General - UW-Madison Libraries, GLS Cybersecurity Policies
Starting in 2021, UW-Madison IT policies require stricter management and reporting of networked devices, software licenses, and datasets.
Two new UW-Madison IT security policies are expected to be approved and published by early summer 2021. See below for descriptions and drafts.
The policies will help to ensure that UW-Madison is in alignment with the UW System Information Security Program. They will impact library staff (especially IT staff) who will be accountable for policy compliance and/or tasked with implementation.
The Library Technology Group (LTG) will finalize any department-specific policies, standards, and procedures after the policies are published. For more information, contact firstname.lastname@example.org
IT Asset Reporting Policy
UW-Madison divisions and units will be required to inventory their IT assets and report their inventories to a central repository. IT assets generally include devices that can be used on wireless or wired networks as well as software licenses. They do not include non-networked items such as keyboards, mice, or standard monitors.
A high-level implementation plan will be submitted for approval with the policy. The plan currently includes four phases that will start immediately after the policy is approved. Each phase will last approximately six months, after which all IT assets will be included in the inventory.
- Phase 1: Finalize standards, procedures, and planning.
- Phases 2-4: Inventory assets according to priority, beginning with easy to collect assets and expensive/critical assets, and ending with assets that are difficult to access or which are relatively low cost.
The UW System standard for reporting IT assets can be seen at https://www.wisconsin.edu/uw-policies/uw-system-administrative-policies/information-security-it-asset-management/information-security-it-asset-mangement-standard/. A separate UW-Madison standard is being developed.
Endpoint Management and Security Policy
This policy will provide guidance for managing and protecting all devices, virtual and physical, that are connected to UW System managed networks and/or are used to access, manage, process, or store UW System data. Accountability will rest with (to be defined). Risk executive(s) will be responsible for reviewing risk associated with endpoint management and security.
The policy will require each device to be intentionally managed to protect the device, its functionality, access to the device, and data on the device. It will specify the creation of a campus standard, currently in development, to manage and secure devices based on a variety of use cases.