Original Issuance Date: November 10, 2022
Last Revision Date: November 10, 2022
Effective Date: December 1, 2023

1. Policy Purpose

The purpose of this policy is to provide structure for the deployment and management of network controls used to mitigate Information Security (IS) threats throughout the University of Wisconsin (UW) System.

2. Responsible UW System Officer

Associate Vice President for Information Security

3. Scope and Institutional Responsibilities

This policy applies to all UW System institutions, including UW System Administration. This policy identifies the requirements for the installation and use of network protection controls, where technically feasible, on all UW System managed networks that transport data used to accomplish University research, teaching, learning, operations, or administration.

4. Background

The President of the University of Wisconsin System is empowered to establish IS policies under the provisions of Regent Policy Document 25-5, Information Technology: Information Security. The UW System is committed to a secure information technology environment in support of its mission.

The network protection requirements described within this policy are designed to help ensure satisfactory and consistent practices to address and mitigate persistent IS threats that use the network to attack information technology resources.

5. Definitions

Please see SYS 1000, Information Security: General Terms and Definitions, for a list of general terms and definitions. Terms and definitions found within this policy include:

  • External Network: A network not controlled by the organization.
  • Managed Interface: An interface that provides boundary protection capabilities using automated mechanisms or devices.
  • Network Security Zone: A group of logical or physical network segments with a defined level of network security for the connected systems, users, and data within an overall network architecture.
  • System Boundary: Defines the components of the information systems under the authority of the institution.
  • Trusted Network Security Zone: A Network Security Zone with an institution-defined trust level based on the security services and standards for control and management commensurate with the risk and classification of the connected systems and data transmitted. Example controls include firewalls, access control lists, virtual private networks, intrusion detection systems, and network access control policy enforcement.

6. Policy Statement

A. Network Security Architecture Documentation

High-level network security architecture documentation must be maintained that identifies the security services and mechanisms for the Network Security Zones within the System Boundary and connections to External Networks. High-level network security architecture diagram(s) must accompany network security architecture documentation.

B. Network Access Controls

Employ network access controls to monitor and control communications at external boundaries and key Managed Interfaces between Network Security Zones within the System Boundary to restrict the flow of traffic and prevent unauthorized access commensurate with the classification of the data being transmitted. Network access controls must be aligned with the institution’s defined architecture.

C. Network Communication Protection Activities

Ensure network access controls protect the integrity and confidentiality of transmitted data in Trusted Network Security Zones and as defined by the institution’s network security architecture.

D. Network Configuration Management

Employ configuration change management processes and maintain documentation for security-related configuration changes to networking IT devices. Limit access rights to the minimal level necessary for administrators to perform their job duties.

E. Network Device Security

Network devices must be reasonably secured from unauthorized physical and logical access commensurate with the criticality of the device and its associated Network Security Zone.

7. Related Documents

Regent Policy Document 25-5, Information Technology: Information Security

UW System Information Security Program

UW System Administrative Procedure 1038.A, Information Security: Network Protection Standard

NIST Special Publication 800-53 Rev. 5

8. Policy History

First approved: November 10, 2022

9. Scheduled Review

November 2025