Original Issuance Date: April 20, 2021
Last Revision Date: August 6, 2025
Effective Date: February 1, 2026
1. Policy Purpose
This policy establishes baseline requirements for the identification, assessment, and management of threats and vulnerabilities affecting Universities of Wisconsin (UW) information technology (IT) assets.
2. Responsible UW System Officer
Associate Vice President for Information Security
3. Scope and Institutional Responsibilities
This policy applies to all UW universities, including UW Administration, and encompasses all University-owned or leased IT assets.
4. Background
The UW System is committed to maintaining a secure and resilient information technology environment in support of its academic, research, and administrative missions. Recognizing the evolving threat landscape, this policy supports the broader UW Information Security Program by establishing a consistent, enterprise-wide risk approach to threat and vulnerability management.
5. Definitions
Please see SYS 1000, Information Security: General Terms and Definitions, for a list of general terms and definitions. Terms and definitions found within this policy include:
- IT Asset Owner
- Patch Management
- Penetration Testing
- Vulnerability Scanning
- Vulnerability Management
6. Policy Statement
A. Vulnerability Management
Universities must implement and maintain a vulnerability management program. This program must prioritize remediation efforts based on the likelihood and potential impact of exploitation, the criticality of affected assets, and the operational context in which vulnerabilities exist.
B. Vulnerability Scanning
Each university must perform regular vulnerability scanning to assess and manage risks to its IT assets. Scanning frequency and scope should be guided by asset criticality, risk exposure, and compliance requirements.
C. Patch Management
Universities must maintain a documented patch management process. This process must ensure timely identification, evaluation, and deployment of security patches to reduce exposure to known vulnerabilities.
D. Penetration Testing
Where appropriate, universities should conduct periodic penetration testing to identify exploitable vulnerabilities and validate security controls.
E. Threat Intelligence
Each university must conduct routine external threat intelligence gathering and sharing.
7. Related Documents
Regent Policy Document 25-5, Information Technology: Information Security
UW System Information Security Program
UW System Administrative Procedure 1042.A, Information Security: Threat and Vulnerability Management Standard
8. Policy History
Revision 3: August 6, 2025
Revision 2: March 8, 2022
Revision 1: July 7, 2021
First approved: April 20, 2021
9. Scheduled Review
August 2030