Endpoint Security Administration

Standard number: DS-23
Date issued: 12/4/2024
Date last reviewed: N/A
Date of next review: 12/1/2026
Version: 1.0
Approval authority: Vice President for Information Technology and CIO
Responsible office: ITS Information Assurance

This standard supports and supplements the Information Security (SPG 601.27) policy. It will be periodically reviewed and updated as necessary in response to emerging threats, changes in legal and regulatory requirements, and technological advances.

I. Overview

Securing university-owned systems connected to the U-M network is a critical element in protecting IT resources and data. A number of IT standards that support and supplement the Information Security (SPG 601.27) policy specify requirements related to protecting these systems, such as network security, security logging, vulnerability management, and access control.

This standard focuses on broad security measures for all university-owned systems. It addresses:

  • Implementation of an enterprise enhanced endpoint protection service.
  • Implementation of least functionality necessary for university-owned systems to operate and meet business needs.
  • Maintenance of up-to-date inventory of university-owned systems.

The standard is accompanied by comprehensive endpoint protection guidance for university units and departments that encompasses all relevant IT standards.

Any exceptions to this standard require approval by VPIT-CIO or designee.

II. Scope

This standard applies to the Ann Arbor campus, UM-Dearborn, UM-Flint, and Michigan Medicine.

It further applies to all university-owned systems, whether or not they are located on one of the university’s campuses and regardless of the sensitivity level of institutional data they create, process, maintain, transmit, or store.

III. Definitions

University-owned Systems

All endpoints and devices, servers, and institutional IT resources that are funded, owned, licensed by, or under the direct control of the university, whether locally or with a cloud provider. This includes research devices purchased with U-M general, research, or other funds, including faculty start-up funds and grant funding.

Enterprise Enhanced Endpoint Protection Service

Enhanced endpoint protection platforms remove or contain suspicious activity, improve threat investigations, and speed response times to malicious activity. Information and Technology Services (ITS) maintains a contract for an enhanced endpoint protection platform and provides an enterprise enhanced endpoint protection service to all U-M units.

Least Functionality

The principle of least functionality maintains that systems are configured to provide only essential capabilities and to prohibit or restrict the use of non-essential functions, such as ports, protocols, and/or services that are not integral to the operation of that system.

U-M Service Provider

U-M departments that manage devices, systems, and services on behalf of university units.

University Unit

U-M school, college, department, or research group that provisions and manages university-owned systems.

Device Custodian

An individual with administrator access to university-owned systems.

IV. Standard

All U-M units must follow these requirements for securing UM-owned systems:

  • Install the enterprise enhanced endpoint protection service on all UM-owned systems.
  • Configure systems with least functionality necessary to operate and meet business needs.
  • Specifically prohibit or restrict the use of functions, ports, protocols, and/or services that are not required for the business function of the system.
  • Block unnecessary ports, protocols, and services from internet exposure, unless there is a compelling business need for internet connectivity.
  • On a routine basis, or as instructed by ITS Information Assurance, identify and disable any functions, ports, protocols, and services that are deemed unnecessary, unauthorized, and/or non-secure.
  • Maintain an up-to-date inventory of university-owned systems.

Exception Process for Enterprise Enhanced Endpoint Protection

In limited situations, some systems may not be compatible with enhanced endpoint protection, or may have conflicts that prevent the installation of the enterprise enhanced endpoint protection service. These situations must be documented by units and reviewed by IA.

Requests for exceptions will only be approved when it has been demonstrated that enhanced endpoint protection is incompatible with the specific system or use case, and when there are other mitigating controls in place.

Follow the endpoint protection guidance on Safe Computing for details on how to document and submit requests for exceptions.

Privacy Considerations

Information available in the enterprise enhanced endpoint protection service must be limited to only what is needed to administer the service and identify and halt malicious activity. Access to that data can be granted only to those who need it for their U-M work and in accordance with U-M policies, including Privacy and the Need to Monitor and Access Records (SPG 601.11).

V. Roles and Responsibilities

ITS Information Assurance (IA)

  • Provide guidance on security measures that ensure least functionality during the lifecycle of UM-owned systems.
  • Administer the enterprise enhanced endpoint protection service and coordinate with the third-party vendor.
  • Provide appropriate training and communication to unit IT staff that engage in unit-level administration of the enterprise enhanced endpoint protection service.
  • Review and make decisions on requests for exception submitted by university units.

U-M Service Providers

  • Take responsibility for deploying the enterprise enhanced endpoint protection service on university-owned managed systems under their control.
  • Install operating system images and patches that ensure least functionality during the lifecycle of UM-owned systems.
  • Support university units in the maintenance of inventory of university-owned systems.

University Units

  • Take responsibility for implementing and monitoring security measures that ensure least functionality during the lifecycle of UM-owned systems in their unit.
  • Take responsibility for ensuring that the enterprise enhanced endpoint protection service is deployed on university-owned systems that are funded, owned, licensed by, or under the direct control of the unit.
  • Have plans and processes in place to support deployment of the enterprise enhanced endpoint protection service on an ongoing basis.
  • Periodically review and ensure that all systems that are not managed by a U-M service provider are properly reporting into the enterprise enhanced endpoint protection service.
  • Unit staff who have an IT security role are responsible for reviewing reporting and taking action as needed in response to threat detections in the enterprise enhanced endpoint protection service.
  • Respond to escalations from IA.
  • Establish and maintain an inventory of university systems funded, owned, licensed by, or under the direct control of the unit.
  • Document exceptions to this standard and submit them for review by IA.

Device Custodians

  • Work with their university unit to ensure the device/system they administer is included in the unit's inventory of university-owned systems.
  • Take responsibility for implementing and monitoring security measures that ensure least functionality of the UM-owned system they administer.
  • Work with their university unit to ensure that the enterprise enhanced endpoint protection service is deployed on the UM-owned system they administer.
  • Periodically review and ensure that all systems they administer that are not managed by a U-M service provider are properly reporting into the enterprise enhanced endpoint protection service.
  • Respond to escalations from their university unit or IA.
  • Work with their university unit to document exceptions to this standard and submit them for review by IA.

VI. Violations and Sanctions

Violations of this standard may result in disciplinary action up to and including suspension or revocation of computer accounts and access to networks, non-reappointment, discharge, dismissal, and/or legal action. In addition, machines and servers that do not comply with this standard may have their connectivity to the U-M network limited or disconnected. IA reserves the right to implement the security measures specified in this standard on any UM-owned system.

Discipline (SPG 201.12) provides for staff member disciplinary procedures and sanctions. Violations of this standard by faculty may result in appropriate sanction or disciplinary action consistent with applicable university procedures. If dismissal or demotion of qualified faculty is proposed, the matter will be addressed in accordance with the procedures set forth in Regents Bylaw 5.09. In addition to U-M disciplinary actions, individuals may be personally subject to criminal or civil prosecution and sanctions if they engage in behavior that violates applicable federal and state laws.

Any U-M department or unit found to have violated this standard may be held accountable for the financial penalties, legal fees, and other remediation costs associated with a resulting information security incident and other regulatory non-compliance.

VII. Implementation

ITS Information Assurance is responsible for the implementation, maintenance, and interpretation of this standard.

VIII. References