UW SYSTEM ADMINISTRATIVE POLICY DISTRIBUTION

Key Updates

University Personnel System Policies

The University Personnel Systems (UPS) policies have been successfully integrated into the UW System Administrative (SYS) policy framework as the SYS 1200 series. This process resulted in no substantive changes to the policies, and they continue to apply to all UW institutions other than UW-Madison. Future changes to the UPS policies will go through the regular SYS policy review process.

Practice directives are housed on the UW System Office of Human Resources’ website and can be found here. Practice directives may have been UPS policies, appendices, or other tools intended to be used as a reference point informing practice at institutions. The UW System Office of Human Resources will update them periodically.

Please see the SYS 1200 And Practice Directives Policy References for a table that demonstrates the new numbering scheme for the SYS 1200 series as it relates to the old UPS numbering. For more detailed information regarding the integration process, please see Chief Human Resources Officers UPS Update.

INSTITUTION REVIEW

There are two policies and one procedure included in the July 2019 SYS institution distribution. The deadline to review and submit feedback via the comment form on the policies’ web page is Friday, August 2.

SYS 3XX, Change Requests of Bank and Contact Information

The effective date of the policy depends on feedback and comments received by the Finance and General Administrative Policy Committee and institutions.

Summary of Policy and Policy Revisions

  • SYS 3XX, Change Requests of Bank and Contact Information, is a new policy which establishes standard processes for verifying student, employee, and vendor contact and bank account information when change requests are received.

Affected Areas on Campuses

  • Each UW System institution’s Office of Finance is expected to communicate this policy across its campus.
  • This policy applies to all student, employee, and vendor contact and bank account information that is maintained by a UW System institution.

Expectation of Campuses on UWSA Policy Reporting

  • UW System institutions are to ensure that adequate controls are in place when changes are made to student, employee, and vendor contact and bank account information, including those set forth in the policy.
  • UW System Administration will develop written procedures for out-of-band verification for the UW System’s shared financial and payroll/benefit systems.
  • Each UW System institution must develop written procedures for how out-of-band verification will be completed for information within its student information system and any other system containing contact and bank account information.

Additional Communication

  • No further communication planned at this time.

SYS 1030, Information Security: Authentication

Below please find a summary of the proposed revisions. For a more detailed description of the affected areas on campuses, expectation of campuses on UWSA policy reporting, and planned additional communication, please see the summary document at the top of the policy draft.

Summary of Policy and Policy Revisions

  • SYS 1030, Information Security: Authentication, establishes specific minimum standards for authentication across the University of Wisconsin System. The policy is designed to ensure that the UW System manages authentication in a consistent manner and to appropriately safeguard account-based access to information assets.
    • In an effort to reduce variations and inconsistency of definitions across different policy documents, the UW System Office of Information Security will begin referring users to the Information Security Program Glossary within our set of policies, procedures, and guidelines. Definitions that are not listed in the Glossary will still appear within policy documents until the Information Security Program Glossary is updated (anticipated on an annual basis).
      • Section 5. Definitions was revised to reflect this change.

SYS 1030.A, Information Security: Authentication Standard

Below please find a summary of the proposed revisions. For a more detailed description of the affected areas on campuses, expectation of campuses on UWSA policy reporting, and planned additional communication, please see the summary document at the top of the procedure draft.

Summary of Policy and Policy Revisions

  • SYS 1030.A, Information Security: Authentication Standard, describes the minimum authentication standards that must be met by University of Wisconsin System institutions.
    • A major re-organization and extensive content overhaul of SYS 1030.A, Information Security: Authentication Standard, has been performed. Therefore, this revision should be reviewed in its entirety and no ‘tracked-changes’ version of the document will be provided. A description of the changes can be found below:
      • The procedure title was changed to SYS 1030.A, Information Security: Authentication Standard, to be clear that the procedure is a standard that must be met. Authentication procedures are to be developed by individual institutions in accordance with SYS 1030, Information Security: Authentication, and SYS 1030.A, Information Security: Authentication Standard.
      • Removed requirements for authentication systems to meet LoA2 entropy requirements; this is no longer recommended or supported as a federal or industry standard.
      • Password strength is now focused on having a longer password rather than requiring complexity in passwords. This is to allow for use of passphrases and is consistent with the latest recommendations from NIST.
      • Password change frequency
        • For accounts that incorporate MFA into the authentication process, passwords do not need to be changed on a scheduled basis.
        • When MFA is not incorporated into the authentication process, UW System Administration continues to recommend that passwords be changed on a frequent basis.
      • Includes a new section pertaining to the storage of user passwords and passphrases.
        • Formal allowance for the use of password managers at the institution’s ISO or CISO’s discretion.