June Policy Action Summary
Please find attached the June Policy Action Summary. It details policy work completed between May 14, 2021 and June 11, 2021. This includes:
- one (1) new interim policy action;
- three (3) new UW System administrative policies;
- one (1) new UW System administrative procedure;
- one(1) revised UW System administrative policy; and
- four (4) expiring interim policy actions.
Additional details can be found in the memo below.
Information Security Policy Approval
On June 9, 2021, President Thompson approved the new System Administrative Policy SYS 1041, Information Security: Logging and Monitoring. This policy will go into effect on July 1, 2022.
For more information, see the summary below.
This policy will go into effect on July 1, 2022.
Summary of Policy
- The purpose of this policy is to establish a logging and monitoring program for computer security-related information within the University of Wisconsin (UW) System to aid in the early identification and forensics of security events and to establish the groundwork necessary for Information Technology as a Service (ITaaS) security operations, such as security monitoring and threat hunting.
- Establishes requirements to ensure hosts and network equipment have logging enabled and logs are readily available for 30 days.
- Establishes expectations for managed logging of security events for high impact systems.
- Establishes requirements for the security of logs to protect the confidentiality, integrity and availability to necessary personnel.
- Establishes minimum retention requirements for logs within scope of this policy.
Affected Areas on Campuses
- The Chief Information Officer at each institution, or their designee, will be responsible for communication of these policy requirements and monitoring progress with any institutional initiatives or changes necessary to align with this policy.
- This policy applies to all IT environments managed by an institution. Specifically, this policy applies to High Impact Systems or systems that require special attention to security due to increased risk of harm resulting from loss, misuse, or unauthorized access to or modification of information or configurations therein. Cloud-based, externally hosted systems and services should be included within scope where practical.
- Institutions will be expected to report on the following to the UWSA Office of Information Security:
- Progress towards ensuring all hosts and network equipment within scope of this policy have logging enabled and allowing for logs to be retained for 30 days
- Progress towards the identification of computer security-related logs of high impact systems that should be monitored to protect the confidentiality, integrity and availability of the systems
- Progress towards compilation of logs from high impact systems to an institution-identified managed logging service
- Progress towards the development and implementation of process(es) to review logs and security events for identification of anomalies and suspicious activity
- Financial resources may be required by all UW institutions to provide the technology and storage capacity necessary to operationalize this policy. The estimates vary considerably and may also require additional staffing to develop and maintain solutions for this effort, including staff time for initial configuration and ongoing care and feeding of logs, setting up alerts, monitoring and investigation of alerts and events, and training of systems.
- Reminder communications will go out 6 months prior to effective date and additional implementation collaboration is expected between the publishing office and institutional security officers.
Policy Feedback Reminder
As a reminder, there is one policy from the April Policy Distribution still out for comment, listed below:
The policy above has a 60-day comment period. Submit feedback for this policy by Wednesday, June 23, 2021.
Click on the link above to view the draft and ensure that your feedback is captured for review during the post-comment period. Comments can include attachments, including word documents and PDFs. See a brief summary of the proposed revisions below.
Feedback on this policy is due Wednesday, June 23.
This policy will be effective upon approval.
As a result of the recent Regent policy update and rescission of the Board academic calendar policy, it became necessary to review and update the System academic calendar policy. A review of the current system academic calendar resulted in the decision to eliminate material in the policy that is not related to the academic calendar. After consultation with the UW System Office of General Counsel & UW System Human Recourses and the creation of a policy analysis crosswalk with other system policies, several components of the policy were recommended for elimination. The rationale for these revisions is to make clear the UW System adoption of the federal credit hour definition as a guiding principle for our institutions.