Original Issuance Date: October 13, 2020
Last Revision Date: October 13, 2020
Effective Date: April 1, 2021
1. Purpose of Procedures
This procedure defines the specific method and information required to document, track, and provide notification of risk acceptance of information security-related requirements, throughout the University of Wisconsin (UW) System.
2. Responsible UW System Officer
Associate Vice President (AVP) for Information Security
Please see SYS 1000, Information Security: General Terms and Definitions, for a list of general terms and definitions. Terms and definitions found within this procedure include:
- Compensating Control
- Risk Acceptance
- Risk Executive
- Risk Mitigation
A Risk Acceptance Notification Form is required for the acceptance of all risks and/or the application of any compensating controls in place of published requirements within UW System information security policies, procedures and/or enterprise deployment criteria. The completed form must be submitted to the UW System Office of Information Security using the form referenced in Related Documents. Each Risk Acceptance Form must be reviewed, updated and resubmitted within one year of their issuance date, on a recurring basis, for as long as the risk acceptance remains in force.
i. Procedure Owner
The UW System Office of Information Security owns the Risk Acceptance Notification process. It is responsible for ensuring that all necessary parties review, make comments and recommendations concerning the risks associated with non-compliance with UW System information security policies, procedures, and deviation from enterprise deployment criteria.
Questions concerning the process are to be directed to the UW System Office of Information Security.
B. Documentation and Record Keeping
Once submitted by the institution, the Office of Information Security retains a repository of this documentation, provides a copy to UW System Internal Audit and periodically engages UW System leadership and the Risk and Compliance Council for their awareness.
The completed form must be submitted via the approved TISC formal documentation method, within the TISC channel of Microsoft Teams.
5. Related Documents
First approved: September 30, 2020