Cybersecurity is a collective responsibility that requires policy that applies to all components of UW–Madison. Threat, vulnerability, and the likelihood of exploitation are complex and unique to specific business processes and technologies. Cybersecurity risk is measurable depending on quantified or classified aspects of the data; characteristics of the information system; the definitions and characteristics of internal or external threat, system, or environmental vulnerabilities; and the likelihood that the event or situation may manifest itself within a given application, information system or architecture. External threats evolve rapidly and are persistent, depending on the intent and resources of the attacker, whether criminal or nation-state backed. Internal threats can be accidental or intentional.
The impact of using diverse but competing approaches in implementing security controls applied to information systems tends to elevate overall cybersecurity risk.(2) The management of cybersecurity risk will use a detailed Risk Management Framework to balance academic/business needs, the potential impact of adverse events, and the cost to reduce the likelihood and severity of those events.
The risk management process is established in policy so that the university community can share a common understanding that:
Applies to all information systems of any kind that store or process data used to accomplish university research, teaching and learning, or administration.
Cybersecurity risk will be managed to ensure that the likelihood and impact of threats and vulnerabilities are minimized to the extent practical. Guided by the principles below, the focus of this policy is the protection of university data and the associated information systems.
The process described in the implementation plan of this policy is the mandatory process for managing the cybersecurity risk associated with all information systems of any kind that store or process data used to accomplish university research, teaching and learning, or administration. Data not owned by the university may fall within the scope of this policy if the data is stored or processed using university assets.
The initial process and any future revisions of the process will be reviewed and approved by IT governance(1). Any IT governance group or the Office of Cybersecurity may initiate a revision by contacting the Policy Analysis Team who will engage IT governance.
The process will be phased in. Restricted data systems will be first, followed by sensitive, internal, and then public systems. The activity level to secure a system will be proportional to the data-driven categorization of the information system and the intended level of risk with the system in operation.
Research, teaching and learning, or administrative systems that have a short life span (less than one year) and present a low risk, or that temporarily present a moderate risk, may be granted a temporary exception by registering and describing the system through the Risk Management Framework package intake process, or its successor or designee. Each system will be evaluated on a case-by-case basis to determine the system risk category, the estimated duration of the risk, and if granted, the duration of the exception.
The Office of Cybersecurity will provide mandatory cybersecurity training for leaders, managers, system developers, and users. Training will be appropriate to the audience and will be phased in over time.
UW–Madison is a leading public institution of learning and higher education. As such, our mission is to create and disseminate knowledge and to learn the truth wherever it may be found. Fundamental to this mission is academic freedom, the “fearless sifting and winnowing” process emblazoned at the entrance to Bascom Hall by the class of 1910.
Recognizing that monitoring and analysis employed for network defense against cybersecurity threats can have a significant chilling effect on learning and academic freedom, the Office of Cybersecurity will operate under the following principles:
Failure to build and maintain information systems that adhere to the policy and principles, or significant deviation from the implementation plan, will likely increase the risk to university data and information systems. Significant architecture, development, or operating and process deviations that result in elevated risk or impact compliance may result in the following:
(2) From Framework for Improving Critical Infrastructure Cybersecurity, National Institute of Standards and Technology, February 2014.