June University Policy Distribution
As a reminder, the June university policy distribution contains three (3) revised policies and one (1) revised procedure.
Revised Policies
- SYS 320, Internal Service Entities/Chargebacks
- SYS 1042, Information Security: Threat and Vulnerability Management
- SYS 1212, Sick Leave
Revised Procedure
- SYS 1042.A, Information Security: Threat and Vulnerability Management Standard
Click on the links above to view the drafts and ensure that your feedback is captured for review during the post-comment period. Comments can include attachments, including word documents and PDFs. Comments are due by 5:00pm on Friday, July 11.
DRAFT REVISED POLICY
SYS 320, Internal Service Entities/Chargebacks
These policy revisions will be effective upon signature by the president.
Summary of Policy and Policy Revisions
The purpose of this policy is to standardize the methods of accounting for internal and external sales and services for University of Wisconsin (UW) System internal service departments. Proposed revisions are as follows:
- Added policy sections to align with current SYS policy template, including Section 1, Policy Purpose; Section 2, Responsible UW System Officer; Section 3, Scope and Institutional Responsibilities; Section 5, Definitions; Section 7, Related Documents; Section 8, Policy History; and Section 9, Scheduled Review.
- Removed Constraints section and moved content to Section 1.
- Removed Procedures section and incorporated content into Section 6.
- Throughout the policy, updated references to “internal service departments” to “internal service entities,” and references to “class codes” to “ledger account and revenue category.”
- In the first paragraph of Section 6.A, updated accounting code for General Administration and Logistical Services included under Institutional Support to the new code in Workday.
- In the second paragraph of Section 6.A, updated process for coding credits for interdepartmental transactions of internal service entities or storerooms which provide services to reflect the new process in Workday.
- Moved information about sales and services of an auxiliary enterprise from Section 6.B to Section 6.A. Updated accounting code for Auxiliary Enterprises to the new code in Workday and updated process to new process in Workday.
- In Section 6.A, added additional information about accounting for costs coded to internal service delivery expenses in Workday.
- In Section 6.B, clarified the process for coding sales and services for departments funded by General Purpose Revenue (GPR) and for departments funded by Program Revenue (PR).
DRAFT REVISED POLICY
SYS 1042, Information Security: Threat and Vulnerability Management
These policy revisions will be effective 6 months after signature by the president.
Summary of Policy and Policy Revisions
This policy and accompanying procedure sets expectations for how we identify and fix known security issues in our IT systems, keep software up to date, and stay aware of cyber threats; especially those targeting the higher education sector. This policy is being revised as part of a regularly scheduled review and to incorporate feedback received from campuses.
The most significant update to this policy is a shift to using a risk-based approach for vulnerability management. Rather than treating all technical issues the same, this approach helps campuses prioritize which vulnerabilities to address first based on how likely they are to be exploited, the potential impact, and how critical the affected systems are to operations. Previously, decisions were based mostly on external severity ratings, which don’t always reflect our specific campus environments; for example, whether a system is public-facing or supports essential services. This change supports more strategic use of time and resources and also aligns us with industry standards in this control area.
Finally, the remaining revisions primarily involve formatting, structural reorganization, and clarifications. For example, the original policy primarily referenced the procedure and lacked substantive standalone requirements; we’ve since moved key requirements into the policy itself where appropriate.
Proposed Policy Revisions:
- Reorganized and clarified the Policy statements to introduce and distinguish the core elements of the threat and vulnerability management program, including vulnerability management, scanning, patch management, penetration testing, and threat intelligence. Previously, the policy primarily referenced the standard for these elements. Key policy-level statements have now been elevated from the standard into the policy itself, while detailed implementation requirements remain within the standard.
- Improved the Background section to better reflect the policy’s alignment with the broader UW Information Security Program and evolving threat landscape.
- Reformatted policy layout and structure for clarity and consistency with other SYS policies.
DRAFT REVISED POLICY
SYS 1212, Sick Leave
These policy revisions will be effective upon signature by the president.
Summary of Policy and Policy Revisions
The purpose of this policy is to establish parameters for the administration of sick leave for all UW System employees. It covers sick leave eligibility, accrual, usage, and reporting.
This is a Workday-related update. Proposed revisions are as follows:
- In Sections 6.G.VI and 6.G.VII, add the requirement that FLSA-exempt university staff submit a monthly no-leave-taken report in the same manner as other FLSA-exempt employee groups (Faculty, Academic Staff, Limited Appointees).
- FLSA-Exempt university staff are not subject to the sick leave accrual penalty for non-compliance, as the related statute does not specifically identify their employee category (See Wis. Stat. §40.05(4)(bp).)
- This revision is tied to Workday’s rule system for leave management and the timekeeping treatment of FLSA exempt vs. FLSA non-exempt employees. FLSA-exempt university staff will receive reminders to certify no-leave-taken, but will not be subject to the statutory sick leave accrual cap.
DRAFT REVISED PROCEDURE
SYS 1042.A, Information Security: Threat and Vulnerability Management Standard
These policy revisions will be effective 6 months after signature by the vice president for finance and administration.
Summary of Procedure and Procedure Revisions
This procedure supports the policy SYS 1042, Information Security: Threat and Vulnerability Management and sets expectations for how we identify and fix known security issues in our IT systems, keep software up to date, and stay aware of cyber threats; especially those targeting the higher education sector.
Proposed Procedure (Standard) Revisions:
- Removed the following sections:
- A Roles and Responsibilities – Defining roles and responsibilities in a standardized way is challenging across campuses due to variations in organizational structure and how responsibilities are assigned.
- B.VI Documentation and Metrics – Documentation and metric requirements are now incorporated, where appropriate, into each respective policy and standard section.
- Emphasized a risk-based approach to vulnerability management, prioritizing remediation based on likelihood and impact of exploitation, asset criticality, and operational context.
- Clarified that remediation timelines begin upon initial detection and availability of a patch or viable mitigation.
- Clarified authenticated vulnerability scanning is a recommended best practice, with specific guidance on when it is recommended.
- Reformatted standard layout and structure for clarity and consistency with other SYS policies.
June Policy Action Summary
Please find attached the memo. It details policy work completed between June 9 and July 3, 2025. There were two (2) new, four (4) revised, and seven (7) rescinded UW System Administrative Policies, as well as one (1) new UW System Guidelines Document.
New UW System Administrative Policies
- SYS 195, Institutional Statements (approved June 16, 2025)
- SYS 405, Universities of Wisconsin Travel and Expense Policy (approved June 12, 2025; effective July 1, 2025)
Revised UW System Administrative Policies
- SYS 232, Benefit Prepay Deductions and Short Work Break Benefits Eligibility (approved July 3, 2025)*
- SYS 435, Universities of Wisconsin Business Meals and Expense (approved June 12, 2025; effective July 1, 2025)
- SYS 1275, Recruitment Policies (approved June 25, 2025)*
- SYS 1315, Patents and Inventions (approved June 17, 2025)
Rescinded UW System Administrative Policies
- SYS 405, Travel and Expense – General Travel & Expense Policy (approved June 12, 2025; effective July 1, 2025)
- SYS 410, Purchase & Payment of Business Air Travel (approved June 12, 2025; effective July 1, 2025)
- SYS 415, Purchase & Payment of Lodging (approved June 12, 2025; effective July 1, 2025)
- SYS 420, Travel & Expense – Meal and Incidental Expense (M&IE) Per Diem Allowance Reimbursements (approved June 12, 2025; effective July 1, 2025)
- SYS 425, Use of Personal Vehicles, Rental Case and Fleet for Business Transportation (approved June 12, 2025; effective July 1, 2025)
- SYS 430, Travel & Expense – Purchase & Payment Miscellaneous Travel Expenses (approved June 12, 2025; effective July 1, 2025)
- SYS 616, University of Wisconsin Student Drivers Under the State’s Liability Protection (approved June 18, 2025)
New UW System Administrative Guidance
*denotes first notice of approval
Upcoming Policy Effective Dates
The following policy revisions were previously approved by President Rothman and have upcoming effective dates. Please review the revisions in preparation for the upcoming effective date.
The policy and procedure below have an effective date of August 1, 2025:
- SYS 1037, Information Security: IT Disaster Recovery (approved February 11, 2025)
- SYS 1037.A, Information Security: IT Disaster Recovery Standard (approved February 11, 2025)
Federal Fridays
The Universities of Wisconsin Federal Update Working group has a Federal Updates web page for the public to learn about the federal issues the UW is monitoring. The site provides a dashboard view of the various issues organized by topic, with a summary and links related to the topic.