institution review

One policy, four procedures, and three proposed policy rescissions are included in the October 2019 SYS policy institutional review:

To view and comment on the policies, please click on the links above. Please submit your comments (which may include attachments such as word documents, PDFs, etc.) through the links above. Doing so ensures your feedback is captured and reviewed during the post-comment period.

The deadline to review and submit feedback for the policies, procedures, and rescissions via the comment form is Friday, November 8.

Please also note that the deadline for institutions to develop procedures to comply with Section 6 of SYS 363, Change Requests of Bank and Contact Information, is October 31, 2019.

SYS 363.A, Change Requests of Bank and Contact Information

This procedure will be effective upon approval.

Summary of Procedure and Procedure Revisions

  • This procedure outlines the processes through which changes to suppliers in the UW System’s shared financial system (SFS) are to be verified in compliance with SYS 363, Change Requests of Bank and Contact Information.
  • For changes to supplier bank and contact information, valid out-of-band verification must be obtained before a change can be made.
    Verification attempts must be properly documented in accordance with this procedure and attached to the supplier record change request.

SYS 363.B, Change Requests of Bank and Contact Information for Employees

This procedure will be effective upon approval.

Summary of Procedure and Procedure Revisions

  • This procedure outlines the processes through which changes to employee bank (direct deposit) and contact information in the UW System’s human resource systems are to be verified in compliance with SYS 363, Change Requests of Bank and Contact Information.
  • Employees should be encouraged to complete these actions through Employee Self-Service.
  • For in-person requests, staff must verify identity using picture identification.
  • For email or fax requests, valid out-of-band verification must be obtained before a change can be made.
  • All verification attempts must be properly documented in accordance with this procedure and attached to the employee’s payroll file.

Affected Areas on Campus

  • This procedure applies to all student, employee, and supplier contact and bank account information, regardless of the University of Wisconsin (UW) System institution that maintains the information.

Expectation of Campuses on UWSA Policy Reporting

  • UW System institutions must ensure adequate controls are in place when changes are made to student, employee, and supplier contact and bank account information.

Additional Communication

  • No further communication is planned at this time.

SYS 1031, Information Security: Data Classification and Protection

This policy will be effective April 2020.

Summary of Policy and Policy Revisions

  • Modifications to Definitions section:
    • Integrity added to definitions:
      • Definitions of Data Steward and Institutions now linked to the UW System Information Security Program
    • Data Classification definitions changed to:
      • High Risk: The loss of confidentiality, integrity or availability of data that could result in a significant or catastrophic impact to individuals, mission, assets, or operations of UW System.
      • Moderate Risk: The loss of confidentiality, integrity or availability of data that could result in a serious impact to individuals, mission, assets, or operations of UW System.
      • Low Risk: The loss of confidentiality, integrity or availability of data that could result in minimal impact to individuals, mission, assets or on the operations of UW System.
  • Modifications to Procedures section:
    • “Procedures” replaced with “Standards”
    • “Domains” replaced with “Institutions” in Data Steward section
    • FERPA defined as Family Educational Risk and Privacy Act
    • “Domain” replaced with “Sets”
    • “State of Wisconsin policies” replaced with “regulations”
  • Modifications to Related Documents section:
    • Added link to UW System Information Security Program

Affected Areas on Campuses

  • This policy applies to all University of Wisconsin System Data and should also be included in contracts with third party providers.

Additional Communication

  • A reminder will be sent to institutions prior to the effective date.

SYS 1031.A, Information Security: Data Classification Standard

This policy will be effective April 2020.

Summary of Procedure and Procedure Revisions

  • Modifications to Definitions section:
    • Definitions for “High”, “Moderate”, and “Low” removed and reference added to UW System Administrative Policy 1031
    • Definition for “Data Steward” removed and reference added to UW System Information Security Program
    • Definition for “Institution” removed
  • Modifications to Procedures section:
    • Added “These standards establish a minimum baseline for data classification across UW System”
    • Eliminated instructions for approval process for a substitute in compensating control.
    • “Annually” replaced with “365 days”
    • “Domains” replaced with “sets”
    • Added reference to PII
  • Modifications to Related Documents section:
    • Added link to UW System Information Security Program

SYS 1031.B, Information Security: Data Protection Standard

This policy will be effective April 2020.

Summary of Procedure and Procedure Revisions

  • Modifications to Definitions section:
    • Definitions for “High”, “Moderate”, and “Low” removed and reference added to UW System Administrative Policy 1031
    • Definition for “Compensating Control” removed
    • Definition for “Institution” removed
  • Modifications to Procedures section:
    • Descriptions minimized to one sentence “These following table establishes the minimum standards baseline for data handling”
    • “No restrictions” replaced with “minimum standards”
    • “Domain” replaced with “set”
    • “Offline” added to the secured location
  • Modifications to Related Documents section:
    • Added link to UW System Information Security Program

RESCISSION- SYS 505, Delegation of Responsibility and Authority for Purchasing

Background Summary of Policy

  • SYS 505 describes the delegation of purchasing authority by the Department of Administration (DOA) to an agency, as constrained by State Statutes, the Administrative Code, the State Procurement Manual, A110 Federal Acquisitions Rules, UWSA Procurement Policies and Procedures, and the Uniform Commercial Code.
  • The policy outlines the roles and responsibilities of the UWSA Procurement Director and Campus Purchasing Directors as specified by the DOA.

Rationale for Rescission

  • SYS 505 is superseded by SYS 521, Authority to Sign Procurement Contracts in the UW System, which incorporates the procurement authority granted by State Statutes to the Board of Regents and Board of Regents Procurement Policies.
  • Therefore, SYS 505 is being rescinded as its subject matter is incorporated in the newly approved SYS 521.

RESCISSION- SYS 1105, Laboratory and Classroom Modernization and General Computer/Network Access

Background Summary of Policy

  • SYS 1105, Laboratory and Classroom Modernization and General Computer/Network Access provides guidance on the types of projects that can utilize funding from the Laboratory Modernization Program (which began in 1985), Classroom Modernization (added in 1991), and General Computer Access Program (added in 1991).
  • It details the types of projects that may be undertaken under each program and the record keeping requirements for the purposes of oversight and future audits.

Rationale for Rescission

  • Funding for these programs was discontinued or merged into block grants given to campuses, with different restrictions and requirements.
  • SYS 1105 is therefore being rescinded, as its subject matter pertaining to the requirements for the above-listed programs is no longer applicable.

RESCISSION- SYS 1125, Advertising, Sponsorship and Links on the Internet

Background Summary of Policy

  • SYS 1125, Advertising, Sponsorship and Links on the Internet is concerned with balancing the benefits of advertising and sponsorship on the internet with potential reputational risk to the University.
    • Advertising- denotes the difference between academic and non-academic advertising, specifies when non-university advertising can be included in university electronic publications, and specifies domain name usage
    • Sponsorship- denotes the details that need to be provided to acknowledge a sponsorship
    • Links- lists requirements for linking from university electronic publications to other internet sites, including the needs for disclaimers

Rationale for Rescission

  • The policy was initially drafted in 2001, and in the intervening years the Internet and its practices have evolved so as to make this policy obsolete. While the policy addresses advertising, sponsorship and links on the internet, these topics are no longer related to Information Technology.
  • Advertising, Sponsorship, and Links utilize the internet as a medium, but in the modern day do not pose the same risk or require the same intervention as they did in 2001. These practices now fall more under the purview of communication and are not administered by IT.
  • The Office of Information Security has reviewed the policy and concurs with Information Technology’s decision to rescind SYS 1125 as any security concerns addressed in SYS 1125 are already addressed in existing Information Security policies or in policies currently being drafted.

Upcoming Institution Distribution Dates

Please see below for a listing of the upcoming distribution dates for the next three months:

November 2019 - Distribution: November 22 - Feedback Due: December 6
December 2019 - Distribution: December 20 - Feedback Due: January 10
January 2020 - Distribution: January 24 - Feedback Due: February 7