Validate the device compliance of configured settings at least once every 30 days. 

Installed software and system updates are controlled via BigFix/SCCM/Workspace One/Puppet or similar product.

Configuration assessment tools such as Qualys or CIS benchmarks are used.

Automation should be used to set and reapply configured settings.

A documented and repeatable patching program exists. All available OS and application patches are installed within 45 days of release.

Note: Faster requirements may apply if vulnerabilities are present. See Vulnerability Management row for requirements. 

All available OS and application patches are installed within 15 days of release.

Note: Faster requirements may apply if vulnerabilities are present. See Vulnerability Management row for requirements. 

Automatic updates are turned on where available.

Windows 7 is not allowed because it is no longer supported by Microsoft. 

Enroll macOS devices in WS1 to manage OS and application updates and document how they are applied within 45 days of release.

Utilize Bigfix, SCCM, WS1, or WSUS for windows and application updates and document how they are applied within 45 days of release. 

Utilize a dev and production patching environment to test updates before applying them within 15 days of release. 

Vulnerabilities with a Common Vulnerability Scoring System (CVSS) rating exceeding 8.9 should be mitigated within 3 days.

Vulnerabilities with a Common Vulnerability Scoring System (CVSS) rating between 7.0 – 8.9 must be remediated within 30 days.

Vulnerabilities with a Common Vulnerability Scoring System (CVSS) rating between 4.0 – 6.9 must be remediated within 180 days.

Vulnerabilities with a Common Vulnerability Scoring System (CVSS) rating lower than 4.0 should be addressed within 365 days during normal maintenance cycles. 

Vulnerabilities with a Common Vulnerability Scoring System (CVSS) rating exceeding 8.9 should be mitigated within 3 days.

Vulnerabilities with a Common Vulnerability Scoring System (CVSS) rating between 7.0 – 8.9 must be remediated within 30 days.

Vulnerabilities with a Common Vulnerability Scoring System (CVSS) rating between 4.0 – 6.9 must be remediated within 45 days.

Vulnerabilities with a Common Vulnerability Scoring System (CVSS) rating lower than 4.0 should be addressed within 365 days during normal maintenance cycles. 

Vulnerabilities with a Common Vulnerability Scoring System (CVSS) rating exceeding 8.9 should be mitigated within 3 days. 

Vulnerabilities with a Common Vulnerability Scoring System (CVSS) rating between 7.0 – 8.9 must be remediated within 15 days.

Vulnerabilities with a Common Vulnerability Scoring System (CVSS) rating between 4.0 – 6.9 must be remediated within 15 days.

Vulnerabilities with a Common Vulnerability Scoring System (CVSS) rating lower than 4.0 should be addressed within 365 days during normal maintenance cycles.

The log4j vulnerability (https://nvd.nist.gov/vuln/detail/CVE-2021-44228) could be mitigated by disabling the log4j lookup on affected endpoints.

The Windows PrintNightmare Vulnerability (https://nvd.nist.gov/vuln/detail/CVE-2021-34527) could be mitigated by disabling the Windows Print Spooler or by installing the applicable Windows security update from Microsoft. 

Users are encouraged to consult with department IT staff regarding potential risks for applications. 

A list of installed applications or software can be produced.

New applications or services must be reviewed by designated IT staff, or other designated staff as defined by the Risk Executive, prior to purchase or implementation. 

New applications or services must receive a documented review from designated IT staff, or other designated staff as defined by the Risk Executive, prior to purchase or implementation. Monitor for and remove unauthorized and deprecated applications. 

Local IT staff encourages users to reach out before purchasing or downloading an application to their department laptop. 

Implementing WS1 to view installed applications on endpoints and provide an app catalog where available apps have been added by IT staff.

A PI wants to use a never-before-seen tool to process research data.

Use BigFix baselines to monitor for and automatically remove unauthorized or deprecated applications. 

Real-time, continuous virus/malware monitoring is enabled and configured to take automatic action. Malware definitions are configured to update within 24 hours of becoming available. 

Endpoints must have centrally reporting EDR software installed and configured to send alerts to administrators.

Determine the minimum necessary physical protections that must be enforced to adequately protect the device(s).

Server hardware is placed in a designated and secure location that is not publicly accessible.

Lock down monitors and CPUs in labs or where applicable.

Physical restraint on non-mobile devices, privacy protectors for displays in public areas, USB ports disabled on devices assigned to a public space. 

Don't leave laptops/portable devices unattended. Place servers in secured data centers with keycard access when possible.

Set passwords in accordance with UW-Madison Password Standard.

Configure the following:

Session reauthentication: once every 12 hours and after 30 minutes of inactivity.

Account lockout threshold: 14 invalid attempts.

Account lockout duration: 5 minutes.

End user and/or Administrator access on endpoints must be implemented in accordance with the principle of least privilege.

Privileged accounts are only used to elevate access for administrator tasks as needed.

Shared accounts are prohibited.

Documented on and off-boarding processes exist.

Accounts/access are centrally managed/controlled.

Disable unused accounts. 

Accounts are centrally managed/controlled and reviewed/removed annually. 

No Minimum Standard 

Storage device encryption is enforced on assets. AES-128 bit encryption or greater is required.

System default log settings are enabled.

Retain logs for at least 30 days. 

Units must determine what events/logs are necessary to gather and review to remain in compliance with UWSA 1041. See UWSA 1041 (appendix A for specifics)

Ensure default system logging is configured and enabled. Most systems do this by default. Examples: log all access attempts on Linux computers, log all Windows Application, Security and System events in Windows event logs.

Send the logs into a central repository. 

Require logging of critical events, send logs to a centralized system, and analyze those logs.

No Minimum Standard

Perform and retain a scheduled backup of all sensitive data at least once every 60 days. Test and restore a backup at least once every 180 days.

Perform and retain a scheduled backup of all high-risk data at least once every 28 days. Test and restore a backup at least once every 90 days. Maintain a written DR plan in accordance with UWSA 1037. Backup media must be securely stored, including, but not limited to, encryption, physical security, and disposal.

No Minimum Standard

Implement controls and/or audits consistent with regulatory requirements applicable to your environment.

Consider PCI DSS, HIPAA, Export Control, and FERPA regulations as they are common requirements on campus.

Scan for all forms of sensitive data at least every six months.

Scan for and review scan results monthly.