Table of Contents

• These fifteen portfolios cover policies and policy-related documents that govern information technology and closely related subjects. Documents identified as "IT Policy" are developed and mantained by the Office of the CIO and are approved by the Information Technology Committee. Relevant documents from other UW-Madison Schools, Colleges and Divisions and from UW System are included in each portfolio. The Policy Planning and Analysis Team and the Office of the CIO cooperate with others to help ensure consistency.

• Acquisition and Development

• Configuration and Maintenance

• Contingency Planning

• Copyright and Intellectual Property

• Data Management

• Digital Accessibility

• Education, Training and Awareness

• Electronic Records Management

• Identity and Access Management

• Monitoring and Mitigation

• Networking and Telecommunications

• Policy Program

• Privacy

• Resource Management

• Risk Management

• See also: Cybersecurity Portfolios (consists of eight of the portfolios listed above that are primarily cybersecurity)

---

Acquisition and Development

Acquisition and Development addresses the selection, acquiring or development of any IT asset, including hardware, software, data, and IT services. The cybersecurity-related policies in this portfolio are mapped to the NIST SP 800-53 control families.

Policies

• Accounting Services - Credit Card Merchant Services and PCI Compliance (device acquisition, merchant accounts, third-party vendors) _{(on bussvc.wisc.edu)}

• DoIT - Standards for Managing Test and Service Accounts _{(please contact itpolicy@cio.wisc.edu)}

• Purchasing Services - Purchasing Policies & Procedures _{(on bussvc.wisc.edu)}

• UW System _{(on wisconsin.edu)}

  • 1110 Information Technology Acquisitions Approval
  • 25-4 Strategic Planning and Large or High Risk Projects

Related Documents

• IT Policy-related

  • Cloud Services
  • Non-UW-Madison Applications and Services Guidelines

• IT Governance _{(on it.wisc.edu)}

  • Project Intake and Prioritization _{(main entry: Resource Management)}
  • Service Catalog _{(main entry: Resource Management)}

---

Configuration and Maintenance

Configuration and Maintenance addresses how IT devices and software are managed and maintained to ensure correct and secure operation. The cybersecurity-related policies in this portfolio are mapped to the NIST SP 800-53 control families.

Policies

• Accounting Services - Credit Card Merchant Services and PCI Compliance (device configuration and maintenance) _{(on bussvc.wisc.edu)}

• HIPAA _{(on compliance.wisc.edu)}

  • 8.11 HIPAA Security Data Management and Backup
  • 8.13 HIPAA Security System Configuration and Use

• IT Policy

  • Media and Device Disposal and Reuse Policy and Procedures
  • Electronic Devices Policy
  • Email Servers Policy
  • Encryption Policy and Standard

Related Documents

• None

---

Contingency Planning

Contigency Planning addresses what is to be done to account for a possible situation or event, particularly ones that involve IT, that may be harmful or disruptive to operations. The cybersecurity-related policies in this portfolio are mapped to the NIST SP 800-53 control families.

Policies

• Accounting Services - Credit Card Merchant Services and PCI Compliance (contingency planning) _{(on bussvc.wisc.edu)}

• HIPAA _{(on compliance.wisc.edu)}

  • 8.4 HIPAA Security Contingency Planning
  • 8.11 HIPAA Security Data Management and Backup (backup provisions)

Related Documents

• DoIT - Disaster Recovery Plan _{(please contact itpolicy@cio.wisc.edu)}

• UW PD - Continuity of Operations Plan (COOP) _{(on uwpd.wisc.edu)}

---

Copyright and Intellectual Property

Copyright and Intellectual Property addresses both the protection of UW copyrights and intellectual property, and respecting the copyright and intellectual property of others.

Policies

• UW System _{(on wisconsin.edu)}

  • 1125 Advertising, Sponsorship, and Links on the Internet
  • 25-3 Acceptable Use of Information Technology Resources

Related Documents

• IT Policy-related

  • Copyright Infringement
  • Copyright policies and related documents
  • Non-UW-Madison Applications and Services Guidelines _{(main entry: Acquisition and Development)}

---

Data Management

Data Management addresses the data itself, rather than systems that collect, transmit, store, or process data.

Policies

• HIPAA _{(on compliance.wisc.edu)}

  • 8.11 HIPAA Security Data Management and Backup _{(main entry: Configuration and Maintenance)}

• IT Policy

  • Data Classification Policy
  • UDS Responsible Use Policy

• Data Policy _{(on data.wisc.edu)}

  • Institutional Data Policy
  • Data-Related Policies, Standards and Procedures

• UW System _{(on wisconsin.wisc.edu)}

  • 1031 Data Classification Policy and 1031A Data Classification Procedures

Related Documents

• IT Policy-related

  • Non-UW-Madison Applications and Services Guidelines _{(main entry: Acquisition and Development)}

• Data Policy-related _{(on data.wisc.edu)}

  • Classifications of Data
  • Data Stewards
  • Office of Data Management and Analytics Services Knowledge Base

---

Digital Accessibility

Digital Accessibility addresses access to electronic resources for people with disabilities.

Policies

• IT Policy

  • Web Accessibility Policy and Procedures

    • Web Accessibility Memorandum

Related Documents

• DoIT _{(on the Accessibility KB)}

  • Accessibility Guidelines
  • Accessibility Starting Points
  • Accessibility - for Users of Content Management Systems
    • Accessibility - for Users of Content Management Systems - Forms and Frames Supplement
  • Accessibility - for Web Developers
    • Accessibility - for Web Developers - Forms, Frames and Advanced Topics

---

Education, Training and Awareness

Education, Training and Awareness addresses IT-related information that faculty, staff, and students should understand in order to properly act within their role at UW. The cybersecurity-related policies in this portfolio are mapped to the NIST SP 800-53 control families.

Policies

• Accounting Services - Credit Card Merchant Services and PCI Compliance (training, disposal) _{(on bussvc.wisc.edu)}

• HIPAA _{(on compliance.wisc.edu)}

  • 8.7 Destruction/Disposal of PHI
  • 9.1 HIPAA Privacy and Security Training
  • 9.2 Responding to Employee Noncompliance related to HIPAA
  • 9.3 Responding to Student Noncompliance related to HIPAA

• IT Policy

  • Electronic Devices Policy _{(main entry: Configuration and Maintenance)}
  • Disposal and Reuse Policy and Procedures _{(main entry: Configuration and Maintenance)}
  • Security Education, Training, and Awareness Implementation Plan (SETA) (under development)
  • Password Standard _{(main entry: Identity and Access Management)}

UW System _{(on wisconsin.edu)}

• 1032 Information Security: Awareness Policy
• 25-3 Acceptable Use of Information Technology Resources

Related Documents

• IT Policy-related

  • Copyright Infringement _{(main entry: Copyright and Intellectual Property)}
  • IT Compliance Agreement

---

Electronic Records Management

Electronic Records Management addresses how electronic versions of public records are managed in compliance with relevant state and federal laws.

Policies

• UW System - 3-2 Public Records Management _{(on wisconsin.edu)}

Related Documents

• IT Policy-related - Non-UW-Madison Applications and Services Guidelines _{(main entry: Acquisition and Development)}

• Records Management _{(on library.wisc.edu)}

  • Electronic Business Communication and University Records (PDF)
  • Records Management Policy and Guidelines

• Office of Compliance - Public Records _{(on compliance.wisc.edu)}

---

Identity and Access Management

Identity and Access Management (IAM) addresses online and physical access to assets and data, specifically how a person or resource is identified, the resoures that can be accessed, and what can be done with that access. The cybersecurity-related policies in this portfolio are mapped to the NIST SP 800-53 control families.

Policies

• Accounting Services - Credit Card Merchant Services and PCI Compliance (access control provisions) _{(on bussvc.wisc.edu)}

• Faculty Senate - Access to Faculty and Staff Electronic Files Policy _{(main entry: Privacy)}

• HIPAA _{(on compliance.wisc.edu)}

  • 3.8 Minimum Necessary Standard
  • 8.9 HIPAA Security System Access
  • 8.10 HIPAA Security Remote Access
  • 8.12 HIPAA Security Facilities Access

• IT Policy

  • Access Control Services Policy and Standard
  • IT Credentials Policy (planned) _{(on IT Policy Wiki)}
  • Guest NetID Policy
  • NetID Eligibility Policy
  • Password Policy and Standard

• UW System _{(on wisconsin.edu)}

  • 1030 Authentication Policy
  • 1030A Authenticaion Procedures
  • 25-3 Acceptable Use of Information Technology Resources (credentials and access provisions)

Related Documents

• IT Policy-related

  • IT Compliance Agreement (NetID Terms of Use)
  • NetID Appropriate Use Standards
  • Non-UW-Madison Applications and Services Guidelines _{(main entry: Acquisition and Development)}

• Records Management - Electonic Communications Guidance (PDF) _{(on library.wisc.edu)}

---

Monitoring and Mitigation

Monitoring and Mitigation addresses how IT assets and resources are monitored for vulnerablities or unauthorized access, and how corrective action is taken. The cybersecurity-related policies in this portfolio are mapped to the NIST SP 800-53 control families.

Policies

• Accounting Services - Credit Card Merchant Services and PCI Compliance (reconciliation, vulnerability scanning, transaction walk-thru's) _{(on bussvc.wisc.edu)}

• DoIT - Incident Reporting and Response Policy _{(please contact itpolicy@cio.wisc.edu)}

• HIPAA _{(on compliance.wisc.edu)}

  • 8.3 HIPAA Security Auditing Policy
  • 8.8 Notification and Reporting Policy

• IT Policy

  • Incident Reporting and Response Policy and Procedures and Template
  • Network Firewall Policy and Implementation Plan
  • Restricted Data Security Management Policy and Procedures
  • Vulnerability Scanning Policy

• UW System _{(on wisconin.edu)}

  • 1033 Information Security: Incident Response
  • 25-3 Acceptable Use of Information Technology Resources (privacy and security provisions)

Related Documents

• IT Policy-related

  • Computer Logging Statement
  • Continuous Diagnostics and Mitigation Implementation Plan (under development)

---

Networking and Telecommunications

Networking and Telecommunications addresses policies related to connecting to, using, and managing the UW-Madison network and telecommunications resources.

Policies

• IT Policy

  • Electronic Devices Policy _{(main entry: Configuration and Maintenance)}
  • Guest NetID Policy _{(main entry: Identity and Access Management)}
  • IP version 4 Allocation Policy
  • Network Firewall Policy and Implementation Plan _{(main entry: Monitoring and Mitigation)}
  • Vulnerability Scanning Policy _{(main entry: Monitoring and Mitigation)}

• UW-System _{(on wisconsin.edu)}

  • 25-3 Acceptable Use of Information Technology Resources

Related Documents

• DoIT - Voice Services and Unified Communications Policy

• IT Policy-related

  • Cloud Services
  • Computer Logging Statement _{(main entry: Monitoring and Mitigation)}
  • Copyright Infringement _{(main entry: Copyright and Intellectual Property)}
  • Mobile Devices
  • Personally-owned Devices

---

Policy Program

The Policy Program addresses development, publication, and revision of policies and related-documents.

Policies

• IT Policy

  • IT Policy Principles and Procedures

• UW-Madison Policy

  • UW-Madison Policies (all types) _{(on wisc.edu)}

• UW System Policy

  • UW System Policies (all types) _{(on wisconsin.edu)}

Related Documents

• IT Policy-related

  • Cybersecurity Portfolios
  • Finding IT Policies (under development) _{(on it.wisc.edu)}
  • IT Policy Development _{(on IT Policy Wiki)}
  • IT Policy Executive Summary _{(on IT Policy Wiki)}
  • IT Policy Forums _{(on IT Policy Wiki)}
  • IT Policy Glossary
  • List of IT Polices and Related Documents _{(on it.wisc.edu)}
  • Policy Planning and Analysis Team (PAT) _{(on IT Policy Wiki)}
  • Policy Portfolios (all policies and documents related to IT Policy)
  • Published IT Policies and Related Documents

• IT Governance

  • IT Governance _{(on it.wisc.edu)}
  • Information Technology Committee _{(ITC) (on it.wisc.edu)}
  • ITC Vision for Campus IT - 2018 through 2023

• Other Documents

  • Where to find policies

---

Privacy

Privacy addresses the protection of privacy in an IT environment. The cybersecurity-related policies in this portfolio are mapped to the NIST SP 800-53 control families.

Policies

• Faculty Senate - Access to Faculty and Staff Electronic Files Policy

• HIPAA _{(on compliance.wisc.edu)}

  • 2.1 Notice of Privacy Practices (NPP)
  • 3.2 Uses and Disclosures of Protected Health Information That Require Patient Authorization
  • 3.3 Uses and Disclosures of PHI Not Requiring Patient Authorization
  • 3.4 Uses and Disclosures of PHI That Require Providing Patient with an Opportunity to Agree or Object
  • 3.5 Uses and Disclosures of Protected Health Information for Education and Training
  • 3.6 Uses and Disclosures of Protected Health Information for Marketing
  • 3.7 Uses and Disclosures of Protected Health Information for Fundraising
  • 3.8 Minimum Necessary Standard
  • 3.9 Verifying Identity and Authority of Persons Seeking Disclosure of a Patient's PHI
  • 3.10 Designated Record Set
  • 3.11 Sale of Protected Health Information Generally Prohibited
  • 5.1 De-identification of Protected Health Information Under the HIPAA Privacy Rule
  • 5.2 Creation of a Limited Data Set Under the HIPAA Privacy Rule
  • 7.1 Requests by Patients for an Accounting of Certain Disclosures
  • 7.2 Requests by Patients to Amend Protected Health Information
  • 7.3 Requests by Patients for Alternative Confidential Communications
  • 7.4 Requests by Patients for Access to Inspect and Obtain a Copy of Protected Health Information
  • 7.5 Requests by Patients for Restrictions on Uses and Disclosures of Protected Health Information
  • 8.5 Security of Faxed, Printed, and Copied Documents Containing Protected Health Information
  • 8.6 Email Communication Involving Protected Health Information
  • 10.1 Complaints Under the HIPAA Privacy Rule

• IT Policy - Collection of Personal Identity Information via Email

• UW-Madison IT Professionals - Guidelines, Best Practices, and Advice _{(on it.wisc.edu)}

• UW System - 25-3 Acceptable Use of Information Technology Resources (privacy and security provisions) _{(on wisconsin.edu)}

Related Documents

• IT Policy-related

  • FERPA Description
  • HIPAA Descrption
  • Non-UW-Madison Applications and Services Guidelines _{(main entry: Acquisition and Development)}

---

Resource Management

Resource Management addresses how UW-Madison manages IT resources.

Policies

• IT Policy

  • Access Control Services Policy and Standard (main entry: Identity and Access Management)
  • IP version 4 Allocation Policy (main entry: Networking and Telecommunications)
  • NetID Eligibility Policy (main entry: Identity and Access Management)

• UW System _{(on wisconsin.edu)}

  • 25-4 Strategic Planning and Large or High Risk Projects

Related Documents

• IT Governace (on it.wisc.edu)

  • IT Services Catalog
  • Project Intake and Prioritization

• IT Policy-related

  • Non-UW-Madison Applications and Services Guidelines (main entry: Acquisition and Development)
  • Cloud Services
  • Personally-owned Devices

---

Risk Management

Risk Management addresses how the protection of IT assets and resources will be balanced with the likelihood and impact of malicious activity and the ability of UW and its affiliates to carry out their missions. The cybersecurity-related policies in this portfolio are mapped to the NIST SP 800-53 control families.

Policies

• Accounting Services - Credit Card Merchant Services and PCI Compliance (annual validation, approvals, roles, responsibilities, sanctions) _{(on bussvc.wisc.edu)}

• HIPAA _{(on compliance.wisc.edu)}

  • 1.1 Designation of the UW-Madison Health Care Component (UW HCC)
  • 1.2 Designation of the University of Wisconsin Affiliated Covered Entity (UW ACE)
  • 6.1 Managing Arrangements with Business Associates of the University of Wisconsin-Madison
  • 6.2 Managing Business Associate Arrangements When the University of Wisconsin-Madison is the BA
  • 6.3 Use of and Safeguards for PHI by UW-Madison Internal Business Support Personnel
  • 8.1 HIPAA Security Risk Management
  • 8.2 HIPAA Security Oversight
  • 10.2 Designation of Unit Privacy and Security Coordinators

• IT Policy

  • Cybersecurity Risk Management Policy and Implementation Plan
  • Data Classification Policy _{(main entry: Data)}
  • Restricted Data Security Management Policy and Procedures _{(main entry: Monitoring and Mitigation)}

• UW System _{(on wisconsin.edu)}

  • 1031 Data Classification Policy and 1031A Data Classification Procedures _{(main entry: Data)}
  • 25-3 Acceptable Use of Information Technology Resources (privacy and security provisions)
  • 25.4 Strategic Planning for Large or High Risk Projects
  • 25-5 Information Technology: Information Security

Related Documents

• IT Policy-related

  • FERPA Description
  • HIPAA Descrption
  • Non-UW-Madison Applications and Services Guidelines _{(main entry: Acquisition and Development)}

---

Contact

Please address questions or comments to itpolicy@cio.wisc.edu.

References