June University Policy Distribution

As a reminder, the June university policy distribution contains three (3) revised policies and one (1) revised procedure.

Revised Policies

Revised Procedure

Click on the links above to view the drafts and ensure that your feedback is captured for review during the post-comment period. Comments can include attachments, including Word documents and PDFs. Comments are due by 5:00pm on Friday, July 11.


DRAFT REVISED POLICY

SYS 320, Internal Service Entities/Chargebacks 

These policy revisions will be effective upon signature by the president. 

Summary of Policy and Policy Revisions

The purpose of this policy is to standardize the methods of accounting for internal and external sales and services for University of Wisconsin (UW) System internal service departments. Proposed revisions are as follows:

  • Added policy sections to align with current SYS policy template, including Section 1, Policy Purpose; Section 2, Responsible UW System Officer; Section 3, Scope and Institutional Responsibilities; Section 5, Definitions; Section 7, Related Documents; Section 8, Policy History; and Section 9, Scheduled Review.
  • Removed Constraints section and moved content to Section 1.
  • Removed Procedures section and incorporated content into Section 6.
  • Throughout the policy, updated references to “internal service departments” to “internal service entities,” and references to “class codes” to “ledger account and revenue category.”
  • In the first paragraph of Section 6.A, updated accounting code for General Administration and Logistical Services included under Institutional Support to the new code in Workday.
  • In the second paragraph of Section 6.A, updated process for coding credits for interdepartmental transactions of internal service entities or storerooms which provide services to reflect the new process in Workday.
  • Moved information about sales and services of an auxiliary enterprise from Section 6.B to Section 6.A. Updated accounting code for Auxiliary Enterprises to the new code in Workday and updated process to new process in Workday.
  • In Section 6.A, added additional information about accounting for costs coded to internal service delivery expenses in Workday.
  • In Section 6.B, clarified the process for coding sales and services for departments funded by General Purpose Revenue (GPR) and for departments funded by Program Revenue (PR).

DRAFT REVISED POLICY

SYS 1042, Information Security: Threat and Vulnerability Management

These policy revisions will be effective 6 months after signature by the president. 

Summary of Policy and Policy Revisions

This policy and its accompanying procedure set expectations for how we identify and fix known security issues in our IT systems, keep software up to date, and stay aware of cyber threats, especially those targeting the higher education sector. This policy is being revised as part of a regularly scheduled review and to incorporate feedback received from campuses.

The most significant update to this policy is a shift to using a risk-based approach for vulnerability management. Rather than treating all technical issues the same, this approach helps campuses prioritize which vulnerabilities to address first based on how likely they are to be exploited, the potential impact, and how critical the affected systems are to operations. Previously, decisions were based mostly on external severity ratings, which don’t always reflect our specific campus environments; for example, whether a system is public-facing or supports essential services. This change supports more strategic use of time and resources and also aligns us with industry standards in this control area.

Finally, the remaining revisions primarily involve formatting, structural reorganization, and clarifications. For example, the original policy primarily referenced the procedure and lacked substantive standalone requirements; we’ve since moved key requirements into the policy itself where appropriate.

Proposed Policy Revisions:

  • Reorganized and clarified the Policy statements to introduce and distinguish the core elements of the threat and vulnerability management program, including vulnerability management, scanning, patch management, penetration testing, and threat intelligence. Previously, the policy primarily referenced the standard for these elements. Key policy-level statements have now been elevated from the standard into the policy itself, while detailed implementation requirements remain within the standard.
  • Improved the Background section to better reflect the policy’s alignment with the broader UW Information Security Program and evolving threat landscape.
  • Reformatted policy layout and structure for clarity and consistency with other SYS policies.

DRAFT REVISED POLICY

SYS 1212, Sick Leave

These policy revisions will be effective upon signature by the president. 

Summary of Policy and Policy Revisions

The purpose of this policy is to establish parameters for the administration of sick leave for all UW System employees. It covers sick leave eligibility, accrual, usage, and reporting.

This is a Workday-related update. Proposed revisions are as follows:

  • In Sections 6.G.VI and 6.G.VII, add the requirement that FLSA-exempt university staff submit a monthly no-leave-taken report in the same manner as other FLSA-exempt employee groups (Faculty, Academic Staff, Limited Appointees).
    • FLSA-exempt university staff are not subject to the sick leave accrual penalty for non-compliance, as the related statute does not specifically identify their employee category (see Wis. Stat. §40.05(4)(bp)).
    • This revision is tied to Workday’s rule system for leave management and the timekeeping treatment of FLSA-exempt vs. FLSA non-exempt employees. FLSA-exempt university staff will receive reminders to certify no-leave-taken, but will not be subject to the statutory sick leave accrual cap.

DRAFT REVISED PROCEDURE

SYS 1042.A, Information Security: Threat and Vulnerability Management Standard

These policy revisions will be effective 6 months after signature by the vice president for finance and administration. 

Summary of Procedure and Procedure Revisions

This procedure supports the policy SYS 1042, Information Security: Threat and Vulnerability Management, and sets expectations for how we identify and fix known security issues in our IT systems, keep software up to date, and stay aware of cyber threats, especially those targeting the higher education sector.

Proposed Procedure (Standard) Revisions:

  • Removed the following sections:
    • A Roles and Responsibilities – Defining roles and responsibilities in a standardized way is challenging across campuses due to variations in organizational structure and how responsibilities are assigned.
    • B.VI Documentation and Metrics – Documentation and metric requirements are now incorporated, where appropriate, into each respective policy and standard section.
  • Emphasized a risk-based approach to vulnerability management, prioritizing remediation based on likelihood and impact of exploitation, asset criticality, and operational context.
  • Clarified that remediation timelines begin upon initial detection and availability of a patch or viable mitigation.
  • Clarified that authenticated vulnerability scanning is a recommended best practice, with specific guidance on when it is recommended.
  • Reformatted standard layout and structure for clarity and consistency with other SYS policies.

June Policy Action Summary

Please find attached the July 2025 Policy Action Summary memo (PDF). It details policy work completed between June 9 and July 3, 2025. There were two (2) new, four (4) revised, and seven (7) rescinded UW System Administrative Policies, as well as one (1) new UW System Guidelines Document.

New UW System Administrative Policies

Revised UW System Administrative Policies

Rescinded UW System Administrative Policies

New UW System Administrative Guidance

*denotes first notice of approval


Upcoming Policy Effective Dates 

The following policy revisions were previously approved by President Rothman and have upcoming effective dates. Please review the revisions in preparation for the upcoming effective date.

The policy and procedure below have an effective date of August 1, 2025:


Federal Fridays 

The Universities of Wisconsin Federal Update Working group has a Federal Updates web page for the public to learn about the federal issues the UW is monitoring. The site provides a dashboard view of the various issues organized by topic, with a summary and links related to the topic.