This policy was repealed as of July 31, 2017 see the notice.

Original Issuance Date: September 14, 2016
Last Revision Date: September 14, 2016

1. Purpose of Procedures

The purpose of these procedures is to define the methodology for information security awareness training as required by the information security policies of the University of Wisconsin System.

2. Responsible UW System Officer

UW System Chief Information Officer (CIO)

3. Definitions

Moderate Risk Data: Data assets classified as being of moderate risk as defined in UW System Administrative Policy 1031, Information Security: Data Classification.

High Risk Data: Data assets with classified as being of high risk as defined in UW System Administrative Policy 1031, Information Security: Data Classification.

Compensating Control: A data security measure that is designed to satisfy the requirement for some other security measure that is deemed too difficult or impractical to implement and that meets the intent and rigor of the original control.

Institutions: All four year campuses of the UW System, UW Colleges, the University of Wisconsin- Extension, and UW System Administration.

4. Procedures

These procedures establish a minimum baseline for information security awareness training. It may be permissible to substitute a compensating control for a particular item below provided it meets the intent and rigor of the original control. Compensating controls and their rationale must be documented in writing and submitted by the institutional CIO to the UW System CIO for approval. If there are any concerns, the two CIOs will engage with subject matter experts as needed. Resolution will be documented by the UW System CIO and forwarded to the institutional CIO.

  1. Information Security awareness may be delivered through multiple or combination of methods. Examples of such methods are:
    • An information security website
    • Information provided via mass email
    • Information security awareness training sessions
    • Information provided via new employee orientation
    • Awareness campaign such as targeted phishing or other social engineering methods
    • Online information security awareness training
  2. UW System institutions must track their covered parties with access to moderate and high risk data for:
    1. Acceptance of the UW System Acceptable Use Policy and any applicable institution Acceptable Use Policy.
    2. Completion of all required information security awareness course(s).
    3. Notification to all contractors, consultants and business partners that they are required to abide by UW System acceptable use policies prior to being given access to university systems and data resources, when possible.
  3. UW System institutions will follow-up with individuals and entities who have not completed the training and may take appropriate action, including but not limited to the removal of access to UW System non-public data until such requirements have been met.
  4. UW System institutions must provide for their students who have access to only their own data:
    1. Notification of the UW System Acceptable Use Policy and any applicable campus Acceptable Use Policy.
    2. Access to information security awareness training.
  5. UW System institutions will update the Information Security Awareness training annually to include recent best practices.
  6. UW System institutions will promote information security as an integral part of their day-to-day activities and as appropriate to the role and covers applicable laws, regulations, and industry standards.

5. Related Documents

Regent Policy Document 25-5, Information Security
UW System Administrative Policy 1031, Information Security: Data Classification
UW System Administrative Policy 1032, Information Security: Awareness

6. History

First approved: September 14, 2016
'