UW-Madison - IT - Endpoint Management and Security Policy Standards

The Endpoint Management and Security Policy Standards contain the supporting standards, guidelines and requirements in support of the UW-Madison Endpoint Management and Security Policy at UW-Madison.



Risk categories for endpoint management
Standard - Risk Category Low-Risk Mid-Risk High-Risk
Device Management Processes are used to intentionally manage devices and management expectations are communicated between users and IT staff. Endpoints are managed with automation and set to reapply configured settings. Configured settings are validated every 120 days. 

Validate the device compliance of configured settings at least once every 30 days. 

Device Management - Examples Automated update mechanisms are enabled when available. 

Installed software and system updates are controlled via BigFix/SCCM/Workspace One/Puppet or similar product.

Configuration assessment tools such as Qualys or CIS benchmarks are used.

Automation should be used to set and reapply configured settings.

Installed software and system updates are controlled via BigFix/SCCM/Workspace One/Puppet or similar product and device compliance is reviewed every 30 days. 
Patch Management - Applies to all OS major versions, patches, and application patches. Does not replace the metrics and timelines listed in the vulnerability management standard when a patch is used to remediate a vulnerability. See Vulnerability Management OS major version(s) must be actively supported. All available OS and application patches are installed within 90 days of release. Note: Faster requirements may apply if vulnerabilities are present. See Vulnerability Management row for requirements. 

A documented and repeatable patching program exists. All available OS and application patches are installed within 45 days of release.

Note: Faster requirements may apply if vulnerabilities are present. See Vulnerability Management row for requirements. 

All available OS and application patches are installed within 15 days of release.

Note: Faster requirements may apply if vulnerabilities are present. See Vulnerability Management row for requirements. 

Patch Management - Examples

Automatic updates are turned on where available.

Windows 7 is not allowed because it is no longer supported by Microsoft. 

Enroll macOS devices in WS1 to manage OS and application updates and document how they are applied within 45 days of release.

Utilize Bigfix, SCCM, WS1, or WSUS for windows and application updates and document how they are applied within 45 days of release. 

Utilize a dev and production patching environment to test updates before applying them within 15 days of release. 

Vulnerability Management

Vulnerabilities with a Common Vulnerability Scoring System (CVSS) rating exceeding 8.9 should be mitigated within 3 days.

Vulnerabilities with a Common Vulnerability Scoring System (CVSS) rating between 7.0 – 8.9 must be remediated within 30 days.

Vulnerabilities with a Common Vulnerability Scoring System (CVSS) rating between 4.0 – 6.9 must be remediated within 180 days.

Vulnerabilities with a Common Vulnerability Scoring System (CVSS) rating lower than 4.0 should be addressed within 365 days during normal maintenance cycles. 

Vulnerabilities with a Common Vulnerability Scoring System (CVSS) rating exceeding 8.9 should be mitigated within 3 days.

Vulnerabilities with a Common Vulnerability Scoring System (CVSS) rating between 7.0 – 8.9 must be remediated within 30 days.

Vulnerabilities with a Common Vulnerability Scoring System (CVSS) rating between 4.0 – 6.9 must be remediated within 45 days.

Vulnerabilities with a Common Vulnerability Scoring System (CVSS) rating lower than 4.0 should be addressed within 365 days during normal maintenance cycles. 

Vulnerabilities with a Common Vulnerability Scoring System (CVSS) rating exceeding 8.9 should be mitigated within 3 days. 

Vulnerabilities with a Common Vulnerability Scoring System (CVSS) rating between 7.0 – 8.9 must be remediated within 15 days.

Vulnerabilities with a Common Vulnerability Scoring System (CVSS) rating between 4.0 – 6.9 must be remediated within 15 days.

Vulnerabilities with a Common Vulnerability Scoring System (CVSS) rating lower than 4.0 should be addressed within 365 days during normal maintenance cycles.

Vulnerability Management - Examples

The log4j vulnerability (https://nvd.nist.gov/vuln/detail/CVE-2021-44228) could be mitigated by disabling the log4j lookup on affected endpoints.

The Windows PrintNightmare Vulnerability (https://nvd.nist.gov/vuln/detail/CVE-2021-34527) could be mitigated by disabling the Windows Print Spooler or by installing the applicable Windows security update from Microsoft. 

Application Management - This standard is relating to an application control process and the nature is to review/control what's being installed and if it should be.

Users are encouraged to consult with department IT staff regarding potential risks for applications. 

A list of installed applications or software can be produced.

New applications or services must be reviewed by designated IT staff, or other designated staff as defined by the Risk Executive, prior to purchase or implementation. 

New applications or services must receive a documented review from designated IT staff, or other designated staff as defined by the Risk Executive, prior to purchase or implementation. Monitor for and remove unauthorized and deprecated applications. 

Application Management - Examples

Local IT staff encourages users to reach out before purchasing or downloading an application to their department laptop. 

Implementing WS1 to view installed applications on endpoints and provide an app catalog where available apps have been added by IT staff.

A PI wants to use a never-before-seen tool to process research data.

Use BigFix baselines to monitor for and automatically remove unauthorized or deprecated applications. 

Endpoint Detection & Response (EDR)

Real-time, continuous virus/malware monitoring is enabled and configured to take automatic action. Malware definitions are configured to update within 24 hours of becoming available. 

Endpoints must have centrally reporting EDR software installed and configured to send alerts to administrators.

Physical Protection

Determine the minimum necessary physical protections that must be enforced to adequately protect the device(s).

Server hardware is placed in a designated and secure location that is not publicly accessible.

Physical Protection - Examples

Lock down monitors and CPUs in labs or where applicable.

Physical restraint on non-mobile devices, privacy protectors for displays in public areas, USB ports disabled on devices assigned to a public space. 

Don't leave laptops/portable devices unattended. Place servers in secured data centers with keycard access when possible.

Access Management

Set passwords in accordance with UW-Madison Password Standard.

Configure the following:

Session reauthentication: once every 12 hours and after 30 minutes of inactivity.

Account lockout threshold: 14 invalid attempts.

Account lockout duration: 5 minutes.

End user and/or Administrator access on endpoints must be implemented in accordance with the principle of least privilege.

Privileged accounts are only used to elevate access for administrator tasks as needed.

Shared accounts are prohibited.

Documented on and off-boarding processes exist.

Accounts/access are centrally managed/controlled.

Disable unused accounts. 

Accounts are centrally managed/controlled and reviewed/removed annually. 

Storage Encryption

No Minimum Standard 

Storage device encryption is enforced on assets. AES-128 bit encryption or greater is required.

Event/Log Collection

System default log settings are enabled.

Retain logs for at least 30 days. 

Units must determine what events/logs are necessary to gather and review to remain in compliance with UWSA 1041. See UWSA 1041 (appendix A for specifics)

Event/Log Collection - Examples

Ensure default system logging is configured and enabled. Most systems do this by default. Examples: log all access attempts on Linux computers, log all Windows Application, Security and System events in Windows event logs.

Send the logs into a central repository. 

Require logging of critical events, send logs to a centralized system, and analyze those logs.

Backups

No Minimum Standard

Perform and retain a scheduled backup of all sensitive data at least once every 60 days. Test and restore a backup at least once every 180 days.

Perform and retain a scheduled backup of all high-risk data at least once every 28 days. Test and restore a backup at least once every 90 days. Maintain a written DR plan in accordance with UWSA 1037. Backup media must be securely stored, including, but not limited to, encryption, physical security, and disposal.

Regulated Data Security Controls

No Minimum Standard

Implement controls and/or audits consistent with regulatory requirements applicable to your environment.

Regulated Data Security Controls - Examples

Consider PCI DSS, HIPAA, Export Control, and FERPA regulations as they are common requirements on campus.

Restricted Data Discovery

Scan for all forms of sensitive data at least every six months.

Scan for and review scan results monthly. 

Per section III of the UW-Madison Endpoint Management and Security Policy, departments and divisions are responsible for, “Creating, documenting, maintaining and implementing standards." 

These standards are intended to be used as a common recommendation for a large majority of devices. Departments and divisions are encouraged to use this standard as their own, or as a baseline document to develop their own standards for devices that may require special configuration. Any additional standards must be documented in the department or division standard as required by the policy.

When reviewing these standards, the columns are cumulative, standards listed in column B carryover and apply to columns C and D etc.,

If a conflict exists between the standards metrics, the most secure metric prevails and should be followed.

These standards do not relieve UW-Madison or its employees, partners, consultants, or vendors of further obligations that may be imposed by law, regulation or contract.

For additional information, including an implementation timeline and device risk definitions, see the UW-Madison Endpoint Management and Security Policy Implementation Plan

Contact

Please address questions or comments to itpolicy@cio.wisc.edu.




Keywords:
endpoint management standards 
Doc ID:
119500
Owned by:
Heather J. in IT Policy
Created:
2022-07-11
Updated:
2024-11-04
Sites:
IT Policy