Topics Map > UW-Madison > IT > Policy Program
UW-Madison - Policy Portfolio List
Table of Contents
These fifteen portfolios cover policies and policy-related documents that govern information technology and closely related subjects. Documents identified as "IT Policy" are developed and mantained by the Office of the CIO and are approved by the Information Technology Committee. Relevant documents from other UW-Madison Schools, Colleges and Divisions and from UW System are included in each portfolio. The Policy Planning and Analysis Team and the Office of the CIO cooperate with others to help ensure consistency.
See also: Cybersecurity Portfolios (consists of eight of the portfolios listed above that are primarily cybersecurity)
Acquisition and Development
Acquisition and Development addresses the selection, acquiring or development of any IT asset, including hardware, software, data, and IT services. The cybersecurity-related policies in this portfolio are mapped to the NIST SP 800-53 control families.
Policies
Accounting Services - Credit Card Merchant Services and PCI Compliance (device acquisition, merchant accounts, third-party vendors) (on bussvc.wisc.edu)
DoIT - Standards for Managing Test and Service Accounts (please contact itpolicy@cio.wisc.edu)
Purchasing Services - Purchasing Policies & Procedures (on bussvc.wisc.edu)
UW System (on wisconsin.edu)
Related Documents
IT Policy-related
IT Governance (on it.wisc.edu)
- Project Intake and Prioritization (main entry: Resource Management)
- Service Catalog (main entry: Resource Management)
Configuration and Maintenance
Configuration and Maintenance addresses how IT devices and software are managed and maintained to ensure correct and secure operation. The cybersecurity-related policies in this portfolio are mapped to the NIST SP 800-53 control families.
Policies
Accounting Services - Credit Card Merchant Services and PCI Compliance (device configuration and maintenance) (on bussvc.wisc.edu)
HIPAA (on compliance.wisc.edu)
- 8.11 HIPAA Security Data Management and Backup
- 8.13 HIPAA Security System Configuration and Use
IT Policy
Related Documents
- None
Contingency Planning
Contigency Planning addresses what is to be done to account for a possible situation or event, particularly ones that involve IT, that may be harmful or disruptive to operations. The cybersecurity-related policies in this portfolio are mapped to the NIST SP 800-53 control families.
Policies
Accounting Services - Credit Card Merchant Services and PCI Compliance (contingency planning) (on bussvc.wisc.edu)
HIPAA (on compliance.wisc.edu)
- 8.4 HIPAA Security Contingency Planning
- 8.11 HIPAA Security Data Management and Backup (backup provisions)
Related Documents
DoIT - Disaster Recovery Plan (please contact itpolicy@cio.wisc.edu)
UW PD - Continuity of Operations Plan (COOP) (on uwpd.wisc.edu)
Copyright and Intellectual Property
Copyright and Intellectual Property addresses both the protection of UW copyrights and intellectual property, and respecting the copyright and intellectual property of others.
Policies
UW System (on wisconsin.edu)
Related Documents
IT Policy-related
- Copyright Infringement
- Copyright policies and related documents
- Non-UW-Madison Applications and Services Guidelines (main entry: Acquisition and Development)
Data Management
Data Management addresses the data itself, rather than systems that collect, transmit, store, or process data.
Policies
HIPAA (on compliance.wisc.edu)
- 8.11 HIPAA Security Data Management and Backup (main entry: Configuration and Maintenance)
IT Policy
Data Policy (on data.wisc.edu)
UW System (on wisconsin.wisc.edu)
Related Documents
IT Policy-related
- Non-UW-Madison Applications and Services Guidelines (main entry: Acquisition and Development)
Data Policy-related (on data.wisc.edu)
Digital Accessibility
Digital Accessibility addresses access to electronic resources for people with disabilities.
Policies
IT Policy
Related Documents
DoIT (on the Accessibility KB)
Education, Training and Awareness
Education, Training and Awareness addresses IT-related information that faculty, staff, and students should understand in order to properly act within their role at UW. The cybersecurity-related policies in this portfolio are mapped to the NIST SP 800-53 control families.
Policies
- Accounting Services - Credit Card Merchant Services and PCI Compliance (training, disposal) (on bussvc.wisc.edu)
HIPAA (on compliance.wisc.edu)
- 8.7 Destruction/Disposal of PHI
- 9.1 HIPAA Privacy and Security Training
- 9.2 Responding to Employee Noncompliance related to HIPAA
- 9.3 Responding to Student Noncompliance related to HIPAA
IT Policy
- Endpoint Management and Security Policy (main entry: Configuration and Maintenance)
- Disposal and Reuse Policy and Procedures (main entry: Configuration and Maintenance)
- Security Education, Training, and Awareness Implementation Plan (SETA) (under development)
- Password Standard (main entry: Identity and Access Management)
UW System (on wisconsin.edu)
Related Documents
IT Policy-related
- Copyright Infringement (main entry: Copyright and Intellectual Property)
- IT Compliance Agreement
Electronic Records Management
Electronic Records Management addresses how electronic versions of public records are managed in compliance with relevant state and federal laws.
Policies
UW System - 3-2 Public Records Management (on wisconsin.edu)
Related Documents
IT Policy-related - Non-UW-Madison Applications and Services Guidelines (main entry: Acquisition and Development)
Records Management (on library.wisc.edu)
Office of Compliance - Public Records (on compliance.wisc.edu)
Identity and Access Management
Identity and Access Management (IAM) addresses online and physical access to assets and data, specifically how a person or resource is identified, the resoures that can be accessed, and what can be done with that access. The cybersecurity-related policies in this portfolio are mapped to the NIST SP 800-53 control families.
Policies
Accounting Services - Credit Card Merchant Services and PCI Compliance (access control provisions) (on bussvc.wisc.edu)
Faculty Senate - Access to Faculty and Staff Electronic Files Policy (main entry: Privacy)
HIPAA (on compliance.wisc.edu)
- 3.8 Minimum Necessary Standard
- 8.9 HIPAA Security System Access
- 8.10 HIPAA Security Remote Access
- 8.12 HIPAA Security Facilities Access
IT Policy
- Access Control Services Policy and Standard
- IT Credentials Policy (planned) (on IT Policy Wiki)
- Guest NetID Policy
- NetID Eligibility Policy
- Password Policy and Standard
UW System (on wisconsin.edu)
- 1030 Authentication Policy
- 1030A Authenticaion Procedures
- 25-3 Acceptable Use of Information Technology Resources (credentials and access provisions)
Related Documents
IT Policy-related
- IT Compliance Agreement (NetID Terms of Use)
- NetID Appropriate Use Standards
- Non-UW-Madison Applications and Services Guidelines (main entry: Acquisition and Development)
Records Management - Electonic Communications Guidance (PDF) (on library.wisc.edu)
Monitoring and Mitigation
Monitoring and Mitigation addresses how IT assets and resources are monitored for vulnerablities or unauthorized access, and how corrective action is taken. The cybersecurity-related policies in this portfolio are mapped to the NIST SP 800-53 control families.
Policies
Accounting Services - Credit Card Merchant Services and PCI Compliance (reconciliation, vulnerability scanning, transaction walk-thru's) (on bussvc.wisc.edu)
DoIT - Incident Reporting and Response Policy (please contact itpolicy@cio.wisc.edu)
HIPAA (on compliance.wisc.edu)
- 8.3 HIPAA Security Auditing Policy
- 8.8 Notification and Reporting Policy
IT Policy
UW System (on wisconin.edu)
- 1033 Information Security: Incident Response
- 25-3 Acceptable Use of Information Technology Resources (privacy and security provisions)
Related Documents
IT Policy-related
- Computer Logging Statement
- Continuous Diagnostics and Mitigation Implementation Plan (under development)
Networking and Telecommunications
Networking and Telecommunications addresses policies related to connecting to, using, and managing the UW-Madison network and telecommunications resources.
Policies
IT Policy
- Endpoint Management and Security Policy (main entry: Configuration and Maintenance)
- Guest NetID Policy (main entry: Identity and Access Management)
- IP version 4 Allocation Policy
- Network Firewall Policy and Implementation Plan (main entry: Monitoring and Mitigation)
- Vulnerability Scanning Policy (main entry: Monitoring and Mitigation)
UW-System (on wisconsin.edu)
Related Documents
- DoIT - Voice Services and Unified Communications Policy
IT Policy-related
- Cloud Services
- Computer Logging Statement (main entry: Monitoring and Mitigation)
- Copyright Infringement (main entry: Copyright and Intellectual Property)
- Mobile Devices
- Personally-owned Devices
Policy Program
The Policy Program addresses development, publication, and revision of policies and related-documents.
Policies
IT Policy
UW-Madison Policy
- UW-Madison Policies (all types) (on wisc.edu)
UW System Policy
- UW System Policies (all types) (on wisconsin.edu)
Related Documents
IT Policy-related
- Cybersecurity Portfolios
- Finding IT Policies (under development) (on it.wisc.edu)
- IT Policy Development (on IT Policy Wiki)
- IT Policy Executive Summary (on IT Policy Wiki)
- IT Policy Forums (on IT Policy Wiki)
- IT Policy Glossary
- List of IT Polices and Related Documents (on it.wisc.edu)
- Policy Planning and Analysis Team (PAT) (on IT Policy Wiki)
- Policy Portfolios (all policies and documents related to IT Policy)
- Published IT Policies and Related Documents
IT Governance
- IT Governance (on it.wisc.edu)
- Information Technology Committee (ITC) (on it.wisc.edu)
- ITC Vision for Campus IT - 2018 through 2023
Other Documents
Privacy
Privacy addresses the protection of privacy in an IT environment. The cybersecurity-related policies in this portfolio are mapped to the NIST SP 800-53 control families.
Policies
Faculty Senate - Access to Faculty and Staff Electronic Files Policy
HIPAA (on compliance.wisc.edu)
- 2.1 Notice of Privacy Practices (NPP)
- 3.2 Uses and Disclosures of Protected Health Information That Require Patient Authorization
- 3.3 Uses and Disclosures of PHI Not Requiring Patient Authorization
- 3.4 Uses and Disclosures of PHI That Require Providing Patient with an Opportunity to Agree or Object
- 3.5 Uses and Disclosures of Protected Health Information for Education and Training
- 3.6 Uses and Disclosures of Protected Health Information for Marketing
- 3.7 Uses and Disclosures of Protected Health Information for Fundraising
- 3.8 Minimum Necessary Standard
- 3.9 Verifying Identity and Authority of Persons Seeking Disclosure of a Patient's PHI
- 3.10 Designated Record Set
- 3.11 Sale of Protected Health Information Generally Prohibited
- 5.1 De-identification of Protected Health Information Under the HIPAA Privacy Rule
- 5.2 Creation of a Limited Data Set Under the HIPAA Privacy Rule
- 7.1 Requests by Patients for an Accounting of Certain Disclosures
- 7.2 Requests by Patients to Amend Protected Health Information
- 7.3 Requests by Patients for Alternative Confidential Communications
- 7.4 Requests by Patients for Access to Inspect and Obtain a Copy of Protected Health Information
- 7.5 Requests by Patients for Restrictions on Uses and Disclosures of Protected Health Information
- 8.5 Security of Faxed, Printed, and Copied Documents Containing Protected Health Information
- 8.6 Email Communication Involving Protected Health Information
- 10.1 Complaints Under the HIPAA Privacy Rule
IT Policy - Collection of Personal Identity Information via Email
UW-Madison IT Professionals - Guidelines, Best Practices, and Advice (on it.wisc.edu)
UW System - 25-3 Acceptable Use of Information Technology Resources (privacy and security provisions) (on wisconsin.edu)
Related Documents
IT Policy-related
- FERPA Description
- HIPAA Descrption
- Non-UW-Madison Applications and Services Guidelines (main entry: Acquisition and Development)
Resource Management
Resource Management addresses how UW-Madison manages IT resources.
Policies
IT Policy
- Access Control Services Policy and Standard (main entry: Identity and Access Management)
- IP version 4 Allocation Policy (main entry: Networking and Telecommunications)
- NetID Eligibility Policy (main entry: Identity and Access Management)
UW System (on wisconsin.edu)
Related Documents
IT Governace (on it.wisc.edu)
IT Policy-related
- Non-UW-Madison Applications and Services Guidelines (main entry: Acquisition and Development)
- Cloud Services
- Personally-owned Devices
Risk Management
Risk Management addresses how the protection of IT assets and resources will be balanced with the likelihood and impact of malicious activity and the ability of UW and its affiliates to carry out their missions. The cybersecurity-related policies in this portfolio are mapped to the NIST SP 800-53 control families.
Policies
Accounting Services - Credit Card Merchant Services and PCI Compliance (annual validation, approvals, roles, responsibilities, sanctions) (on bussvc.wisc.edu)
HIPAA (on compliance.wisc.edu)
- 1.1 Designation of the UW-Madison Health Care Component (UW HCC)
- 1.2 Designation of the University of Wisconsin Affiliated Covered Entity (UW ACE)
- 6.1 Managing Arrangements with Business Associates of the University of Wisconsin-Madison
- 6.2 Managing Business Associate Arrangements When the University of Wisconsin-Madison is the BA
- 6.3 Use of and Safeguards for PHI by UW-Madison Internal Business Support Personnel
- 8.1 HIPAA Security Risk Management
- 8.2 HIPAA Security Oversight
- 10.2 Designation of Unit Privacy and Security Coordinators
IT Policy
- Cybersecurity Risk Management Policy and Implementation Plan
- Data Classification Policy (main entry: Data)
- Restricted Data Security Management Policy and Procedures (main entry: Monitoring and Mitigation)
UW System (on wisconsin.edu)
- 1031 Data Classification Policy and 1031A Data Classification Procedures (main entry: Data)
- 25-3 Acceptable Use of Information Technology Resources (privacy and security provisions)
- 25.4 Strategic Planning for Large or High Risk Projects
- 25-5 Information Technology: Information Security
Related Documents
IT Policy-related
- FERPA Description
- HIPAA Descrption
- Non-UW-Madison Applications and Services Guidelines (main entry: Acquisition and Development)
Contact
Please address questions or comments to itpolicy@cio.wisc.edu.
References
- CIO IT Policies - https://kb.wisc.edu/itpolicy/cio-policies