The January 2022 institution policy distribution includes for comment four revised policies and four revised procedures. All revisions are part of technical amendments in the Information Security series.

Four (4) revised policies:

Four (4) revised procedures:

Click on the links above to view the drafts and ensure that your feedback is captured for review during the post-comment period. Comments can include attachments, including Word documents and PDFs. Please submit your feedback by Friday, February 4.

Please find summaries of the policies below.


DRAFT POLICY REVISIONS

SYS 1000, Information Security: General Terms and Definitions

The purpose of this policy is to provide a list of general terms and definitions that are used in the 1000 series of the UW System Administrative policy set. Revisions to the policy include:

  • Updated the policy and procedure links under Related Documents in section 7.
  • Added definitions from SYS 1037, SYS 1041, and SYS 1042 to section 5.


SYS 1037, Information Security: IT Disaster Recovery

This policy establishes the minimum requirements for an Information Technology (IT) Disaster Recovery (DR) Plan for UW System institutions and is designed to assist in executing recovery processes in response to a disaster or significant IT disruption. Revisions to the policy include:

  • Moved the following definitions from section 5 to SYS 1000 and updated the standard definition section language:
    • Data Backup
    • Disaster Recovery (DR) Plan
    • Recovery Time Objective (RTO)
    • Recovery Point Objective (RPO)


SYS 1041, Information Security: Logging and Monitoring

The purpose of this policy is to establish a consistent expectation of security logging and monitoring practices across the UW System to aid in the early identification and forensics of security events. Revisions to this policy include:

  • Moved the following definition from section 5 to SYS 1000:
    • High Impact System
  • Removed definition for IT Asset


SYS 1042, Information Security: Threat and Vulnerability Management

This policy establishes the minimum requirements for vulnerability management, vulnerability scanning, patch management, threat intelligence and penetration testing of UW System-owned or -leased IT assets. Revisions to the policy include:

  • Moved the following definitions from section 5 to SYS 1000:
    • Vulnerability Scanning
    • Vulnerability Management
    • Patch Management
    • Penetration Testing
    • IT Asset Owner

DRAFT PROCEDURE REVISIONS

SYS 1030.A, Information Security: Authentication

This procedure describes the minimum authentication standards that must be met by UW System institutions. Revisions to the procedure include:

  • In section 5 (Related Documents), updated NIST 800-53v4 reference to NIST 800-53v5


SYS 1031.A, Information Security: Data Classification Procedure

This procedure outlines a method to classify data according to risk to the UW System and assign responsibilities and roles that are applicable to data governance. Revisions to this procedure include:

  • In subsection 4.C, updated financial account number language to be consistent with s. 134.98, Wis. Stats.
  • Added link to Information Security Compensating Control Request Form to section 5, Related Documents.


SYS 1039.A, Information Security: Risk Management Procedure

This Information Security Risk Management (ISRM) procedure establishes the process for the management of information security risks faced by the institutions of the UW System. Revisions to the procedure include:

  • Updated NIST 800-53v4 reference in section 1 (Policy Purpose) and section 2 (Related Documents) to NIST 800-53v5


SYS 1042.A, Information Security: Threat and Vulnerability Management Standard

The purpose of this procedure is to establish the minimum requirements for vulnerability management, vulnerability scanning, patch management, threat intelligence and penetration testing of UW System-owned or -leased information. Revisions to this procedure include:

  • Updated the definition section language to conform with the rest of the SYS 1000 series policies

Revised Comment Form

In an effort to solicit more targeted feedback on policies, we have revised the comment form. The current version of the comment form for draft policies includes sections to indicate the nature of proposed revisions (substantive or technical) and to cite specific policy sections. All policies and procedures in this month’s distribution use the revised comment form.

Unfortunately, the IT issue that prevents submitted comments from displaying persists. While submitted comments are not displayed on the form page, our office is receiving all submitted feedback. We continue to work with IT and are hopeful that submitted comments will be displayed on the comment form again soon.