Original Issuance Date: October 13, 2020
Last Revision Date: March 25, 2021
Effective Date: April 1, 2021
1. Purpose of Procedures
This procedure defines the specific method and information required to document, track, and provide notification of risk acceptance of information security-related requirements, throughout the University of Wisconsin (UW) System.
2. Responsible UW System Officer
Associate Vice President (AVP) for Information Security
3. Definitions
Please see SYS 1000, Information Security: General Terms and Definitions, for a list of general terms and definitions. Terms and definitions found within this procedure include:
- Compensating Control
- Risk Acceptance
- Risk Executive
- Risk Mitigation
- Vulnerability
4. Procedures
A. Standards
A Risk Acceptance Notification Form is required for the acceptance of all risks and/or the application of any compensating controls in place of published requirements within UW System information security policies, procedures and/or enterprise deployment criteria. The completed form must be submitted to the UW System Office of Information Security using the form referenced in Related Documents. Each Risk Acceptance Form must be reviewed, updated and resubmitted within one year of its issuance date, on a recurring basis, for as long as the risk acceptance remains in force.
i. Procedure Owner
The UW System Office of Information Security owns the Risk Acceptance Notification process. It is responsible for ensuring that all necessary parties review, and make comments and recommendations concerning, the risks associated with non-compliance with UW System information security policies and procedures, and with deviation from enterprise deployment criteria.
Questions concerning the process are to be directed to the UW System Office of Information Security.
B. Documentation and Record Keeping
Once submitted by the institution, the Office of Information Security retains a repository of this documentation, provides a copy to UW System Internal Audit and periodically engages UW System leadership and the Risk and Compliance Council for their awareness.
The completed form must be submitted via the approved TISC formal documentation method, within the TISC channel of Microsoft Teams.
5. Related Documents
Regent Policy Document 25-5, Information Technology: Information Security
UW System Information Security Program
UW System Administrative Policy 1000, Information Security: General Terms and Definitions
UW System Administrative Policy 1039, Information Security: Risk Management
UW System Administrative Procedure 1039.A, Information Security: Risk Management
6. History
Revision 1: March 25, 2021
First approved: September 30, 2020