On April 24, President Thompson approved a technical revision to SYS 1039, Information Security: Risk Management.

On April 25, Vice President Langdon also approved technical revisions to the procedures SYS 1039.A, Information Security: Risk Management Procedure and SYS 1039.B, Information Security: Notification of Risk Acceptance.

The technical revisions delay the effective date of the policies and procedures until January 1, 2022. See a detailed summary of the revisions below:


SYS 1039, Information Security: Risk Management 

SYS 1039.A, Information Security: Risk Management Procedure 

SYS 1039.B, Information Security: Notification of Risk Acceptance Standard

This policy and these procedures will go into effect on January 1, 2022.

Summary of Policy and Procedures

  • This policy and these procedures have been developed to establish expectations for Information Security Risk Management activities, as described below:
    • SYS 1039: The policy provides a formal structure for the management of information security (IS) risks occurring within the University of Wisconsin (UW) System.
    • SYS 1039.A: This procedure establishes the process for the management of information security risks faced by the institutions of the University of Wisconsin (UW) System.
    • SYS 1039.B: This procedure defines the specific method and information required to document, track and provide notification of risk acceptance of information security-related requirements throughout the University of Wisconsin (UW) System. 
  • Due to delays in the implementation of ERM and the requested security actions from President Thompson to address cyber security incidents, the effective date of this policy and these procedures is delayed.
  • The policies and procedures will now go into effect on January 1, 2022.
  • The policy scheduled review date is one year from the effective date, in January 2023.

Affected Areas on Campuses

  • Each institution’s information technology office, led by its Chief Information Officer (CIO), is responsible for communicating this policy and associated procedures to its community of constituents.
  • This policy and associated procedure documents are applicable to all institutions, schools, departments and employees of UW System, including academic staff, university staff, faculty, student employees, and researchers, as well as third parties, such as authorized contractors and vendors, who have access to UW System data and/or systems.

Expectation of Campuses on UWSA Policy Reporting

  • It is expected that the identified institution’s Chancellor or their designee will regularly report to UWSA on the implementation status of this policy and the associated procedures.

Additional Communication

  • The UW System Office of Information Security will ensure information security risk management training materials are made available to UW System leaders, managers, system developers and users.
  • Further reminder communications will be sent prior to the effective date.