August Policy Distribution Reminder
As a reminder, the August 2022 institution policy distribution includes for comment one (1) revised policy, two (2) new policies, and one (1) new procedure.
One (1) revised policy:
Two (2) new policies:
- SYS 1038, Information Security: Network Protection
- SYS 1220, Postdoc Absence with Pay and Legal Holidays
One (1) new procedure:
Click on the links above to view the drafts and ensure that your feedback is captured for review during the post-comment period. Comments can include attachments, including word documents and PDFs. Please submit your feedback for the policies by Friday, September 2.
Please find summaries of the policies and procedures below.
Draft Policy Revisions
The Office of Federal Contract Compliance Programs has updated its guidance surrounding the use of visual observation as a mechanism for determining the race and sex of employees who have not completed a voluntary self-identification. The practice is now discouraged as such observations may not be reliable. The following revisions are proposed for this policy:
- This update revises section 6 of the above-listed policy to bring current practices into compliance with this new guidance.
Draft New Policy
The purpose of this policy is to provide structure for the deployment and management of network controls used to mitigate Information Security threats throughout the University of Wisconsin (UW) System. This policy was developed with a group of subject matter experts representing multiple institutions across UW System. This policy requires:
- High-level network security architecture documentation be maintained and include high-level security architecture diagram(s).
- Network access controls be employed to monitor and control communications at external boundaries and key internal managed interfaces, and to protect the integrity and confidentiality of transmitted data.
- Network IT assets be reasonably secured from unauthorized physical and logical access, and their security-related configuration changes must be documented as part of a defined change management process.
- Standards for these policy requirements are further defined in SYS 1038, Information Security: Network Protection Standards. Note that requirements for authentication to network devices and services are defined in SYS 1030, Information Security: Authentication, and are not duplicated in this policy.
Draft New Policy
This policy provides the framework for postdoc absences with pay and legal holidays for all postdocs in the university workforce, except for employees at UW-Madison. This new policy requires:
- This policy creates paid leave for postdocs for purposes of illness or medical need.
- This policy creates paid leave for postdocs for purposes of personal time off.
- This policy allows postdocs to receive paid leave for legal holidays.
- The policy distinguishes the unique nature of the leave granted to postdocs and clarifies that it is not considered sick leave or vacation leave within the meaning of UWS policies. The leave does not carry over, is not bankable and does not automatically transfer if the employee changes positions within the UW system.
Draft New Procedure
This procedure sets out the standards for the newly proposed SYS 1038, Information Security: Network Protection. Its purpose is to provide structure and guidance for the deployment and management of Information Technology (IT) network controls used to mitigate Information Security (IS) threats throughout the University of Wisconsin (UW) System.
SYS Policy Approval Notification
On August 24th, President Rothman approved substantive revisions to SYS 1033, Information Security: Incident Response.
On August 25th, President Rothman approved technical revisions to SYS 1214, Catastrophic Leave Program.
See below for a brief summary of the policy revisions.
These policy revisions became effective upon approval.
This policy establishes the minimum requirements to report an Information Security (IS) incident throughout the University of Wisconsin (UW) System and the subsequent required actions by the institutions when an incident occurs.
The following revisions have been approved:
- Clarifications of reportable incidents. Addition of all ransomware attacks and specific vendor breaches as reportable incidents.
- Reportable incidents are now to be reported to the UW System Office of Information Security distribution list rather than directly to the AVP Information Security.
- Added a requirement for institutions to develop and maintain joint incident response plans with their associated Foundation(s), and to clearly define roles and responsibilities between the institution and Foundation regarding who is responsible for remediating incidents.
- Other various non-substantive clarifications and formatting changes.
Institution Comments and Concerns:
- UW System received and incorporated institutional feedback on SYS 1033; this included:
- A recommendation was made to not require all ransomware attacks be reportable incidents since lower severity incidents, such as those on student devices, may not need to be reported. This recommendation was not implemented. Only UW-owned assets are within scope of this policy. Ransomware continues to be the largest cybersecurity concern of leadership and most impactful cyber incident across the industry. Tracking ransomware incidents across UW, regardless of severity, is necessary for effective threat modeling and preparedness. The IR plan will be reviewed and updated to ensure consistency with policy.
- A recommendation was made to limit the reporting of vendor breaches to those where official breach notification was received from the vendor. This recommendation was implemented. In addition, the final findings template will be reviewed and updated to assist with reporting of these incidents.
- A recommendation was made to only require annual tabletop exercises if a campus has not activated the UW System Incident Response plan in the last calendar year. This recommendation was not implemented. This policy requirement stems from expectations from cyber liability insurance providers and industry best practice. Tabletop exercises can vary in scope and therefore can be adjusted to utilize scenarios or target audiences that did not participate in IR plan activations.
- A statement was made that the new policy requirement to develop a joint IR plan with an institution’s associated Foundation(s) does not add any significant value. This requirement was added to resolve an internal audit finding and to add clarity on responsibilities when incidents occur at foundations. Conversely, this new policy language was endorsed by a separate institution.
These policy revisions became effective upon approval.
The purpose of this policy is to establish a catastrophic leave program for UW System employees. The following technical revisions were made:
- Technical change to the Leave Credits definition: the reference to UPS Operational Policy was updated to System Administrative Policy.
- Added section 2, Responsible UW System Officer.
- Added section 3, Scope.
- In section 6, updated the numbering scheme to match the current SYS policy template.
- Added section 9, Scheduled Review. The policy will be reviewed prior to August 2025.
- No substantive updates were made to this policy.