UW-Madison - IT - Endpoint Management and Security Policy Implementation Plan
The Endpoint Management and Security Policy Implementation Plan contains the guidelines and procedures that support the UW-Madison Endpoint Management and Security Policy, providing the framework, guidelines, and requirements for endpoint management and security at UW-Madison.
Surrounding text in italics is not part of the official document.
Purpose
This implementation plan identifies the priorities and phases for meeting the goals of the campus Endpoint Management and Security Policy. This implementation plan will evolve through the development of the related policy standards and procedures. Based on the prioritization and use cases described in this implementation plan, and as stated in the policy, “Divisions, departments, and units are responsible for creating, documenting, maintaining and implementing standards for managing endpoints that are specific to the risk and operations of their respective mission.”
Decision-Making Guidance
The following guidance has been developed to support university-wide implementation priorities. Divisions and units are best situated to evaluate and apply these priorities to their IT resources. The device priorities below are classified and grouped based on a two-pronged approach with emphasis placed on risk and the quantity of devices impacted. Divisional Risk Executives should be consulted to determine risk tolerance for their areas of responsibility. The University of Wisconsin System definition of risk is available at: https://www.wisconsin.edu/uw-policies/uw-system-administrative-policies/information-security-data-classification-and-protection/information-security-data-classification/
Device Priorities:
- High:
  - Devices that store or access high-risk data.
  - Devices that are critical to the operation and mission of the unit, for which service interruptions or security incidents would have a severe impact.
  - Devices that require professional IT management due to policies, standards, regulations, or contractual requirements.
  - Device types/use cases that represent a large number of similar endpoints and use cases, that can leverage common solutions for a high impact improvement in reliability and security.
- Medium:
  - Devices that store or access medium-risk data.
  - Devices that are used in routine operations, where an outage or security incident would have a moderate impact.
  - Devices that represent an identifiable group that can be managed with a common solution.
  - Devices that impact a smaller number of end users than those identified as High Priority.
- Low:
  - Devices that do not store and/or access high-risk or medium-risk data.
  - Devices that have low operational risk and are not required for time-critical processes or uses; an outage or security incident impacts a small number of end users.
  - Devices that have other security protections that reduce the overall risk and need for active management, and do not have significant amounts of data at risk.
  - Devices that are not identified as High or Medium Priority and require individual configuration and management.
  - Devices that have other protections, low risk, and have specific management requirements or restrictions.
  - Non-traditional IT assets (e.g., embedded systems, specialized devices).
Timeline
Upon approval of the Implementation Plan, the timeline will begin. There are two parts to the implementation timeline. The first part of the timeline is drafting campus standards and supporting documents on how to implement and maintain the standards in a division, school, or unit. The standard will be published in the IT Policy Knowledge Base. The development of appropriate and feasible standards will take significant effort from IT staff across campus.
The second part of the implementation plan requires Divisional leadership to create or approve Endpoint Management and Security Procedures based on the identified standards and to monitor progress.
Policy Published on April 8, 2021
- Program Start:
  - The CIO is responsible for outreach and consultation with IT leaders regarding the implementation of the policy.
  - Collaborative outreach and consultation with divisional IT leadership by CIO and Program Leadership.
  - The CIO, in consultation with campus and division leadership and IT leaders, establishes the start date for the implementation, taking into account other IT requirements, staff workload, available resources, and campus priorities.
- Standards, Procedure, and Training Development [2 months after Implementation Plan validation and program start date]. The CIO is accountable for ensuring these items are addressed. The Office of Cybersecurity is responsible for coordinating campus standards and procedures. DoIT Communications and distributed IT will be consulted to complete these tasks.
  - Establish procedures and governance for creating and updating endpoint standards.
  - Identify and prioritize common use cases.
  - Validate and publish Endpoint Management and Security Policy Standards for high, medium, and low priority use cases.
  - Create, validate, and publish a procedure template to be updated, as deemed appropriate by the appointed governance group, based on new use cases.
  - Ensure common standards, tools, procedures, reports, and training are available for managing endpoints at the campus and Divisional levels.
  - Develop and manage a communications plan for distributing relevant information broadly to campus stakeholders, Divisional Deans and Directors.
  - Divisional Deans and Directors have established responsibility in their Divisions for drafting and managing Endpoint Management Procedures.
  - Divisions prioritize use cases as high, medium, and low. Ideally, high-risk devices will be reported as part of the IT Asset Reporting Policy and Procedures.
- Implementation Phases
- Goals and Metrics
Metrics and goals have been identified for each phase, to be accomplished by the end of the phase.
- Phase One: [April 8, 2022 (Policy Effective Date) thru April 2023].
  - Divisions identify staff and training requirements.
  - High Priorities:
    - 95% of Divisions have documented standards and procedures for high priority devices.
    - 85% of Divisions are managing at least 75% of the Division’s high priority devices according to the documented standards and procedures.
  - Medium Priorities:
    - 75% of Divisions have documented standards and procedures for medium priority devices.
    - 60% of Divisions are managing at least 50% of the Division’s medium priority devices according to the documented standards and procedures.
- Phase Two: [April 2023 - October 2023].
  - High Priorities:
    - 95% of Divisions are managing at least 90% of the high priority devices according to the documented standards and procedures.
  - Medium Priorities:
    - 95% of Divisions have documented procedures for medium priority devices.
    - 80% of Divisions are managing at least 75% of the medium priority devices according to the documented standards and procedures.
  - Low Priorities:
    - 50% of Divisions have documented standards and procedures for the low priority devices.
    - Divisions and units have established training for IT staff and other stakeholders on the endpoint management program and the standards and procedures for Low Priority Devices.
- Phase Three: [October 2023 - April 2024].
  - High Priorities:
    - 99% of Divisions are managing at least 95% of the high priority devices according to the documented standards and procedures.
  - Medium Priorities:
    - 90% of Divisions are managing at least 90% of the medium priority devices according to the documented standards and procedures.
  - Low Priorities:
    - 90% of Divisions have documented standards and procedures for the low priority devices.
    - 90% of Divisions are managing at least 90% of the low priority devices according to the documented standards and procedures.
Program Reporting Metrics
The Vice Provost for Information Technology and Chief Information Officer is responsible for identifying and implementing processes and metrics to measure this implementation plan’s progress. Reporting elements should include the following.
- The number of Divisions reporting documented standards and procedures for High, Medium, and Low priorities.
- Where applicable, the number of departments and units reporting (per Division).
- The metrics specified in the implementation plan phases above.
- Identify the tools and number of enrolled devices for centrally provided tools (e.g., BigFix, Amp, Workspace ONE, Qualys) and identify the occurrences of abandoned licenses.
Stakeholder Metrics and Reports
The Vice Provost for Information Technology and Chief Information Officer is responsible for identifying which governance and/or stakeholder group(s) should provide input on the type of metrics and reports to be created and managed for divisional risk executives and other stakeholders. This effort includes creating a standard operating procedure for receiving additional requests or changes to existing reports.
Communications, Outreach and Training
The communications plan should address the multiple channels of communication to various audiences. Audiences include IT staff, divisional risk executives, those who manage or are responsible for IT staff, and end users.
Centrally provided services and tools require outreach and training programs. Divisions and units will need to identify training and communications for tools used and managed within their respective areas. Training should assist IT professionals with endpoint management programs and services, including:
- Onboarding new IT staff with training and documentation regarding the centrally provided tools.
- Opportunities to gain increased proficiency with the tools.
- Review of training materials for effectiveness.
Contact
Please address questions or comments to itpolicy@cio.wisc.edu.