Policies Approved

Below is a list of policies that have been approved by President Cross:

Please find a detailed description of the approved policy revisions below:

SYS 1030, Information Security: Authentication

The effective date of this policy and the associated procedure is March 17, 2020.

Summary of Policy and Policy & Procedure Revisions

  • SYS 1030, Information Security: Authentication was updated to reference the Information Security Program Glossary. In an effort to reduce variations and inconsistency of definitions throughout different policies documents, OIS will begin referring users to the Information Security Program Glossary within our set of policies, standards, procedures, and guidelines. Definitions that are not listed in the Glossary will still appear within policy documents until the Information Security Program Glossary is updated (anticipated on an annual basis).
  • For SYS 1030.A, Information Security: Authentication Standard, a major re-organization and extensive content overhaul has been performed.
    • Procedure document is now referred to as a Standard (as denoted by the ‘Standard’ postfix in the title) to be consistent with industry norms, the State of Wisconsin Department of Administration, and other higher education institutions throughout the U.S. However, the format and layout of the document remains the same. Authentication procedures are to be developed by individual institutions in accordance with the UWSA Policy (1030) and Procedure (1030.A) documents.
    • Removed requirements for authentication systems to meet LoA2 entropy requirements; this is no longer recommended or supported as a federal or industry standard.
    • Password strength now focused on having a longer password vs. requiring complexity in passwords. This is to allow for use of passphrases and is consistent with the latest recommendations from NIST.
    • Secret change frequency.
    • For accounts that incorporate MFA into the all occurrences of internet-facing authenticators, secrets do not need to be changed on a scheduled basis.
    • When MFA is not incorporated into the authentication process, UWSA continues to recommend that secrets be changed on a frequent basis.
    • Includes a new section pertaining to the storage of user secrets.
    • Formal allowance for the use of password managers at the institution’s CIO’s discretion.

Resource Effect on Implementing

  • No additional resources are expected to be required to conform with this policy over the prior requirements. These updates provide additional flexibility to utilize modern authentication technologies and practices.

Affected Areas on Campuses

  • These changes affect all students, staff, and faculty across UW System.

Rationale

  • The policy was updated to conform to newest federal Authentication guidelines and industry standards. Provide institution additional flexibility to utilize modern authentication technologies.

Additional Communication

  • The updates to SYS 1030 and the related procedure SYS 1030.A are not set to take effect until 6 months after the approval date, to allow time for the finalization of the UW System Information Security Program Glossary. Until that date, institutions are expected to adhere to the currently published versions of the policy and procedure. PDF files of the newly approved documents will be made available on the current policy webpage until the effective date. Upon the effective date of March 17, 2020, the policy webpages will be updated to reflect the changes and additional communication will be made to institutions.