Policy

On August 6, 2025, President Rothman approved substantive revisions to SYS 1042, Information Security: Threat and Vulnerability Management. The policy revisions will be effective on February 1, 2026. Please review the revised policy and make necessary preparations prior to the February 1 effective date.

Original Issuance Date: April 20, 2021
Last Revision Date: March 8, 2022
Effective Date: April 1, 2022

1.     Policy Purpose

This policy establishes the minimum requirements for vulnerability management, vulnerability scanning, patch management, threat intelligence and penetration testing of University of Wisconsin (UW) System owned or leased information technology (IT) assets.

2.     Responsible UW System Officer

Associate Vice President (AVP) for Information Security

3.     Scope and Institutional Responsibilities

This policy is applicable to all UW System institutions, including UW System Administration.

4.     Background

The President of the University of Wisconsin System is empowered to establish information security policies under the provisions of Regent Policy Document 25-5, Information Technology: Information Security. The UW System is committed to a secure information technology environment in support of its mission and recognizes the need to identify and manage security threats and vulnerabilities.

5.     Definitions

Please see SYS 1000, Information Security: General Terms and Definitions, for a list of general terms and definitions. Terms and definitions found within this policy include:

  • IT Asset Owner
  • Patch Management
  • Penetration Testing
  • Vulnerability Management
  • Vulnerability Scanning

6.     Policy Statement

All University-owned, or leased, IT assets must have an operational process and technical enforcement for discovering, reviewing, reporting, and remediating vulnerabilities. The minimum requirements for vulnerability management, vulnerability scanning, patch management, threat intelligence and penetration testing must be met as described in UW System Administrative Procedure 1042.A, Information Security: Threat and Vulnerability Management Procedure. The documentation process for the acceptance of all risks and/or the application of any compensating controls in place of published requirements must be in accordance with UW System Administrative Procedure 1039.B, Information Security: Notification of Risk Acceptance.

7.     Related Documents

Regent Policy Document 25-5, Information Technology: Information Security  
UW System Information Security Program
UW System Administrative Procedure 1042.A, Information Security: Threat and Vulnerability Management
UW System Administrative Policy 1039, Information Security: Risk Management
UW System Administrative Procedure 1039.A, Information Security: Risk Management Procedure
UW System Administrative Procedure 1039.B, Information Security: Notification of Risk Acceptance

8.     Policy History

Revision 2: March 8, 2022
Revision 1: July 7, 2021
First approved: April 20, 2021

9.     Scheduled Review

April 2023