Policy

Original Issuance Date: November 10, 2022

Last Revision Date: January 19, 2023

Effective Date: December 1, 2023

1. Policy Purpose

The purpose of this policy is to provide structure for the deployment and management of network controls used to mitigate Information Security (IS) threats throughout the University of Wisconsin (UW) System.

2. Responsible UW System Officer

Associate Vice President for Information Security

3. Scope and Institutional Responsibilities

This policy applies to all UW System institutions, including UW System Administration. This policy identifies the requirements for the installation and use of network protection controls on all UW System managed networks, where technically feasible, that transport data used to accomplish University research, teaching, learning, operations, or administration.

4. Background

The President of the University of Wisconsin System is empowered to establish IS policies under the provisions of Regent Policy Document 25-5, Information Technology: Information Security. The UW System is committed to a secure information technology environment in support of its mission.

The network protection requirements described within this policy are designed to help ensure satisfactory and consistent practices to address and mitigate persistent IS threats that use the network to attack information technology resources.

5. Definitions

Please see SYS 1000, Information Security: General Terms and Definitions, for a list of general terms and definitions. Terms and definitions found within this policy include:

  • External Network
  • Managed Interface
  • Network Security Zone
  • System Boundary
  • Trusted Network Security Zone

6. Policy Statement

A. Network Security Architecture Documentation

High-level network security architecture documentation must be maintained that identifies the security services and mechanisms for the Network Security Zones within the System Boundary and connections to External Networks. High-level network security architecture diagram(s) must accompany network security architecture documentation.

B. Network Access Controls

Employ network access controls to monitor and control communications at external boundaries and key Managed Interfaces between Network Security Zones within the System Boundary to restrict the flow of traffic and prevent unauthorized access commensurate with the classification of the data being transmitted. Network access controls must be aligned with the institution’s defined architecture.

C. Network Communication Protection Activities

Ensure network access controls protect the integrity and confidentiality of transmitted data in Trusted Network Security Zones and as defined by the institution’s network security architecture.

D. Network Configuration Management

Employ configuration change management processes and maintain documentation for security-related configuration changes to networking IT devices. Limit access rights to the minimal level necessary for administrators to perform their job duties.

E. Network Device Security

Network devices must be reasonably secured from unauthorized physical and logical access commensurate with the criticality of the device and its associated Network Security Zone.

7. Related Documents

Regent Policy Document 25-5, Information Technology: Information Security

UW System Information Security Program

UW System Administrative Procedure 1038.A, Information Security: Network Protection Standard

NIST Special Publication 800-53 Rev. 5

8. Policy History

Revision 1: January 19, 2023

First approved: November 10, 2022

9. Scheduled Review

November 2025