Policy

Original Issuance Date: April 20, 2021

Last Revision Date: March 8, 2022

Effective Date: April 1, 2022

1.     Policy Purpose

This policy establishes the minimum requirements for vulnerability management, vulnerability scanning, patch management, threat intelligence and penetration testing of information technology (IT) assets owned or leased by the University of Wisconsin (UW) System.

2.     Responsible UW System Officer

Associate Vice President (AVP) for Information Security

3.     Scope and Institutional Responsibilities

This policy is applicable to all UW System institutions, including UW System Administration.

4.     Background

The President of the University of Wisconsin System is empowered to establish information security policies under the provisions of Regent Policy Document 25-5, Information Technology: Information Security. The UW System is committed to a secure information technology environment in support of its mission and recognizes the need to identify and manage security threats and vulnerabilities.

5.     Definitions

Please see SYS 1000, Information Security: General Terms and Definitions, for a list of general terms and definitions. Terms and definitions found within this policy include:

  • IT Asset Owner
  • Patch Management
  • Penetration Testing
  • Vulnerability Management
  • Vulnerability Scanning

6.     Policy Statement

All University-owned, or leased, IT assets must have an operational process and technical enforcement for discovering, reviewing, reporting, and remediating vulnerabilities. The minimum requirements for vulnerability management, vulnerability scanning, patch management, threat intelligence and penetration testing must be met as described in UW System Administrative Procedure 1042.A, Information Security: Threat and Vulnerability Management Procedure. The documentation process for the acceptance of all risks and/or the application of any compensating controls in place of published requirements must be in accordance with UW System Administrative Procedure 1039.B, Information Security: Notification of Risk Acceptance.

7.     Related Documents

Regent Policy Document 25-5, Information Technology: Information Security  

UW System Information Security Program

UW System Administrative Procedure 1042.A, Information Security: Threat and Vulnerability Management

UW System Administrative Policy 1039, Information Security: Risk Management

UW System Administrative Procedure 1039.A, Information Security: Risk Management Procedure

UW System Administrative Procedure 1039.B, Information Security: Notification of Risk Acceptance

8.     Policy History

Revision 2: March 8, 2022

Revision 1: July 7, 2021

First approved: April 20, 2021

9.     Scheduled Review

April 2023