Policy

Original Issuance Date: February 17, 2022

Effective Date: February 17, 2023

1.     Policy Purpose

The purpose of this policy is to provide structure for the deployment and management of endpoint protection systems and controls used to mitigate Information Security (IS) threats throughout the University of Wisconsin (UW) System.

2.     Responsible UW System Officer

Associate Vice President for Information Security

3.     Scope and Institutional Responsibilities

This policy applies to all UW System institutions, including UW System Administration.

This policy identifies the requirements for the installation and use of endpoint protection controls on all UW System owned or leased endpoints, irrespective of funding source and where technically feasible, that store or process data used to accomplish University research, teaching, learning, operations, or administration.

4.     Background

The President of the University of Wisconsin System is empowered to establish information security policies under Regent Policy Document 25-5, Information Technology: Information Security. The UW System is committed to a secure IT environment in support of its mission.

The endpoint protection requirements described within this policy are designed to help ensure satisfactory and consistent practices to address and mitigate persistent IS threats posed by the presence of malicious and/or undesirable software on UW System institution owned or leased endpoints.

5.     Definitions

Please see SYS 1000, Information Security: General Terms and Definitions, for a list of general terms and definitions. Terms and definitions found within this policy include:

  • Endpoint– Desktop computers, servers, laptops, or tablet computers with access to the internet.
  • Malware- Software or firmware intended to perform an unauthorized process that will have adverse impact on the confidentiality, integrity, or availability of any information system.

6.     Policy Statement

A. Required Endpoint Activities

Any UW owned or leased endpoints assigned an active IP address must:

I. Be protected against malware by host-based and institutionally managed malware protection software;

II. Maintain supported operating systems;

III. Limit operating system and application access rights to the minimal level necessary for the end user to perform their job duties; and

IV. Employ controls to prevent unauthorized physical and logical access.

7.     Related Documents

Regent Policy Document 25-3, Acceptable Use of Information Technology Resources
Regent Policy Document 25-5, Information Technology: Information Security

UW System Information Security Program

UW System Administrative Policy 1000, Information Security: General Terms and Definitions
UW System Administrative Procedure 1036.A, Information Security: Endpoint Protection Standard

8.     Policy History

First approved: February 17, 2022

9.     Scheduled Review

February 2027