Policy Updates

An Administrative Policy Development page has been added under Policy Resources on the UW System Administrative Policies & Procedures page. The Administrative Policy Development page describes the UWSA policy development process, including the institution distribution schedule, the policy prioritization and review process, and the specific roles and responsibilities involved in the policy process.

Policies Approved

On March 29, 2019, President Cross approved SYS 350, Payment Card Compliance Policy.

On April 11, 2019, President Cross approved SYS 1032, Information Security: Awareness.

Please find a detailed description of the approved policy revisions below:

SYS 350, Payment Card Compliance Policy

The effective date to comply with the service provider requirements is September 30, 2019. This gives campuses about six months after the March 29th approval date to become compliant with that element of the policy.

Summary of Policy and Policy Revisions

  • SYS 350, Payment Card Compliance Policy, provides guidance and procedures to prevent loss or disclosure of cardholder data. Due to the relationship with some third-party entities, UW institutions may find it cost beneficial to allow these entities to remain on the UW network and comply with Service Provider requirements defined by the PCI DSS. This policy revision allows institutions to implement the information security measures needed to do so.
    • Language was revised throughout the document in order to provide additional clarification.
    • A definition for Qualified Security Assessor was added and the Payment Card definition was revised.
    • Language was revised in Section 6.A: Accepting Payments via Payments Cards to describe the Service Provider requirements needed in order to allow for third-party entities to remain on the UW network.

Affected Areas on Campuses

  • The UW System Office of Financial Administration will be responsible for communicating the policy provisions to institutions.
  • The following general units/functions on campuses are affected by the policy revision:
    • Chief Business Officers
    • Controllers
    • Chief Information Officers

Expectation of Campuses on UWSA policy reporting

  • The policy does not provide flexibility for campuses to tailor it specifically to their institution.

Additional Communication

  • On request, trainings may be provided. These trainings may cost the institution.

SYS 1032, Information Security: Awareness

The effective date of the policy is April 11, 2019.

Summary of Policy and Policy Revisions

  • The policy is to ensure that all employees and students who access University of Wisconsin (UW) System information technology assets are exposed to information security awareness materials commensurate with their role within the UW System. The policy was revised in the following ways:
    • Scope revised to be more specific about the audience; unenforceable language regarding a level of understanding was removed
    • Changed responsible UW System officer to AVP for Information Security
    • Defined digital credentials, employee, and non-public information technology resources. Removed definitions for low-, moderate-, and high-risk data. Adjusted definition for institution to reflect UW Colleges and UW Extension reorganization
    • Revised policy statement to specify timeframe for completion of security awareness training (fiscally)
    • Updated policy title for RPD 25-3 to current policy title, throughout document
    • Removed language requiring contractors, consultants, and business partners to abide by RPD 25-3. This requirement should be included in RPD 25-3, if at all
    • Added language that employees who are employed by more than one UW institution are only required to take security awareness training at one institution
    • Other grammatical and sentence structure changes to promote a consistent message throughout the policy

Affected Areas on Campuses

  • The UW System Office for Information Security is responsible for communicating the policy to campuses. The policy applies to authorized users who are issued digital credentials to access non-public IT digital resources under the control of UW System.
  • The following general units/functions on campus are affected by the policy revisions:
    • Staff
    • Faculty
    • Student Employees

Expectation of Campuses on UWSA policy reporting

  • Institutions are given limited flexibility when implementing the policy. Institutions are given leeway in how to implement the training requirement described in the policy.

Additional Communication

No additional communication is currently planned.