Original Issuance Date: April 20, 2021

Last Revision Date: April 20, 2021

Effective Date: April 1, 2022

1.     Policy Purpose

This policy establishes the minimum requirements for vulnerability management, vulnerability scanning, patch management, threat intelligence and penetration testing of IT assets owned or leased by the University of Wisconsin (UW) System.

2.     Responsible UW System Officer

Associate Vice President (AVP) for Information Security

3.     Scope and Institutional Responsibilities

This policy applies to all UW System institutions, including central administration, which comprises UW System Administration, UW Shared Services and UW Extended Campus.

4.     Background

The President of the University of Wisconsin System is empowered to establish information security policies under the provisions of Regent Policy Document 25-5, Information Technology: Information Security. The UW System is committed to a secure information technology environment in support of its mission and recognizes the need to identify and manage security threats and vulnerabilities.

5.     Definitions

Please see SYS 1000, Information Security: General Terms and Definitions, for a list of general terms and definitions. Terms and definitions found within this policy include:

Vulnerability Scanning: The technique used to identify vulnerabilities of IT systems.

Vulnerability Management: The process to identify, analyze, and manage vulnerabilities.

Patch Management: The process to identify, deploy, install and verify successful patching.

Penetration Testing: The mimicking of real-world attacks, in an attempt to verify the security features or identify methods to circumvent the security features of an application, system, or network, often involving execution of attacks on production systems and data, utilizing tools and techniques employed by malicious actors.

IT Asset Owner: The person or team responsible for making decisions about the asset, including patching, testing patches, or accepting the risk of not remediating vulnerabilities.

6.     Policy Statement

All University-owned, or leased, IT assets must have an operational process and technical enforcement for discovering, reviewing, reporting, and remediating vulnerabilities. The minimum requirements for vulnerability management, vulnerability scanning, patch management, threat intelligence and penetration testing must be met as described in UW System Administrative Procedure 1042.A, Information Security: Threat and Vulnerability Management Procedure. The documentation process for the acceptance of all risks and/or the application of any compensating controls in place of published requirements must be in accordance with UW System Administrative Procedure 1039.B, Information Security: Notification of Risk Acceptance.

7.     Related Documents

Regent Policy Document 25-5, Information Technology: Information Security

UW System Information Security Program

UW System Administrative Procedure 1042.A, Information Security: Threat and Vulnerability Management

UW System Administrative Policy 1039, Information Security: Risk Management

UW System Administrative Procedure 1039.A, Information Security: Risk Management Procedure

UW System Administrative Procedure 1039.B, Information Security: Notification of Risk Acceptance

8.     Policy History

First approved: April 20, 2021

9.     Scheduled Review

April 2023