Device Management

Processes are used to intentionally manage devices and management expectations are communicated between users and IT staff. 

Endpoints are managed with automation and set to reapply configured settings. Configured settings are validated every 120 days. 

Validate the device compliance of configured settings at least once every 30 days. 

Device Management - Examples

Automated update mechanisms are enabled when available. 

Installed software and system updates are controlled via BigFix/SCCM/Workspace One/Puppet or similar product.

Configuration assessment tools such as Qualys or CIS benchmarks are used.

Automation should be used to set and reapply configured settings. 

Installed software and system updates are controlled via BigFix/SCCM/Workspace One/Puppet or similar product and device compliance is reviewed every 30 days. 

Patch Management - Applies to all OS major versions, patches, and application patches. Does not replace the metrics and timelines listed in the vulnerability management standard when a patch is used to remediate a vulnerability. See Vulnerability Management

OS major version(s) must be actively supported. All available OS and application patches are installed within 90 days of release. Note: Faster requirements may apply if vulnerabilities are present. See Vulnerability Management row for requirements. 

A documented and repeatable patching program exists. All available OS and application patches are installed within 45 days of release.

Note: Faster requirements may apply if vulnerabilities are present. See Vulnerability Management row for requirements. 

All available OS and application patches are installed within 15 days of release.

Note: Faster requirements may apply if vulnerabilities are present. See Vulnerability Management row for requirements. 

Patch Management - Examples

Automatic updates are turned on where available.

Windows 7 is not allowed because it is no longer supported by Microsoft. 

Enroll macOS devices in WS1 to manage OS and application updates and document how they are applied within 45 days of release.

Utilize Bigfix, SCCM, WS1, or WSUS for windows and application updates and document how they are applied within 45 days of release. 

Utilize a dev and production patching environment to test updates before applying them within 15 days of release. 

Vulnerability Management

Vulnerabilities with a Common Vulnerability Scoring System (CVSS) rating exceeding 8.9 should be mitigated within 3 days.

Vulnerabilities with a Common Vulnerability Scoring System (CVSS) rating between 7.0 – 8.9 must be remediated within 30 days.

Vulnerabilities with a Common Vulnerability Scoring System (CVSS) rating between 4.0 – 6.9 must be remediated within 180 days.

Vulnerabilities with a Common Vulnerability Scoring System (CVSS) rating lower than 4.0 should be addressed within 365 days during normal maintenance cycles. 

Vulnerabilities with a Common Vulnerability Scoring System (CVSS) rating exceeding 8.9 should be mitigated within 3 days.

Vulnerabilities with a Common Vulnerability Scoring System (CVSS) rating between 7.0 – 8.9 must be remediated within 30 days.

Vulnerabilities with a Common Vulnerability Scoring System (CVSS) rating between 4.0 – 6.9 must be remediated within 45 days.

Vulnerabilities with a Common Vulnerability Scoring System (CVSS) rating lower than 4.0 should be addressed within 365 days during normal maintenance cycles. 

Vulnerabilities with a Common Vulnerability Scoring System (CVSS) rating exceeding 8.9 should be mitigated within 3 days. 

Vulnerabilities with a Common Vulnerability Scoring System (CVSS) rating between 7.0 – 8.9 must be remediated within 15 days.

Vulnerabilities with a Common Vulnerability Scoring System (CVSS) rating between 4.0 – 6.9 must be remediated within 15 days.

Vulnerabilities with a Common Vulnerability Scoring System (CVSS) rating lower than 4.0 should be addressed within 365 days during normal maintenance cycles.

Vulnerability Management - Examples

The log4j vulnerability (https://nvd.nist.gov/vuln/detail/CVE-2021-44228) could be mitigated by disabling the log4j lookup on affected endpoints.

The Windows PrintNightmare Vulnerability (https://nvd.nist.gov/vuln/detail/CVE-2021-34527) could be mitigated by disabling the Windows Print Spooler or by installing the applicable Windows security update from Microsoft. 

Application Management - This standard is relating to an application control process and the nature is to review/control what's being installed and if it should be.

Users are encouraged to consult with department IT staff regarding potential risks for applications. 

A list of installed applications or software can be produced.

New applications or services must be reviewed by designated IT staff, or other designated staff as defined by the Risk Executive, prior to purchase or implementation. 

New applications or services must receive a documented review from designated IT staff, or other designated staff as defined by the Risk Executive, prior to purchase or implementation. Monitor for and remove unauthorized and deprecated applications. 

Application Management - Examples

Local IT staff encourages users to reach out before purchasing or downloading an application to their department laptop. 

Implementing WS1 to view installed applications on endpoints and provide an app catalog where available apps have been added by IT staff. 

A PI wants to use a never-before-seen tool to process research data.

Use BigFix baselines to monitor for and automatically remove unauthorized or deprecated applications. 

Endpoint Detection & Response (EDR)

Real-time, continuous virus/malware monitoring is enabled and configured to take automatic action. Malware definitions are configured to update within 24 hours of becoming available. 

Endpoints must have centrally reporting EDR software installed and configured to send alerts to administrators. 

EDR - Examples

Windows Defender is enabled and definitions are automatically updated via Windows Update.

Non-UW owned macOS devices have Trend Micro installed in a continuous protection mode with automatic updates enabled. 

Cisco Secure Endpoint is installed in protect mode on UW-Madison owned or leased IT assets. Administrators are encouraged to subscribe to events as referenced in this KB: https://kb.wisc.edu/internal/page.php?id=89843 

Host Based Firewall - This applies to an endpoint's host firewall configuration and not the Palo Alto or other enterprise network firewalls.

Host firewall is enabled, continuously active, and configured in accordance with industry best practices. Dedicated remote access protocols such as RDP and SSH are disabled by default. 

Firewall policy and rule exceptions are documented and reviewed annually. 

Host Based Firewall - Examples

Enable Windows Defender or macOS firewall with default settings. 

Annually review host firewall configuration and exceptions to identify obsolete rules and remove any unnecessary exceptions. 

Physical Protection

Determine the minimum necessary physical protections that must be enforced to adequately protect the device(s).

Server hardware is placed in a designated and secure location that is not publicly accessible. 

Physical Protection - Examples

Lock down monitors and CPUs in labs or where applicable.

Physical restraint on non-mobile devices, privacy protectors for displays in public areas, USB ports disabled on devices assigned to a public space. 

Don't leave laptops/portable devices unattended. Place servers in secured data centers with keycard access when possible.

Access Management

Set passwords in accordance with UW-Madison Password Standard.

Configure the following:

Session reauthentication: once every 12 hours and after 30 minutes of inactivity.

Account lockout threshold: 14 invalid attempts.

Account lockout duration: 5 minutes.

End user and/or Administrator access on endpoints must be implemented in accordance with the principle of least privilege.

Privileged accounts are only used to elevate access for administrator tasks as needed.

Shared accounts are prohibited.

Documented on and off-boarding processes exist.

Accounts/access are centrally managed/controlled.

Disable unused accounts. 

Accounts are centrally managed/controlled and reviewed/removed annually. 

Storage Encryption

No Minimum Standard 

Storage device encryption is enforced on assets. AES-128 bit encryption or greater is required. 

Event/Log Collection

System default log settings are enabled. 

Retain logs for at least 30 days. 

Units must determine what events/logs are necessary to gather and review to remain in compliance with UWSA 1041. See UWSA 1041 (appendix A for specifics)

Event/Log Collection - Examples

Ensure default system logging is configured and enabled. Most systems do this by default. Examples: log all access attempts on Linux computers, log all Windows Application, Security and System events in Windows event logs.

Send the logs into a central repository. 

Require logging of critical events, send logs to a centralized system, and analyze those logs.

Backups

No Minimum Standard

Perform and retain a scheduled backup of all sensitive data at least once every 60 days. Test and restore a backup at least once every 180 days.

Perform and retain a scheduled backup of all high-risk data at least once every 28 days. Test and restore a backup at least once every 90 days. Maintain a written DR plan in accordance with UWSA 1037. Backup media must be securely stored, including, but not limited to, encryption, physical security, and disposal.

Regulated Data Security Controls

No Minimum Standard

Implement controls and/or audits consistent with regulatory requirements applicable to your environment.

Regulated Data Security Controls - Examples

Consider PCI DSS, HIPAA, Export Control, and FERPA regulations as they are common requirements on campus.

Restricted Data Discovery

Scan for all forms of sensitive data at least every six months.

Scan for and review scan results monthly.