UW–Madison Workstation Security Requirements
The purpose of the Office of Cybersecurity's IT security baseline is to:
- assess the current security practices of IT departments across campus
- identify tasks for departments to meet security standards set by the IT Security department
- implement the capability to monitor security metrics.
The IT security practice is intended to inform each unit of the actions required to ensure that practical, basic security measures have been implemented that reduce the risk of unauthorized access to IT resources and data. The baseline requirements are intended to create a minimally acceptable security standard for all the IT departments on campus. The baseline will not ensure compliance with any particular federal or industry security standard (e.g., PCI-DSS, HIPAA, FERPA, FISMA). IT Security and Internal Audit will work with information technology units to implement a common set of IT practices that report results through IT Security-monitored mechanisms and accomplish the following goals:
- Implement a common set of tools, processes, and procedures to reduce the risk of unauthorized access to information systems.
- Implement a common set of procedures so that intrusions are quickly detected and appropriate personnel are alerted in a timely manner.
- Monitor and verify security metrics to ensure units are operating at the minimally acceptable security baseline.
IT Security will work with departments to provide adequate training and tools on an as-needed basis.
The UW–Madison IT Security Baseline Program, in conjunction with the Secure End Point Configuration Matrix, defines the minimal system security criteria. The unit’s departmental IT professionals will be required to provide compliance verification to the HIPAA Security Coordinator and the Office of Cybersecurity.
- UW–Madison IT Security Baseline Program includes “Users do not have local administrative privileges unless an exception is made by the department head, documented and reviewed annually.”
- Secure End Point Configuration Matrix includes “Administrator access: Remove end User permissions so they are not local admins”