Information Technology: Information Security

Scope

This policy outlines the expectations of the Board of Regents related to ensuring information security for University of Wisconsin System institutions. This policy covers all information assets and systems under the control of the UW System institutions and those who access these systems.

Purpose

The purpose of this policy is to establish the parameters for information technology security and access. The policy applies to all institutional information assets regardless of who manages the data and which devices are used to process, transmit or store the data. This policy also provides guidance regarding the physical and logical access to, and security of, data and information technology systems.

Policy Statement

Under s. 36.09(1), Wis. Stats., the Board of Regents is vested with the primary responsibility for the governance of the University of Wisconsin System. In discharging this responsibility, compliance with state, federal and local regulations is necessary to protect institutional and research data, including:

student educational records;
protected health information;
data related to financial products or services;
confidential and sensitive data; and
the intellectual property of all UW System institutions and scholars.

The Board of Regents seeks to balance various aspects of information security, including:

meeting the educational and research needs of the UW System institutions;
protecting individuals;
managing internal and external risks;
controlling costs; and
ensuring the reputation of the institutions.

In order to achieve these objectives, it is the policy of the Board of Regents that the UW System develop and maintain a comprehensive information security program. Using federal National Institute of Standards and Technology (NIST) standards as a guide, the UW System information security program shall encompass all aspects of information security including, but not limited to:

system access and authentication;
system and data integrity;
data access, privacy and confidentiality; and
incident response.

Once implemented, UW System institutions shall monitor compliance with the systemwide information security program.

Oversight, Roles, and Responsibilities

The Board of Regents delegates to the President of the UW System the authority to implement and maintain an information security program. Each UW System institution shall consistently apply the program and related processes.

The chancellor or designee, generally the chief information officer, at each UW System institution shall:

be responsible for compliance with the systemwide information security program and related processes;
provide information-security-related training and guidance to their respective institutions; and
collaborate with systemwide information security governance committees to maintain consistent policies, processes, and communications about the UW System information security program.

Individuals and organizations accessing UW System information technology assets are responsible for following the UW System information security program and relevant state, federal and local regulations.

Related Regent Policies and Applicable Laws

Federal Laws

Family Educational Rights and Privacy Act (FERPA)
Health Insurance Portability and Accountability Act (HIPAA)
Graham-Leach-Bliley Act
Red Flags Law
Fair and Accurate Credit Transactions Act (FACTA)

State Laws and Regulations

Chapter UWS 14 Wisconsin Administrative Code, Student Academic Disciplinary Procedures
Chapter UWS 17 Wisconsin Administrative Code, Student Nonacademic Disciplinary Procedures
Chapter UWS 18 Wisconsin Administrative Code, Conduct on University Lands
Section 943.70, Wisconsin Statutes

Regent Policy Documents

RPD 21-4, Identity Theft Detection, Prevention, and Mitigation
RPD 25-3, Acceptable Use of Information Technology Resources
RPD 25-4, Strategic Planning and Large or High-Risk Projects

Other Considerations

Payment Card Industry (PCI)

History: Res. 10629, adopted 02/05/2016, created Regent Policy Document 25-5.

Regent Policy Document 25-5