JANUARY 2020 POLICY DISTRIBUTION

Two policies and one procedure are included in the January 2020 SYS policy institutional distribution. They are listed below:

To view and comment on the policies, please click on the links above. Please submit your comments (which may include attachments such as word documents, PDFs, etc.) through the links above. Doing so ensures your feedback is captured and reviewed during the post-comment period.

The deadline to review and submit feedback for the policies and procedure via the comment form is Friday, February 7.

Institution Review

SYS 1035, Information Security: IT Asset Management and SYS 1035.A, Information Security: IT Asset Management Standard
This policy will be effective one year after approval.

Summary of Policy and Policy Revisions

  • The purpose of SYS 1035, Information Security: IT Asset Management is to establish a system-wide standard IT asset management practice to account for UW owned or leased IT assets.
    • UW System will identify a standard asset management tool to be used by all institutions in the UW System.
    • Each institution will conduct an annual inventory of all UW owned or leased IT assets. The results will be provided to the UW System Office of Information Security.
  • SYS 1035.A, Information Security: IT Asset Management Standard details the specific asset details to be recorded and tracked for:
    • the inventory of IT assets;
    • the inventory of Software assets; and
    • asset provisioning and decommissioning.

Affected Areas on Campuses

  • This policy is applicable to all UW System institutions and identifies the parameters for maintaining and managing all institution owned or leased IT assets.

Campus Implementation

  • Institutions must adhere to the provisions of this policy and procedure. They may not tailor them to their campuses.

Additional Communication

  • Further communication will be sent prior to the effective date of this policy.

 

SYS 1257, Title Change
The effective date of this policy is May 1, 2020.

Summary of Policy and Policy Revisions

  • The purpose of this policy is to provide guidance for a title change of a filled position.
  • The policy background has been condensed to remove statutory references to Wis. Stat. § 230.09(2) that no longer apply due to the implementation of the University Personnel System (UPS) on July 1, 2015.
    • Definitions specific to this policy have been added and/or clarified including:
      • Appellant
      • Best Fit
      • Business Title
      • CHRO/HRD
      • Demotion
      • Job Framework
      • Lateral Move
      • Market
      • Promotion
      • Regrading (Reallocation)
      • Standard Job Description
      • Standard of Review
      • Title Change (Re-titling)
      • Title of Record (Official Title)
    • The conditions and resultant actions of a title change have been clarified in Section 6.A, Title Change/Regrading.
    • The title appeal process has been expanded with a standard of review and systemwide minimum recommended steps in Section 6.B, Title Appeal.
    • Related documents have been updated to include a Title Appeal Request Form.

Affected Areas on Campuses

  • The institution’s Human Resources office is responsible for communicating the policy on campuses. The policy applies to all employees of UW System institutions.

Campus Implementation

  • Limited flexibility is provided to campuses when implementing this policy. They can be more restrictive but not more lenient in terms of requirements of the policy.
    If further guidance beyond the University of Wisconsin System Title Change Policy is required, reach out to the University of Wisconsin System Human Resources.

Additional Communication

  • After approval notification of the policy, University of Wisconsin Human Resources will develop communications for institution Human Resources offices to inform institution stakeholders about the updates to the Title Change Policy.

 

UPCOMING EFFECTIVE DATE REMINDER

As a reminder, one policy and one procedure become effective on March 17, 2020. They can be accessed via the links below:

Institutions should review the versions of the policy and procedure approved in September 2019 and take the necessary steps to be in compliance with the updated documents.

Please see the summary of changes below:

SYS 1030, Information Security: Authentication

  • In an effort to reduce variations and inconsistency of definitions across different policy documents, OIS will begin referring users to the Information Security Program Glossary within our set of policies, standards, procedures, and guidelines. Definitions that are not listed in the Glossary will still appear within policy documents until the Information Security Program Glossary is updated (anticipated on an annual basis).

SYS 1030.A, Information Security: Authentication Standard

  • A major re-organization and extensive content overhaul of this Standard has been performed.
  • The Procedure document is now referred to as a Standard (as denoted by the ‘Standard’ postfix in the title) to be consistent with industry norms, the State of Wisconsin Department of Administration, and other higher education institutions throughout the U.S. However, the format and layout of the document remain the same. Authentication procedures are to be developed by individual institutions in accordance with the SYS Policy (1030) and Procedure (1030.A) documents.
  • Removed requirements for authentication systems to meet LoA2 entropy requirements; this is no longer recommended or supported as a federal or industry standard.
  • Password strength is now focused on having a longer password rather than requiring complexity in passwords. This is to allow for use of passphrases and is consistent with the latest recommendations from NIST.
  • Secret change frequency
    • For accounts that incorporate MFA into all occurrences of internet-facing authenticators, secrets do not need to be changed on a scheduled basis.
    • When MFA is not incorporated into the authentication process, UWSA continues to recommend that secrets be changed on a frequent basis.
  • Includes a new section pertaining to the storage of user secrets.
  • Formal allowance for the use of password managers at the discretion of the institution’s CIO.