New UW-Madison Cybersecurity Policies Coming in 2021

Two new UW-Madison IT policies are expected in the second quarter of 2021. The policies will require stricter management and reporting of networked devices, software licenses, and datasets.

Two new UW-Madison IT security policies are expected to be approved and published by early summer 2021. See below for descriptions and drafts.

The policies will help to ensure that UW-Madison is in alignment with the UW System Information Security Program. They will impact L&S departments, faculty, and staff (especially IT staff) who will be accountable for policy compliance and/or tasked with implementation. 

L&S departments will receive further guidance after the policies are published. For more information, contact Susan Weier. scweier@wisc.edu

IT Asset Reporting Policy

DRAFT IT Asset Inventory Reporting Policy (PDF)

UW-Madison divisions and units will be required to inventory their IT assets and report their inventories to a central repository. IT assets generally include devices that can be used on wireless or wired networks, software licenses, and datasets. They do not include non-networked items such as keyboards, mice, or standard monitors. 

A high-level implementation plan will be submitted for approval with the policy. The plan currently includes four phases that will start immediately after the policy is approved. Each phase will last approximately six months, after which all IT assets will be included in the inventory. 

The UW System standard for reporting IT assets can be seen at https://www.wisconsin.edu/uw-policies/uw-system-administrative-policies/information-security-it-asset-management/information-security-it-asset-mangement-standard/. A separate UW-Madison standard is being developed.

Endpoint Management and Security Policy

DRAFT Endpoint Management and Security Policy (PDF)

This policy will provide guidance for managing and protecting all devices, virtual and physical, that are connected to UW System managed networks and/or are used to access, manage, process, or store UW System data. Accountability will rest with divisions and departments/units. Risk executives (the L&S dean, in our case) will be responsible for reviewing risk associated with endpoint management and security. 

The policy will require each device to be intentionally managed to protect the device, its functionality, access to the device, and data on the device. It will specify the creation of a campus standard, currently in development, to manage and secure devices based on a variety of use cases.