Original Issuance Date: October 13, 2020
Last Revision Date: November 11, 2022
Effective Date: January 1, 2022
1. Policy Purpose
The purpose of this policy is to provide a formal structure for the management of information security (IS) risks occurring within the University of Wisconsin (UW) System. IS risk management protects the confidentiality, integrity, and availability of UW IT assets in compliance with applicable UW System policies, state and federal regulations, and industry guidelines.
2. Responsible UW System Officer
Associate Vice President (AVP) for Information Security
3. Scope and Institutional Responsibilities
This policy is applicable to all UW System institutions and identifies the parameters for assessing the risk of all institution-owned or leased IT assets and/or systems that store or process data used to accomplish research, teaching, learning, administration, or public service.
The President of the UW System is empowered to establish information security policies under Regent Policy Document 25-5, Information Technology: Information Security. The UW System is committed to a secure information technology environment in support of its mission. The information security risk management principles described within this policy are designed to help ensure satisfactory and consistent practices to address and mitigate information security risk throughout all UW System institutions.
Please see SYS 1000, Information Security: General Terms and Definitions, for a list of general terms and definitions. Terms and definitions found within this policy include:
- IT Asset
- Inherent Risk
- Risk Executive
- Risk Management
- Risk Assessment
- Risk Treatment
6. Policy Statement
Information security risk associated with all IT assets must be formally managed, as described in UW System Administrative Procedure 1039.A, Information Security: Risk Management and UW System Administrative Procedure 1039.B, Information Security: Notification of Risk Acceptance, to ensure that the likelihood and impact of threats and vulnerabilities are understood and minimized to the furthest extent practical.
Information security risks and the assessment of those risks will be compiled and maintained in a centralized repository known as the UW System Risk Register. Risks will be identified through a variety of sources, including, but not limited to, internal and external audits and assessments, systems monitoring, vulnerability scans, penetration tests, and incident investigations. UW System leadership will convene regularly, in the form of a Risk and Compliance Council, to evaluate and prioritize any mitigation actions to address identified risks.
As part of the Information Security Risk Management process, the UW System institutions will be required to:
- Identify and Document: Formally identify and document information security risks.
- Manage: Manage the lifecycle of information security risks in a formal and consistent manner and ensure that risks are aligned with the UW System Administrative Procedure 1039.A, Information Security: Risk Management.
- Report: Report information security risks as described in UW System Administrative Procedure 1039.A, Information Security: Risk Management.
- Implement/Maintain Security Controls: Implement, administer, and maintain the information security risk treatments necessary to reduce a risk occurring within the UW System to an acceptable level, when that risk is determined to be unacceptable.
B. Risk Acceptance
In a situation in which a UW institution does not implement a control or process to manage an identified risk, such a decision must be formally documented, as described in UW System Administrative Procedure 1039.B, Information Security: Notification of Risk Acceptance. For UW System Administration, the Vice President for Finance and Administration shall serve in place of the Chancellor in relation to the responsibilities identified within UW System Administrative Procedure 1039.B.
The UW System Office of Information Security will ensure information security risk management training materials are made available to Risk Executives, UW System leaders, managers, system developers and users.
7. Related Documents
Regent Policy Document 25-5, Information Security
UW System Information Security Program
UW System Administrative Policy 1000, Information Security: General Terms and Definitions
UW System Administrative Procedure 1039.A, Information Security: Risk Management
UW System Administrative Procedure 1039.B, Information Security: Notification of Risk Acceptance
8. Policy History
Revision 2: November 11, 2022
Revision 1: March 24, 2021
First approved: October 13, 2020
9. Scheduled Review