On December 1, 2023, President Rothman approved an update to this policy. The updated policy will become effective on December 1, 2024. Please review the revised policy SYS 1031, Information Security: Data Classification and the newly approved SYS 1031 Guidance: Data Classification Examples to prepare prior to the effective date.

The related procedures SYS 1031.A, Information Security: Data Classification and SYS 1031.B, Information Security: Data Protections were approved for rescission, which will also be effective on December 1, 2024. See the SYS 1031 A And 1031.B Rescission Memopdf .

Original Issuance Date: July 31, 2017
Last Revision Date: November 13, 2020

1. Purpose of Procedure

This document describes the minimum data protection standards that must be met by University Wisconsin System institutions.

2. Responsible UW System Officer

Associate Vice President (AVP) for Information Security

3. Definitions

Please see SYS 1000, Information Security: General Terms and Definitions, for a list of general terms and definitions. Terms and definitions found within this policy include:

  • Advance Threat Protection
  • Data Steward
  • Low Risk
  • Moderate Risk
  • High Risk

4. Procedures

A. Minimum Data Handling Requirements

The following table establishes the minimum standards for data handling.

Data Handling and Control Areas
Low Risk (Public) Data) Moderate Risk Data High Risk Data
Access Controls (incl. Request for Data Access) Access to view low risk data does not require authentication.
Access to modify low risk data must use authentication methods that meet the requirements of UW System Administrative Policy 1030, Information Security: Authentication, and its associated procedure.
Access to view or modify is restricted to authorized individuals.
Remote access by third party for technical support is limited to authenticated and authorized access via secure protocols.
Access is limited to end users and administrators who have been designated by the appropriate Data Steward or similar position.
Remote access by third party for technical support is limited to authenticated and authorized access via secure protocols.
Authorization and authentication are required for access.
Multi-factor authentication is required.
Confidentiality requirements must be established and disseminated to appropriate parties.
Data must be encrypted in transit and at rest.
Copying/Printing/Transmission No minimum standards. Data distribution must be limited to individuals whose role requires access to the data set and who have authorization to access the data set. Data distribution must be limited to as few individuals as feasible whose role requires access to the data domain and who have authorization to access the data set.
Hard copies must not be left unattended and must be stored in a secure location.
Data must be encrypted in transit and at rest, and all parties must be authenticated.
Network Security No minimum standards. Defense in depth must be used, including two of the three following controls:

  1. Network firewall protection, including port restriction, protocol restriction or IP address Access Control Lists (ACL).
  2. Single factor authentication, such as username/password.
  3. Comprehensive intrusion detection and intrusion prevention, including advanced logging of all attempted access to network resources, or Advanced Threat Protection (ATP).
In addition to the moderate controls, protection with a network firewall is required.
Network access to a system or server hosting the data must be limited to the minimum necessary.
System Security No minimum standards. System administrators shall follow any system security procedures established by the institution as well as operating system-specific best practices for system management and security. System administrators shall follow any system security procedures established by the institution as well as operating system-specific best practices for system management and security.
Protection with a firewall is required.
Physical Security No minimum standards. Data must be masked from casual view to prevent unauthorized access.
Hardcopy files must be properly marked and stored in a locked cabinet.
System must be locked or logged out when unattended.
Storage must be in secured location.
Data Storage No minimum standards. Data must be stored in an institution or UW System provided cloud storage service or data center.
Individuals and departments should not select storage providers or technologies without institution or UW System approval.
If data are stored on individual workstation or mobile device, encryption is required.
Hard copies must not be left unattended and must be stored in a secure location.
Data must be stored in an institution or UW System provided cloud storage service or data center.
Individuals and departments should not select storage providers or technologies without institution or UW System approval.
If data is stored on individual workstations or mobile devices, encryption at rest is required.
Hard copies must not be left unattended and must be stored in a secure location.
All devices that access high risk data must be managed in an institution or UW System approved manner.
Backup/Disaster Recovery No minimum standards. Regular backup is required and recovery periodically tested.
Backup media must be encrypted and stored in a secure location.
Regular backup is required and recovery periodically tested.
Backup media must be encrypted and stored in a secure location or offline.
Media Sanitization and Disposal No minimum standards. Must securely destroy or use bonded disposal service. Must securely destroy or use bonded disposal service.
Workstation and Mobile Devices (incl. personally-owned devices) No minimum standards. Password protection and an inactivity auto-lock are required.
Employees shall remove UW System data from their personally owned devices before the devices are discarded or replaced, or before the individual is discharged from employment with the UW System.
Password protection and an inactivity auto-lock are required.
Employees shall remove UW System data from their personally owned devices before the devices are discarded or replaced, or before the individual is discharged from employment with the UW System.

5. Related Documents

Regent Policy Document 25-5, Information Technology: Information Security
UW System Information Security Program
UW System Administrative Policy 1031, Information Security: Data Classification and Protection

UW System Administrative Policy 1031.A, Information Security: Data Classification Standard

6. History

Revision 3: November 23, 2020

Revision 2: December 9, 2019
Revision 1: January 9, 2019
First approved: July 31, 2017