Information Security: Endpoint Protection Standard
1. Purpose
The purpose of this procedure is to provide a formal structure for the deployment and management of endpoint protection systems and controls used to mitigate Information Security (IS) threats throughout the University of Wisconsin (UW) System.
2. Responsible UW System Officer
Associate Vice President for Information Security
3. Definitions
Please see SYS 1000, Information Security: General Terms and Definitions, for a list of general terms and definitions.
4. Procedures
A. Standards
I. Endpoint Malware Protection Requirements
- All file systems must be scanned periodically for malware. Anti-malware software must be actively running in a mode which automatically takes corrective action when possible and must not be capable of being disabled temporarily or permanently by end users.
- All endpoint protection software must be actively managed, including ensuring that the endpoint protection software is periodically updated to the latest version and that associated definition files are updated within 24 hours of release.
- Any endpoint which has been found to be actively infected with malicious and/or unauthorized software which cannot be neutralized by the endpoint’s malware protection software must be isolated from the rest of the network until appropriately triaged.
II. Operating Systems
Endpoints with Operating Systems that have reached end-of-life support shall not be permitted to connect to the UW's networks. Special-purpose endpoints that cannot be updated to supported Operating Systems may be permitted by the institutional IS Designee to connect to the UW's networks if sufficient controls are implemented to segregate the system(s) from the rest of the network.
III. Principle of Least Privilege
End user and/or Administrator access on endpoints must be implemented in accordance with the principle of least privilege. Administrator access on workstations shall only be provided to end users that need such access to perform their job functions.
IV. Unattended Endpoints
- Endpoints must activate a screen lock after 15 minutes of inactivity. Special-purpose endpoints designed for controlling laboratory instrumentation, endpoints designated for public access, or digital signage are exempt from screen lock if sufficient controls are in place to prevent unauthorized access.
V. Endpoint Configuration Items
To the extent possible, all endpoints must:
- Have their host firewall enabled.
- Have remote access protocols such as RDP and SSH disabled by default. Protocols may be enabled as needed if sufficient controls are in place to prevent unauthorized access.
- Have macros disabled by default within all installed software applications and/or productivity suites. Macros may be enabled for trusted documents as needed.
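The requirements in sections I, II, IV and V above lend themselves to an automated compliance check against an endpoint-management inventory. The following is an added example written for this page, not a UW System tool: it assumes a hypothetical inventory export with the fields shown on the `Endpoint` record (the three sample records are constructed) and encodes the standard's thresholds (definition files no older than 24 hours, screen lock at 15 minutes) together with its stated exemptions (segregated special-purpose systems on end-of-life operating systems; special-purpose systems with controls against unauthorized access for screen lock; remote access protocols enabled only with sufficient controls).

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Thresholds stated in the standard (sections I and IV).
DEFINITION_MAX_AGE = timedelta(hours=24)
SCREEN_LOCK_MAX_MINUTES = 15


@dataclass(frozen=True)
class Endpoint:
    """One record from a hypothetical endpoint-management export (assumed schema)."""
    hostname: str
    os_supported: bool               # vendor still ships security updates
    special_purpose: bool            # lab controller, public kiosk, digital signage
    segregated: bool                 # IS Designee-approved network segregation (II)
    physical_controls: bool          # controls preventing unauthorized use (IV)
    av_running: bool                 # anti-malware active with automatic remediation
    av_user_disableable: bool        # end user can turn protection off
    definitions_updated: datetime    # last definition update, UTC
    screen_lock_minutes: int | None  # None = no automatic lock configured
    host_firewall: bool
    remote_access: tuple[str, ...]   # enabled protocols, e.g. ("rdp", "ssh")
    remote_access_controls: bool     # compensating controls for enabled protocols
    macros_enabled_by_default: bool


def evaluate(ep: Endpoint, now: datetime) -> list[str]:
    """Return one finding per violated requirement; an empty list means compliant."""
    findings: list[str] = []

    # I. Endpoint malware protection
    if not ep.av_running:
        findings.append("I: anti-malware not running in automatic-remediation mode")
    if ep.av_user_disableable:
        findings.append("I: end user can disable anti-malware")
    age = now - ep.definitions_updated
    if age > DEFINITION_MAX_AGE:
        findings.append(f"I: definitions {age / timedelta(hours=1):.0f}h old (limit 24h)")

    # II. Operating systems: end-of-life OS tolerated only for segregated special-purpose systems
    if not ep.os_supported and not (ep.special_purpose and ep.segregated):
        findings.append("II: end-of-life OS without approved segregation")

    # IV. Unattended endpoints: lock within 15 minutes unless an exempt special-purpose system
    lock_ok = ep.screen_lock_minutes is not None and ep.screen_lock_minutes <= SCREEN_LOCK_MAX_MINUTES
    lock_exempt = ep.special_purpose and ep.physical_controls
    if not lock_ok and not lock_exempt:
        findings.append("IV: screen lock absent or later than 15 minutes")

    # V. Endpoint configuration items
    if not ep.host_firewall:
        findings.append("V: host firewall disabled")
    if ep.remote_access and not ep.remote_access_controls:
        protocols = ", ".join(p.upper() for p in ep.remote_access)
        findings.append(f"V: {protocols} enabled without controls")
    if ep.macros_enabled_by_default:
        findings.append("V: macros enabled by default")
    return findings


def audit(inventory: tuple[Endpoint, ...], now: datetime) -> dict[str, list[str]]:
    """Map each non-compliant hostname to its findings; compliant endpoints are omitted."""
    report = {ep.hostname: evaluate(ep, now) for ep in inventory}
    return {host: found for host, found in report.items() if found}


# Constructed sample data: a fixed audit time keeps the definition-age check deterministic.
AUDIT_TIME = datetime(2022, 2, 17, 12, 0, tzinfo=timezone.utc)
INVENTORY = (
    # Ordinary workstation meeting every requirement.
    Endpoint("ws-001", os_supported=True, special_purpose=False, segregated=False,
             physical_controls=False, av_running=True, av_user_disableable=False,
             definitions_updated=AUDIT_TIME - timedelta(hours=6), screen_lock_minutes=10,
             host_firewall=True, remote_access=(), remote_access_controls=False,
             macros_enabled_by_default=False),
    # Lab instrument controller on an end-of-life OS: exempt because segregated and physically controlled.
    Endpoint("lab-ctrl-07", os_supported=False, special_purpose=True, segregated=True,
             physical_controls=True, av_running=True, av_user_disableable=False,
             definitions_updated=AUDIT_TIME - timedelta(hours=2), screen_lock_minutes=None,
             host_firewall=True, remote_access=(), remote_access_controls=False,
             macros_enabled_by_default=False),
    # Workstation with stale definitions, a 60-minute lock, RDP open and macros on.
    Endpoint("ws-002", os_supported=True, special_purpose=False, segregated=False,
             physical_controls=False, av_running=True, av_user_disableable=True,
             definitions_updated=AUDIT_TIME - timedelta(days=3), screen_lock_minutes=60,
             host_firewall=True, remote_access=("rdp",), remote_access_controls=False,
             macros_enabled_by_default=True),
)

if __name__ == "__main__":
    for host, found in audit(INVENTORY, AUDIT_TIME).items():
        print(host)
        for finding in found:
            print("  -", finding)
```

The findings are tagged with the section number they derive from, so a report can be traced back to the standard; the exemption logic is deliberately conjunctive (a special-purpose system on an end-of-life OS is only cleared when segregation is also recorded), matching the "if sufficient controls are implemented" wording rather than exempting special-purpose systems outright.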
5. Related Documents
6. History
First approved: February 17, 2022