UW-Madison - IT - Cybersecurity Risk Management Memorandum

Applies to all information systems of any kind that store or process data used to accomplish University research, teaching and learning, or administration.

The Policy requires application of the currently approved Implementation Plan to all covered systems.



April 11, 2018

To Campus Leadership:

I am writing to let you know the UW-Madison Information Technology Policy for Cybersecurity Risk Management is being implemented.

This policy and the accompanying Implementation Plan were approved by the Information Technology Committee on March 16, 2018 and forwarded to the University Committee. It was presented to the Faculty Senate on April 3rd, 2018 for information.

The policy shows the principles the Office of Cybersecurity will use to manage risk and to ensure that the likelihood and impact of threats and vulnerabilities are minimized to the extent practical. The focus of this policy is the protection of University data and the associated information systems. UW-Madison’s success in this effort requires continual coordination and feedback. The Chief Information Security Officer and the Governance, Risk Management and Compliance team are posting relevant process guides, templates and reference materials at https://it.wisc.edu/about/cybersecurity/ and will be making announcements as the materials are made available and updated.

The Implementation Plan of this policy describes the process for managing the cybersecurity risk associated with all information systems of any kind that store or process data used to accomplish University research, teaching and learning, or administration. Data not owned by the University may fall within the scope of this policy if the data is stored or processed using University assets.

The CISO will be contacting Risk Executives to arrange group or one-on-one training on the responsibilities of the new role. The Office of Cybersecurity will be holding group sessions to assist the information system owners and developers with navigating the process and templates.

Questions on this policy and the implementation plan can be directed to the Policy Analysis Team which reports to the Information Technology Committee. Inquiries may be sent by e-mail to itpolicy@cio.wisc.edu. Additional assistance is also available from the Office of Cybersecurity by e-mailing grc-cybersecurity@cio.wisc.edu.

Michael Lehman

Interim Chief Information Officer