SYS Policy Approval Notice

Friday, August 26, 2022

 

SYS Policy Approval Notification

On August 24th, President Rothman approved substantive revisions to SYS 1033, Information Security: Incident Response.

On August 25th, President Rothman approved technical revisions to SYS 1214, Catastrophic Leave Program.

See below for a brief summary of the policy revisions.

SYS 1033, Information Security: Incident Response

These policy revisions became effective upon approval.

This policy establishes the minimum requirements to report an Information Security (IS) incident throughout the University of Wisconsin (UW) System and the subsequent required actions by the institutions when an incident occurs.

The following revisions have been approved:

  • Clarifications of reportable incidents. Addition of all ransomware attacks and specific vendor breaches as reportable incidents.
  • Reportable incidents are now to be reported to the UW System Office of Information Security distribution list rather than directly to the AVP Information Security.
  • Added a requirement for institutions to develop and maintain joint incident response plans with their associated Foundation(s), and to clearly define roles and responsibilities between the institution and Foundation regarding who is responsible for remediating incidents.
  • Other various non-substantive clarifications and formatting changes.

Institution Comments and Concerns:

  • UW System received and incorporated Institutional feedback on SYS 1033, this included:
    • A recommendation was made to not require all ransomware attacks be reportable incidents since lower severity incidents, such as those on student devices, may not need to be reported. This recommendation was not implemented. Only UW-owned assets are within scope of this policy. Ransomware continues to be the largest cybersecurity concern of leadership and most impactful cyber incident across the industry. Tracking ransomware incidents across UW, regardless of severity, is necessary for effective threat modeling and preparedness. The IR plan will be reviewed and updated to ensure consistency with policy.
    • A recommendation was made to limit the reporting of vendor breaches to those where official breach notification was received from the vendor. This recommendation was implemented. In addition, the final findings template will be reviewed and updated to assist with reporting of these incidents.
    • A recommendation was made to only require annual tabletop exercises if a campus has not activated the UW System Incident Response plan in the last calendar year. This recommendation was not implemented. This policy requirement stems from expectations from cyber liability insurance providers and industry best practice. Tabletop exercises can vary in scope and therefore can be adjusted to utilize scenarios or target audiences that did not participate in IR plan activations.
    • A statement was made pertaining to the new policy requirement to develop a joint IR plan with institution’s associated Foundation(s), in that this new requirement does not add any significant value. This requirement was added to resolve an internal audit finding and to add clarity on responsibilities when incidents occur at foundations. Conversely, this new policy language was endorsed by a separate institution.

SYS 1214, Catastrophic Leave Program

These policy revisions became effective upon approval.

The purpose of this policy is to establish a catastrophic leave program for UW System employees. The following technical revisions were made:

  • Technical change to Leave Credits definition – reference to UPS operational policy was updated to System Administrative Policy.
  • Added section 2, Responsible UW System Officer.
  • Added section 3, Scope.
  • In section 6, updated the numbering scheme to match the current SYS policy template.
  • Added section 9,Scheduled Review. The policy will be reviewed prior to August  2025.
  • No substantive updates were made to this policy.