Original Issuance Date: February 17, 2022
Effective Date: February 17, 2023
1. Policy Purpose
The purpose of this policy is to provide structure for the deployment and management of endpoint protection systems and controls used to mitigate Information Security (IS) threats throughout the University of Wisconsin (UW) System.
2. Responsible UW System Officer
Associate Vice President for Information Security
3. Scope and Institutional Responsibilities
This policy applies to all UW System institutions, including UW System Administration.
This policy identifies the requirements for the installation and use of endpoint protection controls on all UW System owned or leased endpoints, irrespective of funding source and where technically feasible, that store or process data used to accomplish University research, teaching, learning, operations, or administration.
The President of the University of Wisconsin System is empowered to establish information security policies under Regent Policy Document 25-5, Information Technology: Information Security. The UW System is committed to a secure IT environment in support of its mission.
The endpoint protection requirements described within this policy are designed to help ensure satisfactory and consistent practices to address and mitigate persistent IS threats posed by the presence of malicious and/or undesirable software on UW System institution owned or leased endpoints.
Please see SYS 1000, Information Security: General Terms and Definitions, for a list of general terms and definitions. Terms and definitions found within this policy include:
- Endpoint– Desktop computers, servers, laptops, or tablet computers with access to the internet.
- Malware- Software or firmware intended to perform an unauthorized process that will have adverse impact on the confidentiality, integrity, or availability of any information system.
6. Policy Statement
A. Required Endpoint Activities
Any UW owned or leased endpoints assigned an active IP address must:
I. Be protected against malware by host-based and institutionally managed malware protection software;
II. Maintain supported operating systems;
III. Limit operating system and application access rights to the minimal level necessary for the end user to perform their job duties; and
IV. Employ controls to prevent unauthorized physical and logical access.
7. Related Documents
8. Policy History
First approved: February 17, 2022
9. Scheduled Review