UW-Madison - Policy Portfolio - Cybersecurity Portfolio List
These are all UW-Madison cybersecurity policies that are registered with the Office of Cybersecurity. Closely related policies are grouped together.
The list is primarily useful to UW-Madison IT Staff. For a general list of campus IT policies, see: https://kb.wisc.edu/itpolicy/cio-policies.
These eight policy portfolios cover all cybersecurity-related policies and documents that are currently tracked as relevant to IT Policy. The NIST SP 800-53 control families are exhaustively mapped to/from these portfolios at: https://kb.wisc.edu/itpolicy/cybersecurity-policy-control-mapping. The majority of the material aligns with the main portfolio entry of a document. There are additional entries when there is significant overlap with other portfolios.
Documents identified as "IT Policy" are developed and maintained by the Office of the CIO and are approved by the Information Technology Committee. Relevant documents from UW System and from other UW-Madison Schools, Colleges and Divisions are included in each portfolio. The Policy Planning and Analysis Team and the Office of the CIO cooperate with others to help ensure consistency.
See also: Provisional UW–Madison Online Collaboration Session Recording Policy (eff. March 16, 2020) for IT policy related to COVID-19
See also: Policy Portfolios (all portfolios, including the cybersecurity portfolios listed on this page)
Acquisition and Development
Acquisition and Development addresses the selection, acquiring or development of any IT asset, including hardware, software, data, and IT services. The cybersecurity-related policies in this portfolio are mapped to the NIST SP 800-53 control families.
Policies
Accounting Services - Credit Card Merchant Services and PCI Compliance (device acquisition, merchant accounts, third-party vendors) (on bussvc.wisc.edu)
DoIT - Standards for Managing Test and Service Accounts (please contact itpolicy@cio.wisc.edu)
Purchasing Services - Purchasing Policies & Procedures (on bussvc.wisc.edu)
UW System (on wisconsin.edu)
Related Documents
IT Policy-related
IT Governance (on it.wisc.edu)
- Project Intake and Prioritization (main entry: Resource Management)
- Service Catalog (main entry: Resource Management)
Configuration and Maintenance
Configuration and Maintenance addresses how IT devices and software are managed and maintained to ensure correct and secure operation. The cybersecurity-related policies in this portfolio are mapped to the NIST SP 800-53 control families.
Policies
Accounting Services - Credit Card Merchant Services and PCI Compliance (device configuration and maintenance) (on bussvc.wisc.edu)
HIPAA (on compliance.wisc.edu)
- 8.11 HIPAA Security Data Management and Backup
- 8.13 HIPAA Security System Configuration and Use
IT Policy
Related Documents
- None
Contingency Planning
Contingency Planning addresses what is to be done to account for a possible situation or event, particularly one that involves IT, that may be harmful or disruptive to operations. The cybersecurity-related policies in this portfolio are mapped to the NIST SP 800-53 control families.
Policies
Accounting Services - Credit Card Merchant Services and PCI Compliance (contingency planning) (on bussvc.wisc.edu)
HIPAA (on compliance.wisc.edu)
- 8.4 HIPAA Security Contingency Planning
- 8.11 HIPAA Security Data Management and Backup (backup provisions)
Related Documents
DoIT - Disaster Recovery Plan (please contact itpolicy@cio.wisc.edu)
UW PD - Continuity of Operations Plan (COOP) (on uwpd.wisc.edu)
Education, Training and Awareness
Education, Training and Awareness addresses IT-related information that faculty, staff, and students should understand in order to properly act within their role at UW. The cybersecurity-related policies in this portfolio are mapped to the NIST SP 800-53 control families.
Policies
Accounting Services - Credit Card Merchant Services and PCI Compliance (training, disposal) (on bussvc.wisc.edu)
HIPAA (on compliance.wisc.edu)
- 8.7 Destruction/Disposal of PHI
- 9.1 HIPAA Privacy and Security Training
- 9.2 Responding to Employee Noncompliance related to HIPAA
- 9.3 Responding to Student Noncompliance related to HIPAA
IT Policy
- Endpoint Management and Security Policy (main entry: Configuration and Maintenance)
- Disposal and Reuse Policy and Procedures (main entry: Configuration and Maintenance)
- Security Education, Training, and Awareness Implementation Plan (SETA) (under development)
- Password Standard (main entry: Identity and Access Management)
UW System (on wisconsin.edu)
Related Documents
IT Policy-related
- Copyright Infringement (main entry: Copyright and Intellectual Property)
- IT Compliance Agreement
Identity and Access Management
Identity and Access Management (IAM) addresses online and physical access to assets and data, specifically how a person or resource is identified, the resources that can be accessed, and what can be done with that access. The cybersecurity-related policies in this portfolio are mapped to the NIST SP 800-53 control families.
Policies
Accounting Services - Credit Card Merchant Services and PCI Compliance (access control provisions) (on bussvc.wisc.edu)
Faculty Senate - Access to Faculty and Staff Electronic Files Policy (main entry: Privacy)
HIPAA (on compliance.wisc.edu)
- 3.8 Minimum Necessary Standard
- 8.9 HIPAA Security System Access
- 8.10 HIPAA Security Remote Access
- 8.12 HIPAA Security Facilities Access
IT Policy
- Access Control Services Policy and Standard
- IT Credentials Policy (planned) (on IT Policy Wiki)
- Guest NetID Policy
- NetID Eligibility Policy
- Password Policy and Standard
UW System (on wisconsin.edu)
- 1030 Authentication Policy
- 1030A Authentication Procedures
- 25-3 Acceptable Use of Information Technology Resources (credentials and access provisions)
Related Documents
IT Policy-related
- IT Compliance Agreement (NetID Terms of Use)
- NetID Appropriate Use Standards
- Non-UW-Madison Applications and Services Guidelines (main entry: Acquisition and Development)
Records Management - Electronic Communications Guidance (PDF) (on library.wisc.edu)
Monitoring and Mitigation
Monitoring and Mitigation addresses how IT assets and resources are monitored for vulnerabilities or unauthorized access, and how corrective action is taken. The cybersecurity-related policies in this portfolio are mapped to the NIST SP 800-53 control families.
Policies
Accounting Services - Credit Card Merchant Services and PCI Compliance (reconciliation, vulnerability scanning, transaction walk-throughs) (on bussvc.wisc.edu)
DoIT - Incident Reporting and Response Policy (please contact itpolicy@cio.wisc.edu)
HIPAA (on compliance.wisc.edu)
- 8.3 HIPAA Security Auditing Policy
- 8.8 Notification and Reporting Policy
IT Policy
UW System (on wisconsin.edu)
- 1033 Information Security: Incident Response
- 25-3 Acceptable Use of Information Technology Resources (privacy and security provisions)
Related Documents
IT Policy-related
- Computer Logging Statement
- Continuous Diagnostics and Mitigation Implementation Plan (under development)
Privacy
Privacy addresses the protection of privacy in an IT environment. The cybersecurity-related policies in this portfolio are mapped to the NIST SP 800-53 control families.
Policies
Faculty Senate - Access to Faculty and Staff Electronic Files Policy
HIPAA (on compliance.wisc.edu)
- 2.1 Notice of Privacy Practices (NPP)
- 3.2 Uses and Disclosures of Protected Health Information That Require Patient Authorization
- 3.3 Uses and Disclosures of PHI Not Requiring Patient Authorization
- 3.4 Uses and Disclosures of PHI That Require Providing Patient with an Opportunity to Agree or Object
- 3.5 Uses and Disclosures of Protected Health Information for Education and Training
- 3.6 Uses and Disclosures of Protected Health Information for Marketing
- 3.7 Uses and Disclosures of Protected Health Information for Fundraising
- 3.8 Minimum Necessary Standard
- 3.9 Verifying Identity and Authority of Persons Seeking Disclosure of a Patient's PHI
- 3.10 Designated Record Set
- 3.11 Sale of Protected Health Information Generally Prohibited
- 5.1 De-identification of Protected Health Information Under the HIPAA Privacy Rule
- 5.2 Creation of a Limited Data Set Under the HIPAA Privacy Rule
- 7.1 Requests by Patients for an Accounting of Certain Disclosures
- 7.2 Requests by Patients to Amend Protected Health Information
- 7.3 Requests by Patients for Alternative Confidential Communications
- 7.4 Requests by Patients for Access to Inspect and Obtain a Copy of Protected Health Information
- 7.5 Requests by Patients for Restrictions on Uses and Disclosures of Protected Health Information
- 8.5 Security of Faxed, Printed, and Copied Documents Containing Protected Health Information
- 8.6 Email Communication Involving Protected Health Information
- 10.1 Complaints Under the HIPAA Privacy Rule
IT Policy - Collection of Personal Identity Information via Email
UW-Madison IT Professionals - Guidelines, Best Practices, and Advice (on it.wisc.edu)
UW System - 25-3 Acceptable Use of Information Technology Resources (privacy and security provisions) (on wisconsin.edu)
Related Documents
IT Policy-related
- FERPA Description
- HIPAA Description
- Non-UW-Madison Applications and Services Guidelines (main entry: Acquisition and Development)
Risk Management
Risk Management addresses how the protection of IT assets and resources will be balanced with the likelihood and impact of malicious activity and the ability of UW and its affiliates to carry out their missions. The cybersecurity-related policies in this portfolio are mapped to the NIST SP 800-53 control families.
Policies
Accounting Services - Credit Card Merchant Services and PCI Compliance (annual validation, approvals, roles, responsibilities, sanctions) (on bussvc.wisc.edu)
HIPAA (on compliance.wisc.edu)
- 1.1 Designation of the UW-Madison Health Care Component (UW HCC)
- 1.2 Designation of the University of Wisconsin Affiliated Covered Entity (UW ACE)
- 6.1 Managing Arrangements with Business Associates of the University of Wisconsin-Madison
- 6.2 Managing Business Associate Arrangements When the University of Wisconsin-Madison is the BA
- 6.3 Use of and Safeguards for PHI by UW-Madison Internal Business Support Personnel
- 8.1 HIPAA Security Risk Management
- 8.2 HIPAA Security Oversight
- 10.2 Designation of Unit Privacy and Security Coordinators
IT Policy
- Cybersecurity Risk Management Policy and Implementation Plan
- Data Classification Policy (main entry: Data)
- Restricted Data Security Management Policy and Procedures (main entry: Monitoring and Mitigation)
UW System (on wisconsin.edu)
- 1031 Data Classification Policy and 1031A Data Classification Procedures (main entry: Data)
- 25-3 Acceptable Use of Information Technology Resources (privacy and security provisions)
- 25.4 Strategic Planning for Large or High Risk Projects
- 25-5 Information Technology: Information Security
Related Documents
IT Policy-related
- FERPA Description
- HIPAA Description
- Non-UW-Madison Applications and Services Guidelines (main entry: Acquisition and Development)
Contact
Please address questions or comments to itpolicy@cio.wisc.edu.
References
- CIO IT Policies - https://kb.wisc.edu/itpolicy/cio-policies
- HIPAA Privacy and Security Policies - http://hipaa.wisc.edu/hipaa-policies.htm
- Purchasing Services Policies and Procedures - http://www.bussvc.wisc.edu/purch/pppindx.html