Original Issuance Date: July 31, 2017
Last Revision Date: July 31, 2017

1. Purpose of Procedures

The purpose of these procedures is to define the specific data handling methods employed in the day-to-day operations of systems that are subject to the information security policies of the University of Wisconsin System.

2. Responsible UW System Officer

UW System Chief Information Officer (CIO)

3. Definitions

Low Risk Data: Data assets classified as being of low risk as defined in UW System Administrative Policy 1031, Information Security: Data Classification and Protection.

Moderate Risk Data: Data assets classified as being of moderate risk as defined in UW System Administrative Policy 1031, Information Security: Data Classification and Protection.

High Risk Data: Data assets classified as being of high risk as defined in UW System Administrative Policy 1031, Information Security: Data Classification and Protection.

Compensating Control: A data security measure that is designed to satisfy the requirement for some other security measure that is deemed too difficult or impractical to implement and that meets the intent and rigor of the original control.

Institutions: All four-year UW System campuses, UW Colleges, the University of Wisconsin-Extension On-line Learning and UW System Administration.

4. Procedures

These procedures establish a minimum baseline for data handling on all current and future systems. It may be permissible to substitute a compensating control for a particular item below, provided it meets the rigor and intent of the original control. Compensating controls and their rationale must be documented in writing and submitted by the institutional CIO(s) to the UW System CIO for approval. If there are any concerns, the CIOs will engage with subject matter experts as needed. Resolution will be documented by the UW System CIO and forwarded to the institutional CIO(s).

Data Handling and Control Areas

Access Controls (incl. Request for Data Access)
  Low Risk (Public) Data: Access to view low risk data does not require authentication. Access to modify low risk data must use authentication methods that meet the requirements of UW System Administrative Policy 1030, Information Security: Authentication, and its associated procedure.
  Moderate Risk Data: Access to view or modify is restricted to authorized individuals. Remote access by third party for technical support is limited to authenticated and authorized access via secure protocols.
  High Risk Data: Access is limited to end users and administrators who have been designated by the appropriate Data Steward or similar position. Remote access by third party for technical support is limited to authenticated and authorized access via secure protocols. Authorization and authentication are required for access. Multi-factor authentication is required. Confidentiality requirements must be established and disseminated to appropriate parties. Data must be encrypted in transit and at rest.

Copying/Printing/Transmission
  Low Risk (Public) Data: No restrictions.
  Moderate Risk Data: Data distribution must be limited to individuals whose role requires access to the data domain and who have authorization to access the data domain.
  High Risk Data: Data distribution must be limited to as few individuals as feasible whose role requires access to the data domain and who have authorization to access the data domain. Hard copies must not be left unattended and must be stored in a secure location. Data must be encrypted in transit and at rest, and all parties must be authenticated.

Network Security
  Low Risk (Public) Data: No restrictions.
  Moderate Risk Data: Defense in depth must be used, including two of the three following controls:
    1. Network firewall protection, including port restriction, protocol restriction or IP address Access Control Lists (ACL)
    2. Single factor authentication, such as username/password
    3. Comprehensive intrusion detection and intrusion prevention, including advanced logging of all attempted access to network resources, or Advanced Threat Protection (ATP)
  High Risk Data: In addition to the moderate controls, protection with a network firewall is required. Network access to a system or server hosting the data must be limited to the minimum necessary.

System Security
  Low Risk (Public) Data: No restrictions.
  Moderate Risk Data: System administrators shall follow any system security procedures established by the institution as well as operating system-specific best practices for system management and security.
  High Risk Data: System administrators shall follow any system security procedures established by the institution as well as operating system-specific best practices for system management and security. Protection with a firewall is required.

Physical Security
  Low Risk (Public) Data: No restrictions.
  Moderate Risk Data: Data must be masked from casual view to prevent unauthorized access. Hardcopy files must be properly marked and stored in a locked cabinet.
  High Risk Data: System must be locked or logged out when unattended. Storage must be in a secured location.

Data Storage
  Low Risk (Public) Data: No restrictions.
  Moderate Risk Data: Data must be stored in an institution or UW-System provided cloud storage service or data center. Individuals and departments should not select storage providers or technologies without institution or UW System approval. If data are stored on an individual workstation or mobile device, encryption is required. Hard copies must not be left unattended and must be stored in a secure location.
  High Risk Data: Data must be stored in an institution or UW-System provided cloud storage service or data center. Individuals and departments should not select storage providers or technologies without institution or UW System approval. If data are stored on an individual workstation or mobile device, encryption is required. Hard copies must not be left unattended and must be stored in a secure location. All devices that access high risk data must be managed in an institution or UW-System approved manner.

Backup/Disaster Recovery
  Low Risk (Public) Data: No restrictions.
  Moderate Risk Data: Regular backup is required and recovery periodically tested. Backup media must be encrypted and stored in a secure location.
  High Risk Data: Regular backup is required and recovery periodically tested. Backup media must be encrypted and stored in a secure location.

Media Sanitization and Disposal
  Low Risk (Public) Data: No restrictions.
  Moderate Risk Data: Must securely destroy or use a bonded disposal service.
  High Risk Data: Must securely destroy or use a bonded disposal service.

Workstation and Mobile Devices (incl. personally-owned devices)
  Low Risk (Public) Data: No restrictions.
  Moderate Risk Data: Password protection and an inactivity auto-lock are required. Employees shall remove UW System data from their personally owned devices before the devices are discarded or replaced, or before the individual is discharged from employment with the UW System.
  High Risk Data: Password protection and an inactivity auto-lock are required. Employees shall remove UW System data from their personally owned devices before the devices are discarded or replaced, or before the individual is discharged from employment with the UW System.

5. Related Documents

Regent Policy Document 25-5, Information Technology: Information Security
UW System Administrative Policy 1031, Information Security: Data Classification and Protection
Information Security Compensating Control Request Form

6. History

First approved: July 31, 2017
