April University Policy Distribution

The April university policy distribution contains one (1) new UW System Administrative policy, one (1) revised UW System Administrative policy, and two (2) revised UW System Administrative procedures.

New Policy

Revised Policies

Revised Procedures

Click on the links above to view the drafts and ensure that your feedback is captured for review during the post-comment period. Comments can include attachments, including Word documents and PDFs. Feedback on all the drafts above is due at 5pm on Friday, May 15.


DRAFT NEW POLICY

SYS 650, Public Records Management Roles and Responsibilities

This policy will be effective July 1, 2027.

Summary of Policy

  • To maintain accountability and to preserve the trust the public and students place in the University of Wisconsin (UW) System, records must be maintained legally and ethically as evidence of our work, decisions, and behavior. Like all state agencies, UW System must adhere to Wis. Stat. § 16.61, which governs the length of time public records must be kept and how these records must be disposed of or transferred to university archives. Unauthorized disclosure, alteration, or destruction of records constitutes a serious breach of public trust and risks legal and reputational harm to UW System. This policy outlines the roles and responsibilities for the proper management, disposition, and preservation of UW System records in order to comply with these requirements.
  • Per Wis. Stat. § 16.61, all employees of the state of Wisconsin are obligated to manage records according to records schedules approved by the Wisconsin Public Records Board. However, most employees are unaware of the records schedules that apply to their records and therefore are not in compliance with this obligation. The key requirement of this policy is for units to create, maintain, and adhere to a unit records management plan. The unit records management plan:
    • Identifies the types of records created and managed by their staff and all associated records schedules.
    • Identifies how those types of records are organized and ensures that all pertinent records are stored centrally instead of on individual drives, devices, or accounts.
  • After initial creation, employees will have unit records management plans available for their use, which will increase awareness and overall compliance with records management obligations. It will also significantly decrease the time and effort each individual employee needs to meet these obligations. Records management plans will help to secure records by identifying those records that require additional protections because they contain personally identifiable or other confidential information protected by statute. Records management plans will also be of great use in preserving records management functions through staff turnover.

DRAFT REVISED POLICY

SYS 1039, Information Security: Risk Management

These revisions will be effective 6 months after signature by the President.

Summary of Policy

  • This policy establishes a unified and structured approach to IT risk management across the Universities of Wisconsin, ensuring risks to systems, data, and operations are identified, evaluated, documented, and treated in a consistent and accountable manner. It reinforces that risk management is a shared responsibility across all institutions and applies to institution-owned systems as well as third-party and cloud environments. The policy aligns decision-making with institutional priorities, business value, and risk appetite, and clarifies the roles of risk owners and risk executives in ensuring risks are addressed and approved at appropriate authority levels.
  • This draft policy will replace the current policy. Major changes focus on strengthening accountability, sharpening expectations, and embedding risk-based governance into institutional practice. Key enhancements include clearer requirements for identifying and assessing meaningful risks, formal assignment of risk ownership, defined and documented risk treatment approaches, expanded expectations for maintaining accurate and auditable risk registers, and more structured escalation and reporting of risks that exceed an institution’s defined risk appetite. The updates also modernize terminology, improve alignment with national standards and industry best practices, and reinforce transparency through increased reporting to the UW Administration Office of Information Security.

Policy Revisions

  • In Section 3, refined scope and applicability, extending policy coverage to all UW institutions and explicitly including cloud services, third-party providers, and external data processors.
  • In Section 5, added and updated key definitions, including new definitions for risk owner and residual risk and updated responsibilities for the risk executive, aligned to enterprise risk governance practices.
  • These definitions are currently included in the body of the draft policy for the purpose of gathering feedback. Per regular practice, they will be moved to SYS 1000, Information Security: General Terms and Definitions, prior to publication of the approved policy.
  • In Section 6.A, shifted risk identification expectations to prioritize risks with the potential to significantly affect institution operations, systems, or data, while still encouraging visibility into unit-level risks that may create broader exposure.
  • In Section 6.B, established formal accountability for risk ownership, requiring every IT risk to have a designated risk owner responsible for evaluation and response aligned to institution priorities and risk appetite.
  • In Section 6.B, strengthened risk decision-making governance, requiring risks exceeding defined risk appetite to be reviewed and approved by a designated risk executive.
  • In Section 6.C, defined consistent risk treatment options, formalizing mitigation, transfer, avoidance, and documented acceptance as acceptable responses.
  • In Section 6.D, strengthened documentation and risk register requirements, establishing formal expectations for institutions to maintain current records of identified IT risks, associated assessments, and treatment decisions. The revised policy requires documenting risks that exceed the institution’s risk appetite in a designated risk register, linking policy exceptions to corresponding risk entries when applicable, and ensuring records remain current and available for review by the UW System Office of Information Security, Internal Audit, or other authorized parties. The UW System Office of Information Security will maintain a central risk register to improve awareness of systemwide risks, trends, and shared exposures.
  • In Section 6.E, enhanced reporting expectations, requiring institutions to report material risks and policy exceptions to the UW System Office of Information Security in accordance with SYS 1039.B.

DRAFT REVISED PROCEDURES

SYS 1039.A, Information Security: IT Risk Management Standard

These revisions will be effective 6 months after signature by the President.

Summary of Procedure and Procedure Revisions

  • This standard shifts from treating individual vulnerabilities or control gaps as risks by default to focusing on risks that could meaningfully affect institution objectives, operations, systems, or data, emphasizing strategic, mission-aligned risk identification.
    • In Section 4.A.I, institutions are now required to use documented and repeatable processes to identify IT risks across systems, services, third-party relationships, and major initiatives, incorporating sources such as audit findings, incidents, emerging threats, and input from distributed units.
      • All identified risks must be formally recorded in a designated risk register, with defined minimum data elements to ensure consistent documentation, traceability, and completeness across institutions.
      • Institutions are encouraged to conduct a comprehensive, enterprise-wide IT risk assessment at least every five (5) years. This approach remains recommended in the revised standard, but is now more clearly positioned as a maturity practice that improves systemwide visibility and coordinated risk oversight, rather than a mandated compliance requirement.
    • In Section 4.A.II, risk assessment must follow a consistent methodology that evaluates likelihood and impact, determines inherent and residual risk levels, and aligns decisions with institutional risk appetite and tolerance thresholds.
      • Risk review and reassessment expectations have been expanded and clarified, requiring periodic review of enterprise and high-risk items and reassessment when conditions materially change, improving ongoing accuracy and accountability.
    • In Section 4.A.III, every IT risk must now be assigned to a risk owner with responsibility for evaluation, treatment selection, monitoring, and escalation, reinforcing accountability and aligning decisions with operational authority.
      • Risks that exceed the institution’s risk appetite must be escalated to a designated risk executive for review and approval, strengthening governance and ensuring major risk decisions occur at the appropriate level.
    • In Section 4.A.IV, risk treatment expectations are formalized, requiring documented justification for mitigation, transfer, avoidance, or acceptance decisions, and follow-up to validate the effectiveness of controls once implemented.
    • In Section 4.A.V, documentation requirements are significantly expanded, including defined minimum data fields, linkage to related artifacts such as policy exceptions or audit findings, version and change tracking, approval history, review cadence, and closure criteria, resulting in more consistent and auditable risk records across universities.
      • A risk may only be closed when residual risk is within appetite, treatment actions are complete and verified, and required approvals and documentation are finalized, establishing a clear and controlled closure process.
      • Universities must make risk records available to UW System OIS, Internal Audit, or other authorized parties and follow SYS 1039.B for reporting above-appetite risks and policy exceptions, improving transparency and systemwide visibility into significant risks.

SYS 1039.B, Information Security: Risk Acceptance and Policy Exception Reporting (formerly Notification of Risk Acceptance)

These revisions will be effective 6 months after signature by the President.

Summary of Procedure and Procedure Revisions

  • This procedure defines the method and information required to document, track, and provide notification of risk acceptance and policy exception reporting throughout the University of Wisconsin (UW) System.
    • In Section 4.A, expanded scope to include both risk acceptance and policy exception reporting, replacing the prior focus solely on risk acceptance.
      • Clarified reporting criteria, specifying:
        • Policy exceptions must be reported when a required control or process is not implemented.
        • Risk acceptance must be reported when residual risk exceeds the institution’s defined risk appetite.
    • In Section 4.B, replaced references to a specific form for submitting exceptions with flexible language allowing submission via forms, workflows, or approved tools designated by the Office of Information Security.
      • Strengthened submission requirements by specifying required elements for each report.
      • Revised renewal cadence, changing the required review and resubmission period from annual to every three years for risk acceptance and policy exception notifications that remain in effect.
      • Aligned terminology with SYS 1039 and broader UW System governance, explicitly referencing local documentation requirements under SYS 1039, Section 6.D and including updated definitions.
      • Reformatted structure and language for clarity, readability, and consistency with revised SYS 1039 and other updated SYS information security standards.


Federal Fridays

The Universities of Wisconsin Federal Update Working Group has a Federal Updates web page where the public can learn about the federal issues the UW is monitoring. The site provides a dashboard view of the various issues organized by topic, with a summary and links related to each topic.