Scope
This policy outlines the expectations of the Board of Regents related to ensuring information security for University of Wisconsin System institutions. This policy covers all information assets and systems under the control of the UW System institutions and those who access these systems.
Purpose
The purpose of this policy is to establish the parameters for information technology security and access. The policy applies to all institutional information assets regardless of who manages the data and which devices are used to process, transmit or store the data. This policy also provides guidance regarding the physical and logical access to, and security of, data and information technology systems.
Policy Statement
Under s. 36.09(1), Wis. Stats., the Board of Regents is vested with the primary responsibility for the governance of the University of Wisconsin System. In discharging this responsibility, compliance with state, federal and local regulations is necessary to protect institutional and research data, including:
- student educational records;
- protected health information;
- data related to financial products or services;
- confidential and sensitive data; and
- the intellectual property of all UW System institutions and scholars.
The Board of Regents seeks to balance various aspects of information security, including:
- meeting the educational and research needs of the UW System institutions;
- protecting individuals;
- managing internal and external risks;
- controlling costs; and
- ensuring the reputation of the institutions.
In order to achieve these objectives, it is the policy of the Board of Regents that the UW System develop and maintain a comprehensive information security program. Using federal National Institute of Standards and Technology (NIST) standards as a guide, the UW System information security program shall encompass all aspects of information security including, but not limited to:
- system access and authentication;
- system and data integrity;
- data access, privacy and confidentiality; and
- incident response.
Once implemented, UW System institutions shall monitor compliance with the systemwide information security program.
Oversight, Roles, and Responsibilities
The Board of Regents delegates to the President of the UW System the authority to implement and maintain an information security program. Each UW System institution shall consistently apply the program and related processes.
The chancellor or designee, generally the chief information officer, at each UW System institution shall:
- be responsible for compliance with the systemwide information security program and related processes;
- provide information-security-related training and guidance to their respective institutions; and
- collaborate with systemwide information security governance committees to maintain consistent policies, processes, and communications about the UW System information security program.
Individuals and organizations accessing UW System information technology assets are responsible for following the UW System information security program and relevant state, federal and local regulations.
Related Regent Policies and Applicable Laws
Federal Laws
- Family Educational Rights and Privacy Act (FERPA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Gramm-Leach-Bliley Act
- Red Flags Law
- Fair and Accurate Credit Transactions Act (FACTA)
State Laws and Regulations
- Chapter UWS 14 Wisconsin Administrative Code, Student Academic Disciplinary Procedures
- Chapter UWS 17 Wisconsin Administrative Code, Student Nonacademic Disciplinary Procedures
- Chapter UWS 18 Wisconsin Administrative Code, Conduct on University Lands
- Section 943.70, Wisconsin Statutes
Regent Policy Documents
- RPD 21-4, Identity Theft Detection, Prevention, and Mitigation
- RPD 25-3, Acceptable Use of Information Technology Resources
- RPD 25-4, Strategic Planning and Large or High-Risk Projects
Other Considerations
- Payment Card Industry (PCI)
History: Res. 10629, adopted 02/05/2016, created Regent Policy Document 25-5.
See Also:
SYS 1030: Information Security: Authentication
SYS 1031: Information Security: Data Classification
SYS 1032: Information Security: Awareness
SYS 1033: Information Security: Incident Response
[UW System Administrative policies are included for reference and are separate from Regent Policy Documents adopted by the Board.]