Original Issuance Date:  September 14, 2016

Last Revision Date:  July 31, 2017

1. Policy Purpose

The purpose of this policy is to ensure that all individuals and organizations that access University of Wisconsin System information technology assets are exposed to information security awareness materials and have a level of understanding commensurate with their role within the UW System.

2. Responsible UW System Officer

UW System Chief Information Officer (CIO)

3. Scope

This policy applies to any authorized individuals, including faculty, staff, students, other authorized users, and entities that have access to non-public University of Wisconsin System information. This policy does not cover members of the general public, who may have casual or incidental access to publicly accessible information technology resources made available by the UW System.

4. Background

The President of the University of Wisconsin System is empowered to establish information security policies under Regent Policy Document 25-5, Information Technology: Information Security. The UW System is committed to a secure information technology environment in support of its mission. The information security awareness training described within this policy is designed to help ensure satisfactory and consistent information security awareness throughout all UW System institutions.

5. Definitions

Low Risk Data: Data assets classified as being of low risk as defined in UW System Administrative Policy 1031, Information Security: Data Classification and Protection.

Moderate Risk Data: Data assets classified as being of moderate risk as defined in UW System Administrative Policy 1031, Information Security: Data Classification and Protection.

High Risk Data: Data assets classified as being of high risk as defined in UW System Administrative Policy 1031, Information Security: Data Classification and Protection.

Institutions: All four-year campuses of the UW System, UW Colleges, the University of Wisconsin-Extension, and UW System Administration.

6. Policy Statement

Any individuals or entities that have access to non-public low risk, moderate risk, or high risk data shall:

  1. Upon hire and annually thereafter, review Regent Policy Document 25-3, Acceptable Use of Information Technology Resources and Computing Devices, UW System Administrative Policy 1034, Information Security: Acceptable Use, and any applicable institutional Acceptable Use Policy.
  2. Annually complete information security awareness training that provides information on security best practices and their roles in protecting the university’s systems and data. All newly hired employees are required to complete the information security awareness training within 30 days of their initial hire date.

Students with access to only their own data will, on an annual basis:

a. Receive notification of Regent Policy Document 25-3, Acceptable Use of Information Technology Resources and Computing Devices, UW System Administrative Policy 1034, Information Security: Acceptable Use, and any applicable institutional Acceptable Use Policy.

b. Be provided access to information security awareness training that includes security best practices and their roles in protecting the university’s systems and data.

All contractors, consultants, and business partners are required to abide by UW System acceptable use policies when accessing the UW System’s information technology assets. Contracts, grants, and other engagement documents shall reflect this requirement.

The UW System CIO shall specify annual systemwide information security awareness training activities that clearly indicate that information security is an integral part of day-to-day activities. UW System institutions shall facilitate the systemwide training to the extent necessary. The systemwide activities must be reviewed and updated, as appropriate, on an annual basis.

Institutions shall supplement the systemwide information security awareness training, as appropriate, depending upon individuals’ roles and the risk classifications of the data they can access.

Institutions are responsible for ensuring that individuals and entities have access to and have completed the required training and may take appropriate action, including but not limited to the removal of access to UW System non-public data for those who have not completed training requirements.

Institutions shall foster additional broad-based information security awareness activities as they deem necessary through methods such as:

  • Websites
  • Email
  • Social media
  • In-person or online training sessions
  • Conferences or events
  • New employee or student orientations
  • Social engineering campaigns

 

7. Related Documents

Regent Policy Document 25-3, Acceptable Use of Information Technology Resources and Computing Devices
Regent Policy Document 25-5, Information Security
UW System Administrative Policy 1031, Information Security: Data Classification and Protection
UW System Administrative Policy 1034, Information Security: Acceptable Use

8. Policy History

Revision 1: July 31, 2017
First approved: September 14, 2016

9. Scheduled Review

July 2018
