
January Policy Distribution Reminder, Revised Comment Form, and Recently Approved Policies

Posted 4:18 p.m. Friday, Jan. 28, 2022

The January 2022 institution policy distribution includes for comment four revised policies and four revised procedures. All revisions are part of technical amendments in the Information Security series. 

Four (4) revised policies:

- SYS 1000, Information Security: General Terms and Definitions
- SYS 1037, Information Security: IT Disaster Recovery
- SYS 1041, Information Security: Logging and Monitoring
- SYS 1042, Information Security: Threat and Vulnerability Management Standard

Four (4) revised procedures:

- SYS 1030.A, Information Security: Authentication
- SYS 1031.A, Information Security: Data Classification Procedure
- SYS 1039.A, Information Security: Risk Management Procedure
- SYS 1042.A, Information Security: Threat and Vulnerability Management Standard

Click on the links above to view the drafts and ensure that your feedback is captured for review during the post-comment period. Comments can include attachments, including Word documents and PDFs. Please submit your feedback by Friday, February 4.

Please find summaries of the policies below. 



DRAFT POLICY REVISIONS

SYS 1000, Information Security: General Terms and Definitions

The purpose of this policy is to provide a list of general terms and definitions that are used in the 1000 series of the UW System Administrative policy set. Revisions to the policy include: 

- Updated policy and procedure links to Related Documents in section 7
- Added definitions from SYS 1037, SYS 1041, and SYS 1042 to section 5


DRAFT POLICY REVISIONS

SYS 1037, Information Security: IT Disaster Recovery

This policy establishes the minimum requirements for an Information Technology (IT) Disaster Recovery (DR) Plan for University of Wisconsin (UW) institutions and is designed to assist in executing recovery processes in response to a disaster or significant IT disruption. Revisions to the policy include: 

- Moved the following definitions in section 5 to SYS 1000 and updated the standard definition section language:
  - Data Backup
  - Disaster Recovery (DR) Plan
  - Recovery Time Objective (RTO)
  - Recovery Point Objective (RPO)


DRAFT POLICY REVISIONS

SYS 1041, Information Security: Logging and Monitoring

The purpose of this policy is to establish a consistent expectation of security logging and monitoring practices across the University of Wisconsin (UW) System to aid in the early identification and forensics of security events. Revisions to this policy include:

- Moved the following definition from section 5 to SYS 1000:
  - High Impact System
- Removed definition for IT Asset


DRAFT POLICY REVISIONS

SYS 1042, Information Security: Threat and Vulnerability Management

This policy establishes the minimum requirements for vulnerability management, vulnerability scanning, patch management, threat intelligence and penetration testing of University of Wisconsin (UW) System information technology owned or leased IT assets. Revisions to the policy include: 

- Moved the following definitions from section 5 to SYS 1000:
  - Vulnerability Scanning
  - Vulnerability Management
  - Patch Management
  - Penetration Testing
  - IT Asset Owner


DRAFT PROCEDURE REVISIONS

SYS 1030.A, Information Security: Authentication

This procedure describes the minimum authentication standards that must be met by University of Wisconsin (UW) System institutions. Revisions to the procedure include: 

- In section 5 (Related Documents), updated NIST 800-53v4 reference to NIST 800-53v5


DRAFT PROCEDURE REVISIONS

SYS 1031.A, Information Security: Data Classification Procedure

This procedure outlines a method to classify data according to risk to the University of Wisconsin System and assign responsibilities and roles that are applicable to data governance. Revisions to this procedure include:

- In subsection 4.C, updated financial account number language to be consistent with Wis. Stats. § 134.98
- Added link to Information Security Compensating Control Request Form to section 5, Related Documents


DRAFT PROCEDURE REVISIONS

SYS 1039.A, Information Security: Risk Management Procedure

This Information Security Risk Management (ISRM) procedure establishes the process for the management of information security risks faced by the institutions of the University of Wisconsin (UW) System. Revisions to the procedure include: 

- Updated NIST 800-53v4 reference in section 1 (Policy Purpose) and section 2 (Related Documents) to NIST 800-53v5


DRAFT PROCEDURE REVISIONS

SYS 1042.A, Information Security: Threat and Vulnerability Management Standard

The purpose of this procedure is to establish the minimum requirements for vulnerability management, vulnerability scanning, patch management, threat intelligence and penetration testing of University of Wisconsin (UW) System owned or leased information. Revisions to this procedure include: 

- Updated definition section language to conform with the rest of the SYS 1000 series policies


Revised Comment Form

In an effort to solicit more targeted feedback on policies, we have revised the comment form. The current version of the comment form for draft policies includes sections to indicate the nature of proposed revisions (substantive or technical) and to cite specific policy sections. All policies and procedures in this month's distribution use the revised comment form. 

Unfortunately, the IT issue that prevents submitted comments from displaying persists. While submitted comments are not displayed on the form page, our office is receiving all submitted feedback. We continue to work with IT and are hopeful that submitted comments will be displayed on the comment form again soon. 


SYS Policy Action Approvals

President Thompson recently approved three SYS Policy Actions. These include: 

- Rescission of SYS 1110, Information Technology Acquisitions Approval (approved January 24, 2022)
- Revisions to two (2) policies:
  - SYS 306, Accounting and Budget Control (approved January 25, 2022)
  - SYS 1237, Student Employment (approved January 27, 2022)

For more information on these policy actions, please see the summaries below. 


APPROVED POLICY RESCISSION

Rescission of SYS 1110, Information Technology Acquisitions Approval

The purpose of this policy was to authorize UW System institutions to make information technology acquisitions and provide for review by the UW System Chief Information Officer where such an acquisition would be classified as a large or high risk information technology project under Regent Policy Document 25-4, Strategic Planning and Large or High Risk Projects. The State of Wisconsin has delegated information technology acquisition authority to the UW System. Separately, under § 36.59, Wis. Stats., the UW System Administration is responsible for reporting semi-annually on all large or high-risk information technology projects to the legislature's Joint Committee on Information Technology. Regent Policy Document 25-4, Strategic Planning and High Risk Projects, outlines requirements institutions must follow when managing and overseeing projects that are reportable as large or high risk. The rationale for rescinding this policy was as follows:

- The amendment to RPD 25-4 (on 7/9/2021) formally delegates the limits of information technology purchases below $1 million to the UW President and Chancellors and establishes a clear process for approval of the large or high-risk projects above the $1 million threshold.
- As such, all policy statements from SYS 1110 were superseded and SYS 1110 needed to be rescinded to avoid duplication and confusion.

There were no comments submitted during the distribution feedback period. 


APPROVED POLICY 

SYS 306, Accounting and Budget Control

This policy identifies the basic accounting activities to be performed within the University of Wisconsin System and establishes requirements for each accounting activity. Revisions to the policy included:

- Reformatted policy to meet current policy format in alignment with SYS 1.A, UW System Administrative Policy Template, including drafting new sections for the scope, background, and definitions, and moving some previously used language to different sections to better cohere with the policy format.
- Revised language for concision and clarity.
- Throughout policy, replaced references to "Central Administration" with "UW System Administration".
- In Section 6.A, removed definition of budget now included in definitions section.
- In Section 6.A, removed unnecessary references to specific types of budget adjustments to be reported to the Board of Regents.
- In Section 6.A, revised the frequency with which budget adjustments must be reported to the Board of Regents from "monthly" to "at least […] semi-annual[ly]".
- In Section 6.C.I, removed outdated references to processing centers.
- In Section 6.C.I, added language to reflect current UW System Administration and business unit responsibilities related to the UW System's finance ERP system.
- In Section 6.C.II, removed outdated references to a Central Administration pre-audit department.
- In Section 6.E, clarified updated responsibilities for business units and UW System Administration related to preparing the Annual Financial Report, as well as reporting standards.

During the review period, the following recommendations were made:

- To subsection C. Expenditures; III. Supplier Payments, a reviewer recommended adding the following sentence: "The preaudit process can be an electronic invoice to PO match within set tolerances as defined in the UW System's Finance ERP system."
  - This sentence was added.
- In Section D. Reconciliation, a reviewer recommended not naming the State's ERP system.
  - In response, the reference to the current ERP system, STAR, was removed.
- In Section E. Reporting, a reviewer recommended revising the section to indicate that reports are submitted as requested to the UW System Office of Finance, rather than to the Office of the Vice President for Finance and Controller.
  - This change was made.


APPROVED POLICY 

SYS 1237, Student Employment

This policy outlines UW System provisions specific to student employment and provides guidance for university departments on complying with the Patient Protection and Affordable Care Act of 2010 as those requirements relate to student workers. Revisions to this policy included:

- Throughout the policy, updated language to use "UW System" when the entire system is being referenced.
- In Section 1, clarified the acronym "ACA" for the Patient Protection and Affordable Care Act of 2010.
- In Section 3, updated definition of Non-benefits eligible to include corrected titles of benefits packages.
- In Section 3, updated definition of Standard Measurement Period to reflect the date parameters for this period.
- Throughout the policy, made other formatting changes such as removing unnecessary spaces.
- Updated section headers to align with the format outlined in SYS 1.A, UW System Administrative Policy Template.

There were no comments submitted during the distribution feedback period. 
