Original Issuance Date: April 20, 2021
Last Revision Date: April 20, 2021
Effective Date: April 1, 2022
1. Policy Purpose
This policy establishes the minimum requirements for vulnerability management, vulnerability scanning, patch management, threat intelligence and penetration testing of IT assets owned or leased by the University of Wisconsin (UW) System.
2. Responsible UW System Officer
Associate Vice President (AVP) for Information Security
3. Scope and Institutional Responsibilities
This policy is applicable to all UW System institutions, including central administration, which comprises UW System Administration, UW Shared Services and UW Extended Campus.
4. Background
The President of the University of Wisconsin System is empowered to establish information security policies under the provisions of Regent Policy Document 25-5, Information Technology: Information Security. The UW System is committed to a secure information technology environment in support of its mission and recognizes the need to identify and manage security threats and vulnerabilities.
5. Definitions
Please see SYS 1000, Information Security: General Terms and Definitions, for a list of general terms and definitions. Terms and definitions used within this policy include:
Vulnerability Scanning: The technique used to identify vulnerabilities in IT systems.
Vulnerability Management: The process to identify, analyze, and manage vulnerabilities.
Patch Management: The process to identify, deploy, install and verify successful patching.
Penetration Testing: The mimicking of real-world attacks in an attempt to verify the security features of an application, system, or network, or to identify methods to circumvent them, often involving execution of attacks on production systems and data using tools and techniques employed by malicious actors.
IT Asset Owner: The person or team responsible for making decisions about the asset, including patching, testing patches, or accepting the risk of not remediating vulnerabilities.
6. Policy Statement
All University-owned or leased IT assets must have an operational process and technical enforcement for discovering, reviewing, reporting, and remediating vulnerabilities. The minimum requirements for vulnerability management, vulnerability scanning, patch management, threat intelligence and penetration testing must be met as described in UW System Administrative Procedure 1042.A, Information Security: Threat and Vulnerability Management Procedure. The documentation process for the acceptance of any risk, or for the application of any compensating control in place of a published requirement, must be in accordance with UW System Administrative Procedure 1039.B, Information Security: Notification of Risk Acceptance.
7. Related Documents
8. Policy History
First approved: April 20, 2021
9. Scheduled Review