Regulatory Controls Requiring EDR Capabilities


Purpose 

This document explains why Endpoint Detection and Response (EDR) tools are important for the University of Washington and how they help the University meet its legal, regulatory, and policy obligations. Because the UW works with many types of sensitive information, such as student records, research data, health information, and financial data, various laws and standards require the University to monitor systems, detect potential security issues, and respond quickly to threats. 

EDR technology supports these responsibilities by helping the UW spot unusual or risky activity on the machines where it is installed, investigate potential problems, and take action to protect University data. This document brings together the major requirements from federal, state, industry, and UW policies and standards to show how EDR contributes to meeting them. It is intended to provide a clear, high-level understanding for audiences across campus. 

NIST Cybersecurity Framework (CSF) 2.0 

Core Functions Supporting EDR Requirements: 

  • DE.CM-1: Networks and network services are monitored to find potentially adverse events 
  • DE.CM-3: Personnel activity and technology usage are monitored to find potentially adverse events 
  • DE.CM-9: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events 
  • DE.AE-2: Potentially adverse events are analyzed to better understand associated activities 
  • DE.AE-3: Event data are collected and correlated from multiple sources 
  • RS.AN-3: Analysis is performed to establish what has taken place during an incident and the root cause 


NIST Special Publications 

NIST SP 800-53 (Security Controls for Federal Information Systems) 

  • AU-3: Audit Record Content - Requires detailed logging of security events 
  • AU-6: Audit Review, Analysis, and Reporting - Mandates analysis of audit records 
  • AU-12: Audit Generation - Requires automated audit capability 
  • CA-7: Continuous Monitoring - Requires continuous monitoring 
  • IR-4: Incident Handling - Mandates incident detection and response capabilities 
  • IR-5: Incident Monitoring - Requires continuous monitoring for incidents
  • RA-5: Vulnerability Monitoring and Scanning - Requires monitoring and scanning for vulnerabilities 
  • SI-3: Malicious Code Protection - Requires real-time malware detection and response 
  • SI-4: Information System Monitoring - Mandates comprehensive system monitoring 

NIST SP 800-137 (Information Security Continuous Monitoring) 

  • Requires continuous monitoring of security controls and organizational risk 
  • Mandates automated tools for real-time security status awareness 
  • Requires correlation of security information from multiple sources 

NIST SP 800-171 (Protecting CUI in Nonfederal Systems and Organizations) 

  • Audit and Accountability (AU) 
  • Incident Response (IR) 
  • System and Information Integrity (SI) 
  • Access Control (AC) 
  • Configuration Management (CM) 
  • Security Assessment (CA) 
  • System and Communications Protection (SC) 

Payment Card Industry Data Security Standard (PCI DSS) 

Requirements Supporting EDR: 

  • Requirement 6.4.3: All payment software must be monitored for tampering 
  • Requirement 10: Log and monitor all access to network resources and cardholder data 
  • Requirement 11: Regularly test security systems and processes 
  • Requirement 11.4: Use intrusion-detection and/or intrusion-prevention techniques 
  • Requirement 12.10.1: Implement an incident response plan with real-time alerting 


Gramm-Leach-Bliley Act (GLBA) Safeguards Rule 

Specific Requirements: 

  • §314.4(c)(3): Detecting, preventing, and responding to attacks, intrusions, or other systems failures 
  • §314.4(c)(4): Monitoring information systems to identify unauthorized access 
  • §314.4(c)(5): Encrypting customer information in transit and at rest 
  • §314.4(c)(6): Implementing secure development practices 
  • §314.4(c)(7): Implementing multi-factor authentication 
  • §314.4(c)(8): Maintaining an inventory of data systems and regular monitoring  

Health Insurance Portability and Accountability Act (HIPAA) 

Security Rule Requirements: 

  • §164.308(a)(1): Assigned security responsibility with continuous monitoring 
  • §164.308(a)(6): Information access management with audit trails 
  • §164.312(b): Audit controls for electronic protected health information 
  • §164.312(c): Integrity controls to protect ePHI from alteration or destruction 
  • §164.312(d): Person or entity authentication for system access 
  • §164.312(e): Transmission security for ePHI over electronic networks 

Privacy Rule Requirements: 

  • §164.530(c): Safeguards.  
    • A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information. 

Federal Information Security Management Act (FISMA) 

Continuous Monitoring Requirements: 

  • 44 U.S.C. § 3544: Requires continuous monitoring of information security controls 
  • OMB Circular A-130: Mandates real-time security monitoring and incident response 
  • FISMA Moderate/High Systems: Require automated security monitoring tools 

Federal Educational Rights and Privacy Act (FERPA) 

While FERPA does not require educational institutions to adopt specific security controls, the Department of Education (DOE) has issued guidance informing educational institutions that they should take “appropriate steps to safeguard student records,” because breaches involving education records can lead to a violation of FERPA.  

The DOE also has published a Data Security Checklist that includes the following: 

  • Provide a layered defense - including employing a "Defense in Depth" architecture that uses a wide spectrum of tools arrayed in a complementary fashion. 
  • Secure configurations - including continuous scanning to ensure system components remain in a secure state, a critical capability that will enhance data security protection. 
  • Firewalls and Intrusion Detection/Prevention Systems (IDPS). 
  • Automated vulnerability scanning. 

While published DOE guidance does not have the force of law, it is an important tool that educational institutions look to when determining their obligations under FERPA. 

EU and UK General Data Protection Regulation (GDPR) 

While both the EU and UK GDPR apply to the UW in very limited circumstances, to the extent they do apply, entities subject to the GDPR are subject to the following general security of data processing requirement: 

  • Article 32 – Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, both the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including as appropriate: 
    • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services. 


State-Level Regulations 

Washington State Cybersecurity Requirements 

RCW 43.105.450 - Office of Cybersecurity 

  • State Agency Information Technology Security: Requires state agencies to implement comprehensive cybersecurity programs 
  • Continuous Monitoring: Mandates ongoing monitoring of information systems for security threats 
  • Incident Detection: Requires implementation of systems to detect cybersecurity incidents 

RCW 19.255.010 - Personal Information Security Breaches 

  • Breach Detection: Requires reasonable security measures to detect unauthorized access to personal information 
  • Notification Requirements: Mandates timely notification of security breaches affecting personal information 
  • Monitoring Systems: Requires implementation of systems to monitor for unauthorized access 

RCW 19.373.050 - My Health My Data Act 

  • Data security practices: Requires regulated entities to establish, implement, and maintain administrative, technical, and physical data security practices that, at a minimum, satisfy a reasonable standard of care within the regulated entity's industry to protect the confidentiality, integrity, and accessibility of consumer health data, appropriate to the volume and nature of the consumer health data at issue. 

RCW 70.02.150 - Medical Records - Health Care Information Access and Disclosure 

  • Security safeguards: Requires health care providers to effect reasonable safeguards for the security of all health care information they maintain. 


Washington State IT Security Policies and Standards 

SEC-04-09-S Endpoint Detection and Response Standard 

  • Mandatory EDR Deployment: Agencies must deploy an Endpoint Detection and Response (EDR) solution on state-issued endpoints 
  • SIEM Integration: EDR solutions must be configured to report into the Enterprise Security Information and Event Management (SIEM) service where possible 
  • Agent Maintenance: Agencies must keep EDR agents and components up to date (N-1 version) on state-issued endpoints 
  • Configuration Documentation: Agencies must document and standardize the deployed EDR's configuration following industry standards and manufacturer's best practices 
  • Anti-Malware Protection: EDR must provide anti-malware protection and address malware prevention, detection, and removal 
  • Detection Controls: Agencies must implement detection, prevention, and recovery controls to protect against malicious code 
  • Traffic Examination: Agencies must examine file transfers, email, and web browser-based traffic for malicious and inappropriate content 
  • Non-State Device Requirements: Must set requirements for malware protection for non-state issued endpoints used for work purposes 

SEC-09-01-S Security Logging Standard 

  • Mandatory Security Logging: Agencies must configure their information technology systems and networks to generate security logs 
  • System Coverage: Must configure logging for security software, antivirus software, firewalls, intrusion detection and prevention systems, operating systems and servers, workstations, network equipment, and applications 
  • Log Data Requirements: Each log entry must include Account/User ID, Port Number, Type of event, Success or failure of the event, Date and time of the event (timestamp), and Source and Destination IP addresses 
  • Real-Time Alerting: Agencies must configure security log generation processes to notify agency security administrators in the event of a log generation error with alerts that are auditable and as close to real time as possible 
  • Log Protection: Agencies must protect agency security logs from unauthorized access, modification, and deletion 
  • Retention Requirements: Agencies must retain security logs for at least one year with provisions for longer retention due to CJIS and HIPAA requirements 
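The log data and real-time alerting items above can be checked mechanically. The following Python script is an added illustration, not part of this document, the state standard, or any EDR product: it validates constructed sample log records for the data elements SEC-09-01-S requires in each entry, and it reports hosts that have gone silent, which is the condition the alerting item wants surfaced. The JSON key names, host names, IP addresses, and sample values are assumptions made for the example.

```python
"""Check security log entries for the SEC-09-01-S data elements and flag
hosts that have stopped producing logs. Added example; the record format,
key names and sample records are constructed, not taken from the standard."""
from __future__ import annotations

import ipaddress
import json
from datetime import datetime, timedelta, timezone

# Required data elements from the standard, mapped to the JSON keys this
# example assumes (the standard names the elements, not the keys).
REQUIRED_FIELDS = {
    "user_id": "Account/User ID",
    "port": "Port Number",
    "event_type": "Type of event",
    "outcome": "Success or failure of the event",
    "timestamp": "Date and time of the event",
    "src_ip": "Source IP address",
    "dst_ip": "Destination IP address",
}

# Constructed sample records, one JSON object per line.
SAMPLE_LOG = """\
{"host": "ws-101", "user_id": "jdoe", "port": 445, "event_type": "file_access", "outcome": "success", "timestamp": "2024-03-01T09:00:00Z", "src_ip": "10.1.2.3", "dst_ip": "10.1.9.9"}
{"host": "ws-101", "user_id": "jdoe", "port": 22, "event_type": "logon", "outcome": "failure", "timestamp": "2024-03-01T09:05:00Z", "src_ip": "10.1.2.3"}
{"host": "ws-102", "user_id": "", "port": 443, "event_type": "process_start", "outcome": "success", "timestamp": "2024-03-01T09:30:00Z", "src_ip": "10.1.2.4", "dst_ip": "203.0.113.5"}
{"host": "ws-102", "user_id": "asmith", "port": 443, "event_type": "process_start", "outcome": "success", "timestamp": "not-a-time", "src_ip": "10.1.2.4", "dst_ip": "203.0.113.5"}
"""


def _parse_ts(value: object) -> datetime:
    """Parse an ISO 8601 timestamp; a trailing Z is normalised to +00:00."""
    return datetime.fromisoformat(str(value).replace("Z", "+00:00"))


def validate_entry(entry: dict) -> list[str]:
    """Return the problems with one entry (empty list if it is compliant)."""
    problems = []
    for key, label in REQUIRED_FIELDS.items():
        if key not in entry or entry[key] in ("", None):
            problems.append(f"missing {label} ({key})")
    if entry.get("timestamp"):
        try:
            _parse_ts(entry["timestamp"])
        except ValueError:
            problems.append("timestamp is not ISO 8601")
    for key in ("src_ip", "dst_ip"):
        if entry.get(key):
            try:
                ipaddress.ip_address(entry[key])
            except ValueError:
                problems.append(f"{key} is not a valid IP address")
    if isinstance(entry.get("port"), int) and not 0 <= entry["port"] <= 65535:
        problems.append("port out of range")
    if entry.get("outcome") not in (None, "", "success", "failure"):
        problems.append("outcome must be success or failure")
    return problems


def validate_log(text: str) -> dict[int, list[str]]:
    """Map 1-based line numbers to their problems; clean lines are omitted."""
    report: dict[int, list[str]] = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            report[lineno] = ["line is not valid JSON"]
            continue
        problems = validate_entry(entry)
        if problems:
            report[lineno] = problems
    return report


def stale_hosts(text: str, now_iso: str, max_silence_minutes: int) -> list[str]:
    """Hosts whose newest parseable entry is older than the allowed silence.
    A silent host is the log-generation error the standard wants alerted on."""
    now = _parse_ts(now_iso)
    latest: dict[str, datetime] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            entry = json.loads(line)
            ts = _parse_ts(entry["timestamp"])
        except (json.JSONDecodeError, KeyError, ValueError):
            continue  # unparseable entries count as missing for this purpose
        host = entry.get("host", "unknown")
        if host not in latest or ts > latest[host]:
            latest[host] = ts
    limit = timedelta(minutes=max_silence_minutes)
    return sorted(h for h, ts in latest.items() if now - ts > limit)


if __name__ == "__main__":
    for lineno, problems in validate_log(SAMPLE_LOG).items():
        print(f"line {lineno}: {'; '.join(problems)}")
    print("silent hosts:", stale_hosts(SAMPLE_LOG, "2024-03-01T09:40:00Z", 30))
```

Running the script reports line 2 (no destination IP), line 3 (empty user ID) and line 4 (unparseable timestamp), and lists ws-101 as silent because its last valid entry is 35 minutes before the reference time while ws-102 logged 10 minutes earlier. In a deployment, the silence check would run on a schedule against the SIEM's view of each endpoint rather than a file.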

SEC-09 IT Security Audit and Accountability Policy 

  • Audit Trail Requirements: Mandates comprehensive audit trails for all security-related activities 
  • Accountability Mechanisms: Requires implementation of systems to ensure accountability for security actions 
  • Review and Analysis: Mandates regular review and analysis of audit logs and security events 

SEC-10 IT Security Incident Response Policy 

  • Incident Response Program: Requires establishment of formal incident response programs 
  • Detection and Analysis: Mandates capabilities for incident detection, analysis, and response 
  • Coordination Requirements: Requires coordination with appropriate authorities during security incidents 

SEC-11 Information Security Risk Management Policy 

  • Continuous Risk Assessment: Requires ongoing assessment of information security risks 
  • Risk Mitigation: Mandates implementation of controls to mitigate identified risks 
  • Monitoring and Review: Requires continuous monitoring and periodic review of risk management processes 

Washington State Cybersecurity Program Policy (SEC-01) 

  • Cybersecurity Program Requirements: Agencies must establish cybersecurity programs aligned with state standards 
  • Annual Reviews: Requires annual cybersecurity program reviews and assessments 
  • Controls Implementation: Mandates development of controls to protect confidentiality, integrity, and availability of data 
  • Compliance Attestation: Requires annual attestation of compliance with cybersecurity requirements 
  • Operational Continuity: Mandates measures to maintain operational continuity during cybersecurity incidents 
  • Risk Management: Requires continuous risk assessment and mitigation strategies 

UW Administrative Policy Statement 

APS 2.6 Information Security Controls and Operational Practices 

Relevant Requirements: 

  • A baseline measurement process for application, system, and network activity 
  • A monitoring capability for critical systems 
  • An intrusion detection mechanism 
  • Logging processes for networks, systems, and applications 


Key EDR Capabilities Addressed 

  • Real-time Monitoring: Continuous surveillance of endpoints for suspicious activities 
  • Incident Detection: Automated identification of security events and potential threats 
  • Threat Response: Rapid containment and remediation of security incidents 
  • Forensic Analysis: Detailed investigation capabilities for security events 
  • Data Loss Prevention: Monitoring for unauthorized data access or exfiltration 
  • Behavioral Analytics: Detection of anomalous user and system behavior 
  • Integration Capabilities: Correlation with other security tools and SIEM systems