Policy
On August 6, 2025, President Rothman approved substantive revisions to SYS 1042, Information Security: Threat and Vulnerability Management. The policy revisions will be effective on February 1, 2026. Please review the revised policy and make necessary preparations prior to the February 1 effective date.
Original Issuance Date: April 20, 2021
Last Revision Date: March 8, 2022
Effective Date: April 1, 2022
1. Policy Purpose
This policy establishes the minimum requirements for vulnerability management, vulnerability scanning, patch management, threat intelligence and penetration testing of University of Wisconsin (UW) System information technology owned or leased IT assets.
2. Responsible UW System Officer
Associate Vice President (AVP) for Information Security
3. Scope and Institutional Responsibilities
This policy is applicable to all UW System institutions, including W System Administration.
4. Background
The President of the University of Wisconsin System is empowered to establish information security polices under the provisions of Regent Policy Document 25-5, Information Technology: Information Security. The UW System is committed to a secure information technology environment in support of its mission and recognizes the need to identify and manage security threats and vulnerabilities.
5. Definitions
Please see SYS 1000, Information Security: General Terms and Definitions, for a list of general terms and definitions. Terms and definitions found within this policy include:
- IT Asset Owner
- Patch Management
- Penetration Testing
- Vulnerability Management
- Vulnerability Scanning
6. Policy Statement
All University-owned, or leased, IT assets must have an operational process and technical enforcement for discovering, reviewing, reporting, and remediating vulnerabilities. The minimum requirements for vulnerability management, vulnerability scanning, patch management, threat intelligence and penetration testing must be met as described in UW System Administrative Procedure 1042.A, Information Security: Threat and Vulnerability Management Procedure. The documentation process for the acceptance of all risks and/or the application of any compensating controls in place of published requirements must be in accordance with UW System Administrative Procedure 1039.B, Information Security: Notification of Risk Acceptance.
7. Related Documents
Regent Policy Document 25-5, Information Technology: Information Security
UW System Information Security Program
UW System Administrative Procedure 1042.A., Information Security: Threat and Vulnerability Management
UW System Administrative Policy 1039, Information Security: Risk Management
UW System Administrative Procedure 1039.A, Information Security: Risk Management Procedure
UW System Administrative Procedure 1039.B, Information Security: Notification of Risk Acceptance
8. Policy History
Revision 2: March 8, 2022
Revision 1: July 7, 2021
First approved: April 20, 2021
9. Scheduled Review
April 2023