July Policy Action Summary

Please find attached the July Policy Action Summary. It details policy work completed between June 11, 2021 and July 16, 2021. This includes:

  • one (1) revised interim policy action;
  • one (1) new system administrative policy;
  • seven (7) revised system administrative policies;
  • one (1) revised system administrative procedure; and
  • one (1) rescinded system administrative policy.

Additional details and a listing of policies in the final revision stages can be found in the memo below:

July Policy Action Summary pdf

Operational and Information Security Policy Approvals

On July 14, 2021, President Thompson approved a technical revision to the policy SYS 3, Development, Revision, and Approval of Finance and General Administration Policies and Procedures.

On July 14, 2021, President Thompson also approved a substantive revision to SYS 1032, Information Security: Awareness.

For more information, see the summaries below.


SYS 3, Development, Revision, and Approval of Finance and General Administration Policies and Procedures

The revisions to this policy are effective on approval.

Summary of Policy and Policy Revisions

  • The revisions to this policy incorporate the Office of Compliance & Integrity into the Finance and General Administrative Policy Committee.
  • In Section 4, “compliance and integrity” will be added to the listing of UW System operations governed by the Finance and General Administration policies.
  • In Section 5, the Office of Compliance & Integrity will be added to the membership list in the definition for the Finance and General Administration Policy Committee (FGAPC).

Affected Areas on Campuses

  • This policy applies to all System Administrative Policies except for those in the 100 Series: Academic & Student Affairs. It does not apply to RPDs or institution-specific policies, procedures, or guidelines.

Campus Implementation

  • This policy does not apply to RPDs or institution-specific policies, procedures, or guidelines.

Additional Communication

  • No additional communication was planned at this time.

SYS 1032, Information Security: Awareness

These policy revisions will go into effect upon approval.

Summary of Policy and Policy Revisions

  • The policy ensures that all individuals who interact with non-public University of Wisconsin (UW) System information technology assets are exposed to information security awareness materials commensurate with their role within the UW System. The policy was revised in the following ways:
    • The policy has been broken out into two sections: Security Awareness Training and Phishing Simulations.
    • Security awareness training revisions include:
      • Removes the requirement that security awareness training be completed every fiscal year. Adds a new requirement that security awareness training be completed within the timeframe prescribed and that employees be assigned training at least annually. This change was made to provide flexibility for use of micro-trainings rather than a single, long comprehensive training.
      • New employees are still expected to take security awareness training within 30 days of the employee’s initial hire date.
      • Adds consequences for failure to take assigned training within prescribed timeframes, including restricting the employee’s access to university resources.
      • Recommends institutions supplement systemwide security awareness training(s) with role-based training commensurate with the employee’s role within the organization.
      • Removes policy language allowing institutions to request proof that security awareness training was taken at a different institution. This tracking issue was resolved via changes in UW’s Human Resources System.
      • Adds a requirement to incorporate security awareness training requirements into contracts and agreements with third parties, where possible.
    • Phishing simulation policy additions:
      • Adds a requirement that phishing simulations be conducted for all UW employees.
      • Adds a requirement that employees be enrolled in supplemental phishing training following three failed phishing simulations within a given calendar year. Supplemental phishing training shall be completed within 30 days or the employee risks having their access to university resources restricted until successful completion of training.

Affected Areas on Campuses

  • This policy applies to authorized users who are issued digital credentials to access non-public information technology (IT) digital resources under the control of the UW System.
  • The (Chief) Information Officer, or their designee, will be responsible for communicating these policy changes at their institution, as appropriate.

Expectation of Campuses on UWSA Policy Reporting

  • Campuses will be expected to report compliance with this policy in accordance with President Thompson’s February 8, 2021 Information Security Actions memo.

Additional Communication

  • Further guidance will be communicated by the University of Wisconsin System Administration Office of Information Security to the Council of Chief Information Officers and Technology and Information Security Council.

Policy Effective Dates Reminders

There are a number of previously approved policies that have upcoming effective dates in the next two months. Please review the list of policies below and visit the links to familiarize yourself with the content that will be coming into effect. If you have questions about implementation leading up to the effective date, please contact the policy owner for more information and clarification.

The following policies will be effective on Sunday, July 18, 2021:

The policy below will go into effect on Sunday, August 1, 2021:

The following policies will be effective on Wednesday, September 1, 2021: