Recommendations for Endpoint Security Controls dependent upon the type of Data processed on the Endpoint.
This document is intended for use by IT support professionals, system administrators, information security staff, and anyone else who would be responsible for onboarding, securing, and offboarding endpoints. UW-Madison faculty and staff should consult with DoIT or their department IT staff on the best way to secure their endpoints with respect to the data processed and stored on those endpoints.
This document is intended to be used as a best practices guideline to secure and manage eligible UW-Madison endpoints based on data classification. It is not meant to be a comprehensive “one size fits all” solution to securing your endpoints, nor should it be used for mobile device management, as a replacement for a comprehensive asset disposal procedure, or for whole-system lifecycle management.
The procedures within this matrix are also not to be considered permanent solutions. As the information security landscape shifts, and our shared toolset evolves, expect the contents and recommendations to change over time. Specific controls and processes that meet the guideline should be documented by the unit.
Endpoint: An endpoint is a computing device that communicates back and forth with a network, including but not limited to desktops, laptops, servers, and smartphones. Endpoint protection is critical to reduce threats to university networks. https://it.wisc.edu/it-projects/endpoint-management-security-project/
Baseline: This can refer to both public and internal data classifications.
Technical Controls: Items implemented, configured, and controlled through the use of tools and technology. For example, using VPN, encrypting with BitLocker, or firewall rules.
Operational Procedures: Items performed that provide oversight on what is happening in the system. Examples are creating and reviewing reports on system configurations or developing access and account procedures.
Administrative Procedures: Policies or directives created by management, leadership, or risk executives that individuals or units must follow within specific guidelines. Examples of this would be creating policies that define specific requirements for antivirus, access to elevated permissions, or security training.
When considering implementation of controls with corresponding standard tools, the baseline cell specifies the minimum control(s) required for that data and/or system classification. Refer to the Data Classification Policy (below) for more information on how to classify your data and systems. Users with specific types of restricted data (e.g. CUI, HIPAA) may have additional controls layered on top of the general restricted data controls in this table. Units using this matrix may need to implement compensating controls in certain cases. These controls should be documented and describe how they mitigate risk. Please consult the Office of Cybersecurity (firstname.lastname@example.org) if you have any questions or need assistance with classifying data or requirements for specific data types.
If a period length is not defined for a control (e.g., review reports on a periodic basis), the general expectation is monthly for Restricted data and once every six months for non-Restricted data.
This document has been built to describe controls in place on endpoints that deal with data of various types. If bring your own device (BYOD) assets are deemed acceptable by the Risk Executive (or delegate) of the division, BYOD assets must meet the same controls as described in the controls matrix. A Mobile Device Management (MDM) solution or equivalent management must be used to validate the controls on the endpoint for BYODs. The tools listed on the controls matrix page may or may not be available, but an equivalent control must be used.
Within a given requirement, if a cell is blank refer to the cell(s) above for guidance.
UW-Madison - IT - Data Classification Policy: https://kb.wisc.edu/itpolicy/page.php?id=59205
UW System Information Security: Data Classification Standard: https://www.wisconsin.edu/uw-policies/download/SYS-1031.A_Approved_Effective-June-7,-2020.pdf
Standard Tools Available
As appropriate for the system and your operational area, create and review reports and dashboard(s) demonstrating that system configurations remain compliant. Utilize notification methods for critical compliance gaps and remediate under normal cycles.
Require use of security controls as recommended and implemented by this matrix. Composition of controls should be aligned with unit risk tolerance level, regulatory requirements, data classification, and UW IT policies.
Require documentation of your processes, procedures, exceptions, and compensating controls. Lack of a centrally provided tool is a valid reason for exceptions.
Require logging of critical events, send logs to a centralized system, and analyze those logs. Retain those logs for at least 30 days, longer if required by regulatory or legal requirements.
Fulfill requirements using technical tools as made available by central campus providers or through other authorized agencies.
Examples include: Qualys Cloud Agent, WorkspaceOne, BigFix, Active Directory/Group Policy, CIS Benchmarks, Campus SIEM, departmental syslog server
Use the Campus Shared Policy Library for UW-Madison IT Policy Documents and the IT Policy KnowledgeBase for all IT Policy Related Documents: https://kb.wisc.edu/itpolicy/
Regent Policy Document 25-5 Information Technology: Information Security
UW System Policy 1035: IT Asset Management
UW-Madison Endpoint Management and Security Policy (Pending Final CIO Approval as of 3/25/2021)
UWSA - SYS 1042, Information Security: Threat and Vulnerability Management (Will be Effective 2/1/2022)
Automatic updates are turned on, where available.
Deploy a host-based vulnerability monitoring agent on eligible devices. On ineligible devices, utilize network-based scanning tools to identify potential vulnerabilities.
Generate and review a vulnerability report at least once per quarter (consider risk tolerance level of organization, data/system classification, and potential for loss). Document exceptions.
Remediate or mitigate appropriately identified vulnerabilities in accordance with the UW-Madison Risk Management Plan, section D.
At least once each quarter perform a scan from outside host and unit/campus firewalls to identify potential network vulnerabilities.
Create documentation that describes your unit’s risk tolerance, processes and procedures for your controls, with regards to review and remediation times, system patching, and related controls.
Qualys Vulnerability Management, Qualys Cloud Agent, Nmap, Shodan, Snort, Nessus, WorkspaceOne, MSL
Patch management tool is reporting to, and receiving and deploying patches from an upstream patch management system.
Develop vulnerability reports that are reviewed at a minimum on a quarterly basis. Develop notification and remediation procedures to respond to and remediate urgent, critical, and zero-day vulnerabilities (either from established reports or from CSOC notifications). Review report deltas and remediate remaining identified vulnerabilities.
Review vulnerability management reports and submit to relevant parties on a monthly basis.
Automatic updates to software and definitions are turned on where available.
Notification alerts are turned on.
Install anti-virus/malware protection software and review/remediate alerts daily. Review/remediate alerts issued from the Cybersecurity Operations Center (CSOC) on a daily basis. Valid alerts should be reported following the procedures in the Incident Reporting and Response policy.
Define and approve your level of risk tolerance with respect to the data that you process or store.
Require that all endpoints have a centrally managed anti-virus client, managed or confirmed by authorized UW-Madison staff.
Cisco's Advanced Malware Protection (AMP), Trend Micro, Windows Defender
Anti-virus/malware software is enforceably installed, ideally via an endpoint management solution.
Review on a monthly basis that all endpoints processing restricted data have the antivirus client installed and that it is reporting to a central console.
Require annual audits of anti-virus/malware installations and configurations with respect to device asset inventory.
Report data is consumable by the Cybersecurity Operations Center (CSOC)
Host-based firewall is on and blocking all incoming traffic from unneeded ports/protocols
Review assets monthly to confirm that host-based firewalls are enabled and blocking unnecessary incoming traffic.
Host-based firewall provided with the OS
Host-based firewall rules are enforceably configured through a central console.
Ensure end-users cannot turn the host-based firewall off or edit rules.
Develop notification methods to alert Local IT if the firewall is turned off, and re-enable it as soon as feasible.
Active Directory/Group Policy
Workspace ONE, HCL BigFix
Require monitoring of host-based firewall controls as a critical compliance control for all assets. Review in accordance with your unit’s risk tolerance level.
Only assign elevated permissions to those accounts as required by their role(s). Follow principles of least privilege for access. If using a PAM tool, define a window of administrative access that closes automatically.
Normal activities are not done with an account that has elevated permissions.
Define criteria for which roles have elevated permissions, in accordance with your unit’s risk tolerance level.
Provide just-in-time training and awareness for new users who are assigned elevated permissions.
Require audits of access to elevated permissions in accordance with your unit’s risk tolerance level. Recommended monthly or as notified of changes.
Privileged Access Manager tools (ex. LAPS, MakeMeAdmin, CyberArk)
Develop access and account provisioning procedures to ensure that administrator access uses a separate account that is not accessible to the end user and requires MFA.
Require local IT Security contact to monitor administrator access controls as a critical compliance control and audit at least monthly for all assets and report to appropriate parties. Appropriate parties may include Principal Investigators (PIs) for the project and local IT Security management (if applicable).
Implement encryption for data at rest where possible.
Develop procedures to ensure asset hard drives used to store Sensitive and Restricted Data are encrypted.
Develop encryption key management procedures.
Evaluate encryption for data at rest in accordance with your unit’s risk tolerance level, particularly with mobile devices, laptops, and portable media. Consider the effectiveness of compensating controls in your evaluation and any regulatory or legal requirements for encryption type.
Encryption for data at rest may be provided by the OS tools (ex. BitLocker, FileVault)
Endpoint management or firewall tools may offer additional verification of encryption (ex. BigFix, Workspace ONE, Qualys Policy Compliance, Palo Alto)
Mobile/Electronic device policy
Review compliance reports at least monthly to monitor that encryption is active for assets that do not have automatic alerts.
Develop procedures to track, sanitize, and dispose of devices that contain Sensitive or Restricted data.
Require documentation of any exceptions from encryption for all data at rest. Include consideration of mobile devices, laptops, and portable media.
Documentation should include evaluation of the associated risk.
Implementation of encryption for data at rest is required.
Portable devices should not be used to store Restricted data. If the business use case requires portable devices, they should have encryption equal to or better than that of laptops and desktops.
Require documentation that all data at rest is encrypted, or has proper documentation and compensating controls to mitigate the risk associated with storing unencrypted data.
Implement encryption protocols for data in transit where possible.
Develop procedures to install VPN. Educate end users on how and when to use VPN to access Restricted and Sensitive Data via wireless networks and off campus networks.
Develop encryption key management procedures.
WiscVPN, SecureCRT, SecureFX, GlobalProtect
Some email clients may provide encryption through configuration
Example protocols may include SFTP or TLS (HTTPS)
Implement encryption protocols for data in transit. If it is not possible to utilize encrypted protocols, data must be encrypted before being sent.
Review compliance reports monthly to monitor that encryption is active.
Local IT Security contact will monitor to ensure VPN is installed and updated as a critical compliance control for all applicable assets. Review at least monthly unless automatic alerts are configured.
Require documentation of any exceptions from encryption for all data in transit. Documentation should include evaluation of the associated risk.
Encryption protocols must be used.
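As an added illustration of how the matrix's tiering ("if a cell is blank refer to the cell(s) above") and default review periods translate into a repeatable compliance check, the Python script below evaluates a constructed endpoint inventory export against the firewall, anti-virus, encryption at rest, VPN and separate-administrator-account rows. It is not part of this document or of any UW-Madison tool; the CSV column names, the sample rows, the mapping of rows to the Baseline, Sensitive and Restricted tiers, and the 182-day figure for "six months" are all assumptions.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample export (one row per endpoint, "yes"/"no" per control).
SAMPLE_REPORT = """\
hostname,classification,av_reporting,firewall_on,disk_encrypted,vpn_installed,admin_separate,last_reviewed
lab-ws-01,Restricted,yes,yes,yes,yes,yes,2021-03-01
lab-ws-02,Restricted,yes,no,yes,yes,no,2021-01-15
office-lt-07,Sensitive,yes,yes,no,yes,yes,2021-02-10
kiosk-03,Public,no,yes,no,no,yes,2020-12-01
"""

# Baseline covers Public and Internal; each tier inherits the tiers below it
# ("if a cell is blank refer to the cell(s) above"). Mapping is assumed.
TIER_ORDER = ["Baseline", "Sensitive", "Restricted"]
REQUIRED = {
    "Baseline": {"av_reporting", "firewall_on"},
    "Sensitive": {"disk_encrypted"},
    "Restricted": {"vpn_installed", "admin_separate"},
}

def required_controls(classification):
    """Union of controls for the endpoint's tier and every lower tier."""
    target = "Baseline" if classification in ("Public", "Internal") else classification
    needed = set()
    for tier in TIER_ORDER[: TIER_ORDER.index(target) + 1]:  # ValueError if unknown
        needed |= REQUIRED[tier]
    return needed

def review_period_days(classification):
    # Undefined review periods: monthly for Restricted, six months otherwise.
    return 30 if classification == "Restricted" else 182  # six months, assumed

def evaluate(report_text, today_iso):
    """Return {hostname: sorted control gaps} for every non-compliant endpoint."""
    today, findings = date.fromisoformat(today_iso), {}
    for row in csv.DictReader(io.StringIO(report_text)):
        gaps = [c for c in sorted(required_controls(row["classification"]))
                if row[c].strip().lower() != "yes"]
        limit = timedelta(days=review_period_days(row["classification"]))
        if today - date.fromisoformat(row["last_reviewed"]) > limit:
            gaps.append("review_overdue")  # periodic review has lapsed
        if gaps:
            findings[row["hostname"]] = gaps
    return findings

if __name__ == "__main__":
    for host, gaps in evaluate(SAMPLE_REPORT, "2021-03-25").items():
        print(f"{host}: {', '.join(gaps)}")
```

Feed it a real export from your endpoint management console with the same columns to produce the monthly or six-monthly gap list the matrix asks units to review.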
Develop a checklist document inclusive of all subcategories of this document that can be quickly reviewed as a second check for compliance in all subcategories. Include an area for references as necessary.
Review your unit’s overall CDM approach and baseline control recommendations at least annually.
Review operating system and application inventories for current or soon to be deprecated items.
Require audits of security controls implemented by this matrix. Auditing and composition of controls should be aligned with unit risk tolerance level, regulatory requirements, and data classification.
Incorporate an example baseline checklist document when available. This is a next step action item for the CDM team.
Security audits should include a formal documented review of assets against all applicable rows of this document and any additional regulatory or compliance requirements for the covered data, and should result in an action plan that is maintained.
Security audits/checklists should be archived and available for review by the risk executive or appropriate personnel.