux computer to participate in the BigFix service, you need to install a small client program available for download on this page. The BigFix software on the computer then communicates with BSD’s BigFix server with system status updates. This information is necessary to verify encryption and associate the computer to the owner. BigFix does not collect any personal data (email, calendar events, contacts, personal files, etc) from computers. Certain basic inventory information about the computer—such as the presence or absence of critical security updates, IP address, operating system, and some hardware data—is collected. A complete list of collected information is always available. Computer used for BSD science, academics and administration related business should be setup with the BigFix client software.
- BigFix Client Installation Guide for Linux, Mac, and Windows
- BigFix Guides (This is only open to UChicago users with a Box account)
- BigFix Retrieved Properties List (a list of the information retrieved by BigFix from BSD computers)
- BigFix Forum (IBM BigFix public forum)
Q: Why is BSD requiring the installation of BigFix on all desktops and laptops on the network?
A: Having visibility into devices’ security configuration is critical to protecting BSD data and computing resources. This will provide the BSD ISO with an accurate inventory of what devices are on the network and their security configuration status. Insecure devices are both a security and compliance risk to the organization.
Q: What to expect after installing BigFix?
A: The BigFix icon will appear on the System Tray (Windows) or Menu Bar (Mac OS X. The BigFix Client will run in the background and report the initial status of your system to the BigFix Server. BigFix will run in the background, consuming minimal CPU resources, periodically checking in with the server to provide ongoing updates of the system status as well as check for new tasks.
Q: What data does BigFix collect from personal computers? Why is collecting this information necessary?
A: BigFix collects user name and system configuration data such as operating system, CPU, RAM, hard drive space. No personal data or information, such as browser history or files in the hard drive, is collected. All system information retrieved by BigFix is treated as confidential by BSD IT staff. This information is necessary to verify encryption and associate the computer to the owner.
Q: Who has access to the administrator controls for BigFix system?
A: Designated BSD IT Staff has access to the administrator controls for BigFix. All access to BigFix, and actions performed within, are logged and regularly audited.
Q: What processes are in place to prevent unauthorized use of the BigFix system both from internal and external users?
A: In accordance with the University’s Acceptable Use Policy, administrator rights are limited to professional IT staff that follow industry best practices for system administration, including accessing the minimum amount of data to do their work. The BigFix system is housed in the Data Center with restricted physical access and continuous monitoring. Regular patches are applied to ensure system integrity. Administrator access logs are reviewed regularly to ensure appropriate access.
Q: Since I own and administer my computer, which is used only occasionally for BSD business, I can’t cede total control of my computer to a BSD IT administrator.
A: BigFix will not take away any rights/privileges from yours or any other local accounts. You can still install whatever you need without asking permission. It will just grant BSD admins the ability to check for encryption/antivirus software.
Q: Does BigFix prevent me from installing system software updates before they are “officially” approved by BSD IT? I routinely install system security and version updates, and do not want to be told by BigFix that I can’t install an update.
A: No – you can still install any new software or updates – it won’t prevent that.
Q: Does BigFix require an BSD IT’s administrator’s approval to install non-BSD-related software (e.g., personal finance, photography, network, printer, music, game, etc., software)?>
A: No, no approval needed.