Policy

Original Issuance Date: November 10, 2022

Last Revision Date: January 19, 2023

Effective Date: December 1, 2023

1. Policy Purpose

The purpose of this policy is to provide structure for the deployment and management of network controls used to mitigate Information Security (IS) threats throughout the University of Wisconsin (UW) System.

2. Responsible UW System Officer

Associate Vice President for Information Security

3. Scope and Institutional Responsibilities

This policy applies to all UW System institutions, including UW System Administration. This policy identifies the requirements for the installation and use of network protection controls on all UW System managed networks, where technically feasible, that transport data used to accomplish University research, teaching, learning, operations, or administration.

4. Background

The President of the University of Wisconsin System is empowered to establish IS policies under the provisions of Regent Policy Document 25-5, Information Technology: Information Security. The UW System is committed to a secure information technology environment in support of its mission.

The network protection requirements described within this policy are designed to help ensure satisfactory and consistent practices to address and mitigate persistent IS threats that use the network to attack information technology resources.

5. Definitions

Please see SYS 1000, Information Security: General Terms and Definitions, for a list of general terms and definitions. Terms and definitions found within this policy include:

  • External Network
  • Managed Interface
  • Network Security Zone
  • System Boundary
  • Trusted Network Security Zone

6. Policy Statement

A. Network Security Architecture Documentation

High-level network security architecture documentation must be maintained that identifies the security services and mechanisms for the Network Security Zones within the System Boundary and connections to External Networks. High-level network security architecture diagram(s) must accompany network security architecture documentation.

B. Network Access Controls

Employ network access controls to monitor and control communications at external boundaries and key Managed Interfaces between Network Security Zones within the System Boundary to restrict the flow of traffic and prevent unauthorized access commensurate with the classification of the data being transmitted. Network access controls must be aligned with the institution’s defined architecture.

C. Network Communication Protection Activities

Ensure network access controls protect the integrity and confidentiality of transmitted data in Trusted Network Security Zones and as defined by the institution’s network security architecture.

D. Network Configuration Management

Employ configuration change management processes and maintain documentation for security-related configuration changes to networking IT devices. Limit access rights to the minimal level necessary for administrators to perform their job duties.

E. Network Device Security

Network devices must be reasonably secured from unauthorized physical and logical access commensurate with the criticality of the device and its associated Network Security Zone.

7. Related Documents

Regent Policy Document 25-5, Information Technology: Information Security

UW System Information Security Program

UW System Administrative Procedure 1038.A, Information Security: Network Protection Standard

NIST Special Publication 800-53 Rev. 5

8. Policy History

Revision 1: January 19, 2023

First approved: November 10, 2022

9. Scheduled Review

November 2025