Policies for the April Distribution

There are 3 policies and 2 procedures included in the April Institution Distribution. They are listed below:

To view and comment on the policies, please click on the links above. Please submit your comments (which may include attachments such as word documents, PDFs, etc.) through the links above. Doing so ensures your feedback is captured and reviewed during the post-comment period.

The deadline to review and submit feedback for the policies and procedure via the comment form is Friday, May 15.

SYS 415, Purchase & Payment of Lodging

This policy will go into effect on July 1, 2020.

Summary of Policy

This policy provides the requirements for booking lodging and hotel stays with UW System funds.

  • July 1 starts our new contract term for new travel agencies that was approved by BOR in December 2019 for services to begin on July 1, 2020. Moving from Fox World Travel to:
    • Travel Incorporated for Employee Services
    • Shorts for Athletic Services (excluding UW Madison)
    • Fox World Travel for Group Block Servicers
  • Modifications to this policy allow for Airbnb bookings and full prepayment, but continues to restrict most third party bookings.

Affected Area on Campus

  • This policy modification impacts all those who book lodging and hotels for UW-related travel, and the offices that reimburse such expenses.

Expectation of Campuses on UWSA Policy Reporting

  • UW institutions must adhere to the provisions of this policy.

Additional Communication

  • Further notice will be given prior to the effective date of this policy.

SYS 420, Travel & Expense- Meal and Incidental Expense (M&IE) Per Diem Allowance Reimbursements

This policy will go into effect on July 1, 2020.

Summary of Policy

This policy provides the daily allowances for UW System reimbursement of meal and incidental expenses

  • Modifications to this policy allow for reimbursement of meal expenses during single day trips.

Affected Area on Campus

  • This policy modification impacts all those who book lodging and hotels for UW-related travel, and the offices that reimburse such expenses.

Expectation of Campuses on UWSA Policy Reporting

  • UW institutions must adhere to the provisions of this policy.

Additional Communication

  • Further notice will be given prior to the effective date of this policy.

SYS 1039, Information Security: Risk Management

This policy and these procedures will go into effect December 1, 2020.

Summary of Policy and Procedure

This policy and procedures have been developed to establish expectations for Information Security Risk Management activities, as described below.

These three documents establish the foundation for a UW-Systemwide Information Security Risk Management Program. The policy and associated procedures address core pillars of information security risk management, setting associated expectations for UW faculty and staff.

The policy has been developed to ensure UW’s compliance with current and future information security governance, risk and compliance needs. Key components of this policy and procedures include:

SYS 1039, Information Security: Risk Management

  • The policy provides a formal structure for the management of information security (IS) risks occurring within the University of Wisconsin (UW) System.
  • Establishes standard methods for Information security risk management associated with all institution owned or leased information systems that process, maintain, transmit or store data used to accomplish UW System research, teaching and learning, or administration.
  • Establishes standard methods to ensure that the likelihood and impact of threats and vulnerabilities are understood and minimized to the furthest extent practical.
  • Creates a repository known as the Risk Register, for the identification, management, reporting, and tracking of implementation of controls, in relation to Information security risks and the assessment of those risks.
  • Documents accepted risks in situations in which a UW institution does not implement a standard control or process.
  • Establishes responsibility for ensuring information security risk management training materials are made available to leaders, managers, system developers and users.

SYS 1039.A, Information Security: Risk Management Procedure

  • This procedure establishes the process for the management of information security risks faced by the institutions of the University of Wisconsin (UW) System.
  • Establishes the process for the management of information security risks faced by the institutions of the University of Wisconsin.
  • Enables UW System institutions to proactively assess, mitigate, and manage information security risk throughout the enterprise.
  • Enables UW System institutions to capture information security risks in a formal, standardized manner.
  • Assigns formal information security risk ownership, treatment and validation.
  • Establishes a formal method for the assessment of likelihood, impact and resulting overall information security risk(s) throughout UW System.

SYS 1039.B, Information Security: Notification of Risk Acceptance

  • This procedure defines the specific methods for documenting, tracking, and notifying of information security risk acceptance and the application of equivalent information security controls, throughout UW System.
  • Defines specific methods for documenting, tracking, and notification of information security risk acceptance and the application of equivalent information security controls, throughout UW System

Affected Areas on Campuses

  • Each institution’s information technology office, led by its Chief Information Officer (CIO), is responsible for communicating this policy and associated procedures to its community of constituents.
  • This policy and associated procedure documents are applicable to all institutions, schools, departments and employees of UW System, including academic staff, faculty, student employees, and researchers, as well as third-parties, such as authorized contractors and vendors, who have access to UW System data and/or systems.

Expectation of Campuses on UWSA Policy Reporting

  • It is expected that the identified institution’s Chancellor or their designee will regularly report to UWSA on the implementation status of this policy and the associated procedures.

Additional Communication

  • The UW System Office of Information Security will ensure information security risk management training materials are made available to UW System leaders, managers, system developers and users.
  • Further reminder communications will be sent prior to the effective date.