The one policy and one procedure in the January Policy Distribution are listed below:

  • SYS 1042, Information Security: Threat and Vulnerability Management
  • SYS 1042.A, Information Security: Threat and Vulnerability Management Standard

Click on the links from the “January Distribution Policies” page to view the drafts and ensure that your feedback is captured for review during the post-comment period. Comments can include attachments, including Word documents and PDFs.

Below find brief summaries of the policies. Complete summaries are located at the top of the draft policy pages.

Submit feedback for the policies by Friday, February 5, 2021.


SYS 1042, Information Security: Threat and Vulnerability Management

This policy will be effective February 1, 2022.

The purpose of SYS 1042, Information Security: Threat and Vulnerability Management is to establish the minimum requirements for vulnerability management, vulnerability scanning, patch management, threat intelligence and penetration testing of University of Wisconsin (UW) System information technology (IT) assets.

  • All University-owned or leased IT assets must have an operational process and technical enforcement for discovering, reviewing, reporting, and remediating vulnerabilities.

Institutions shall report and confirm compliance with this policy on an annual basis.


SYS 1042.A, Information Security: Threat and Vulnerability Management Standard

This procedure will be effective February 1, 2022.

The purpose of SYS 1042.A, Information Security: Threat and Vulnerability Management Standard is listed below.

  • Automated vulnerability scanning tool(s) must be run against University-owned or leased IT assets on a periodic basis commensurate with the asset's risk profile.
  • Penetration testing of University-owned information systems, services, and supporting infrastructure containing high-risk data must be conducted on a regular basis, and such testing must be performed by a qualified assessor.
  • UW institutions must conduct routine threat intelligence gathering and sharing.
  • UW institutions are responsible for maintaining a documented patch management program.

UW institutions are responsible for preparing and reporting documented vulnerability and patch management metrics.