Posted 9:37 a.m. Friday, Jan. 21, 2022
The January 2022 institution policy distribution includes for comment four revised policies and four revised procedures. All revisions are part of technical amendments in the Information Security series.
January Policy Distribution and Revised Comment Form

Four (4) revised policies:
· SYS 1000, Information Security: General Terms and Definitions
· SYS 1037, Information Security: IT Disaster Recovery
· SYS 1041, Information Security: Logging and Monitoring
· SYS 1042, Information Security: Threat and Vulnerability Management Standard

Four (4) revised procedures:
· SYS 1030.A, Information Security: Authentication
· SYS 1031.A, Information Security: Data Classification Procedure
· SYS 1039.A, Information Security: Risk Management Procedure
· SYS 1042.A, Information Security: Threat and Vulnerability Management Standard

Click on the links above to view the drafts and ensure that your feedback is captured for review during the post-comment period. Comments can include attachments, including Word documents and PDFs. Please submit your feedback by Friday, February 4. Please find summaries of the policies below.
DRAFT POLICY REVISIONS

SYS 1000, Information Security: General Terms and Definitions
The purpose of this policy is to provide a list of general terms and definitions that are used in the 1000 series of the UW System Administrative policy set. Revisions to the policy include:
· Updated policy and procedure links to Related Documents in section 7
· Added definitions from SYS 1037, SYS 1041, and SYS 1042 to section 5
SYS 1037, Information Security: IT Disaster Recovery
This policy establishes the minimum requirements for an Information Technology (IT) Disaster Recovery (DR) Plan for UW System institutions and is designed to assist in executing recovery processes in response to a disaster or significant IT disruption. Revisions to the policy include:
· Moved the following definitions from section 5 to SYS 1000 and updated the standard definition section language:
  · Data Backup
  · Disaster Recovery (DR) Plan
  · Recovery Time Objective (RTO)
  · Recovery Point Objective (RPO)
SYS 1041, Information Security: Logging and Monitoring
The purpose of this policy is to establish a consistent expectation of security logging and monitoring practices across the UW System to aid in the early identification and forensics of security events. Revisions to this policy include:
· Moved the following definition from section 5 to SYS 1000:
  · High Impact System
· Removed the definition for IT Asset
SYS 1042, Information Security: Threat and Vulnerability Management
This policy establishes the minimum requirements for vulnerability management, vulnerability scanning, patch management, threat intelligence and penetration testing of UW System information technology owned or leased IT assets. Revisions to the policy include:
· Moved the following definitions from section 5 to SYS 1000:
  · Vulnerability Scanning
  · Vulnerability Management
  · Patch Management
  · Penetration Testing
  · IT Asset Owner
DRAFT PROCEDURE REVISIONS

SYS 1030.A, Information Security: Authentication
This procedure describes the minimum authentication standards that must be met by UW System institutions. Revisions to the procedure include:
· In section 5 (Related Documents), updated the NIST 800-53v4 reference to NIST 800-53v5
SYS 1031.A, Information Security: Data Classification Procedure
This procedure outlines a method to classify data according to risk to the UW System and assign responsibilities and roles that are applicable to data governance. Revisions to this procedure include:
· In subsection 4.C, updated financial account number language to be consistent with s. 134.98, Wis. Stats.
· Added a link to the Information Security Compensating Control Request Form to section 5, Related Documents
SYS 1039.A, Information Security: Risk Management Procedure
This Information Security Risk Management (ISRM) procedure establishes the process for the management of information security risks faced by the institutions of the UW System. Revisions to the procedure include:
· Updated the NIST 800-53v4 reference in section 1 (Policy Purpose) and section 2 (Related Documents) to NIST 800-53v5
SYS 1042.A, Information Security: Threat and Vulnerability Management Standard
The purpose of this procedure is to establish the minimum requirements for vulnerability management, vulnerability scanning, patch management, threat intelligence and penetration testing of UW System owned or leased information. Revisions to this procedure include:
· Updated the definition section language to conform with the rest of the SYS 1000 series policies
Revised Comment Form

In an effort to solicit more targeted feedback on policies, we have revised the comment form. The current version of the comment form for draft policies includes sections to indicate the nature of proposed revisions (substantive or technical) and to cite specific policy sections. All policies and procedures in this month's distribution use the revised comment form.

Unfortunately, the IT issue that prevents submitted comments from displaying persists. While submitted comments are not displayed on the form page, our office is receiving all submitted feedback. We continue to work with IT and are hopeful that submitted comments will be displayed on the comment form again soon.