Endpoint management & security standards

This page contains the standards, guidelines and requirements in support of the UW–Madison Endpoint Management and Security Policy, UW-526. It is designed to pair standards with centrally available campus tools.

Please note that this page represents UW–Madison's default endpoint standards. Your unit may have its own endpoint standards.

How to consume this matrix

When reviewing this matrix, note that the columns are cumulative: standards listed in the low-risk column carry over and apply to the medium- and high-risk columns as well. If a conflict exists between standards, the most secure metric prevails and should be followed.

Each standard below lists the campus resource that supports it and the requirements for each device risk tier (low, medium, high).

Device management
  Resource: BigFix or Workspace ONE
  Low risk: Processes are used to intentionally manage devices, and management expectations are communicated between users and IT staff.
  Medium risk: Endpoints are managed with automation and set to reapply configured settings. Configured settings are validated every 120 days.
  High risk: Validate device compliance with configured settings at least once every 30 days.

Patch management
  Resource: BigFix or Workspace ONE
  Low risk: OS major version(s) must be actively supported. All available OS and application patches are installed within 90 days of release.
  Medium risk: A documented and repeatable patching program exists. All available OS and application patches are installed within 45 days of release.
  High risk: All available OS and application patches are installed within 15 days of release.
  Note (all tiers): Faster requirements may apply if vulnerabilities are present; see the Vulnerability management row for requirements.

Vulnerability management
  Resource: Qualys
  Low risk: Vulnerabilities with a Common Vulnerability Scoring System (CVSS) rating exceeding 8.9 should be mitigated within 3 days; 7.0-8.9 must be remediated within 30 days; 4.0-6.9 must be remediated within 180 days; lower than 4.0 should be addressed within 365 days during normal maintenance cycles.
  Medium risk: CVSS exceeding 8.9 should be mitigated within 3 days; 7.0-8.9 must be remediated within 30 days; 4.0-6.9 must be remediated within 45 days; lower than 4.0 should be addressed within 365 days during normal maintenance cycles.
  High risk: CVSS exceeding 8.9 should be mitigated within 3 days; 7.0-8.9 must be remediated within 15 days; 4.0-6.9 must be remediated within 15 days; lower than 4.0 should be addressed within 365 days during normal maintenance cycles.

Application management
  Resource: BigFix or Workspace ONE
  Low risk: Users are encouraged to consult with department IT staff regarding potential risks of applications. A list of installed applications or software can be produced.
  Medium risk: New applications or services must be reviewed by designated IT staff, or other designated staff as defined by the Risk Executive, prior to purchase or implementation.
  High risk: New applications or services must receive a documented review from designated IT staff, or other designated staff as defined by the Risk Executive, prior to purchase or implementation. Monitor for and remove unauthorized and deprecated applications.

Endpoint detection & response (EDR)
  Resource: Cisco Secure Endpoint (AMP)
  Low risk: Real-time, continuous virus/malware monitoring is enabled and configured to take automatic action. Malware definitions are configured to update within 24 hours of becoming available.
  Medium and high risk: Endpoints must have centrally reporting EDR software installed and configured to send alerts to administrators.

Host-based firewall
  Resource: Windows: Group Policy or Workspace ONE profile; macOS: Workspace ONE profile
  Low risk: Host firewall is enabled, continuously active, and configured in accordance with industry best practices.
  Medium and high risk: Dedicated remote access protocols such as RDP and SSH are disabled by default. Firewall policy and rule exceptions are documented and reviewed annually.

Physical protection
  All risk levels: Determine the minimum necessary physical protections that must be enforced to adequately protect the device(s).

Access management
  Resource: Campus Active Directory, CyberArk, LastPass
  Low risk: Set passwords in accordance with the UW–Madison Password Standard. Configure the following:
    • Session reauthentication: once every 12 hours and after 30 minutes of inactivity
    • Account lockout threshold: 14 invalid attempts
    • Account lockout duration: 5 minutes
    • End-user and/or administrator access on endpoints must be implemented in accordance with the principle of least privilege.
  Privileged accounts are only used to elevate access for administrator tasks as needed. Shared accounts are prohibited.
  Medium risk: Documented on-boarding and off-boarding processes exist. Accounts/access are centrally managed/controlled. Disable unused accounts.
  High risk: Accounts are centrally managed/controlled and reviewed/removed annually.

Storage encryption
  Resource: Windows: BitLocker management via Active Directory and Group Policy, or via Workspace ONE; macOS: FileVault management via Workspace ONE
  Low risk: No minimum standard.
  Medium and high risk: Storage device encryption is enforced on assets. AES-128-bit encryption or greater is required.

Event/log collection
  Resource: Elastic
  Low risk: System default log settings are enabled.
  Medium and high risk: Retain logs for at least 30 days. Units must determine what events/logs are necessary to gather and review to remain in compliance with UWSA 1041 (see Appendix A for specifics).

Backups
  Resource: Bucky Backup
  Low risk: No minimum standard.
  Medium risk: Perform and retain a scheduled backup of all sensitive data at least once every 60 days. Test and restore a backup at least once every 180 days.
  High risk: Perform and retain a scheduled backup of all high-risk data at least once every 28 days. Test and restore a backup at least once every 90 days. Maintain a written DR plan in accordance with UWSA 1037. Backup media must be securely stored, including, but not limited to, encryption, physical security, and disposal.

Regulated data-security controls
  Resource: Restricted data security management
  Low risk: No minimum standard.
  Medium and high risk: Implement controls and/or audits consistent with regulatory requirements applicable to your environment. Consider PCI DSS, HIPAA, export control, and FERPA regulations, as they are common requirements on campus.

Restricted data discovery
  Resource: Spirion
  Medium risk: Scan for all forms of sensitive data at least every six months.
  High risk: Scan for sensitive data and review scan results monthly.

Asset management
  All risk levels: Follow UW–Madison IT asset reporting guidelines.
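One way a unit could check scanner findings against the vulnerability-management windows above, as an added example (this is not UW–Madison's or Qualys's tooling; the finding list, finding IDs and as-of date are constructed):

```python
"""Remediation-deadline checker for the vulnerability-management row of the
endpoint standards matrix (added example; the findings below are constructed
to stand in for a vulnerability-scanner export)."""
from datetime import date, timedelta

# Remediation windows in days by device risk tier, copied from the matrix.
# Bands: critical (> 8.9), high (7.0-8.9), medium (4.0-6.9), low (< 4.0).
WINDOWS = {
    "low":    {"critical": 3, "high": 30, "medium": 180, "low": 365},
    "medium": {"critical": 3, "high": 30, "medium": 45,  "low": 365},
    "high":   {"critical": 3, "high": 15, "medium": 15,  "low": 365},
}

def cvss_band(score: float) -> str:
    """Map a CVSS base score to the band the matrix uses."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score > 8.9:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"

def deadline(tier: str, score: float, detected: date) -> date:
    """Latest acceptable remediation date for a finding on a device of `tier`."""
    return detected + timedelta(days=WINDOWS[tier][cvss_band(score)])

# Constructed sample findings: (finding id, CVSS base score, first-detected date).
SAMPLE = [
    ("F-1", 9.8, date(2024, 3, 1)),   # critical: 3-day window at every tier
    ("F-2", 7.5, date(2024, 2, 1)),   # high: 30 days (low/medium tier), 15 (high tier)
    ("F-3", 5.0, date(2024, 1, 15)),  # medium: 180 / 45 / 15 days by tier
    ("F-4", 2.1, date(2023, 6, 1)),   # low: 365 days at every tier
]
AS_OF = date(2024, 3, 10)  # constructed "today" for the report

def overdue(findings, tier: str, today: date = AS_OF):
    """Return (id, days_overdue) for findings past their deadline, worst first."""
    late = []
    for fid, score, detected in findings:
        due = deadline(tier, score, detected)
        if today > due:
            late.append((fid, (today - due).days))
    return sorted(late, key=lambda item: -item[1])

if __name__ == "__main__":
    for tier in WINDOWS:
        print(f"{tier}-risk devices, overdue findings: {overdue(SAMPLE, tier)}")
```

The same finding can be within its window on a low-risk device and weeks overdue on a high-risk one, which is why the device tier has to travel with the finding, not just the CVSS score.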

These standards do not relieve UW–Madison or its employees, partners, consultants or vendors of further obligations that may be imposed by law, regulation or contract.

For additional information, including an implementation timeline and device risk definitions, see the implementation plan.

For additional feedback or questions, reach out to us at itpolicy@cio.wisc.edu.