Cybersecurity Risk Management

Layout for printing
Policy Number:
UW-503
Responsible Office:
Division of Information Technology (DoIT)

University Policy

Rationale/​Purpose:

Cybersecurity is a collective responsibility that requires policy that applies to all components of UW–Madison. Threat, vulnerability, and the likelihood of exploitation are complex and unique to specific business processes and technologies. Cybersecurity risk is measurable depending on quantified or classified aspects of the data; characteristics of the information system; the definitions and characteristics of internal or external threat, system, or environmental vulnerabilities; and the likelihood that the event or situation may manifest itself within a given application, information system or architecture. External threats evolve rapidly and are persistent based on the criminal intent or the resources of the attacker, whether they are criminal or nation-state backed. Internal threats can be accidental or intentional.

The impact of using diverse but competing approaches in implementing security controls applied to information systems tends to elevate overall cybersecurity risk.(2) The management of cybersecurity risk will use a detailed Risk Management Framework to balance academic/business needs, the potential impact of adverse events, and the cost to reduce the likelihood and severity of those events.

The risk management process is established in policy so that the university community can share a common understanding that:

  1. The university is determined to manage cybersecurity risk effectively. Not doing so is likely to have unacceptable consequences to individuals and increase costs to the institution.
  2. This is the university’s mandatory and universally applicable process for managing cybersecurity risk. The process can be tailored to specific technologies, processes, or services.
  3. The process must include policy and procedural controls to ensure that privacy and academic freedom are respected.
Scope:

Applies to all information systems of any kind that store or process data used to accomplish university research, teaching and learning, or administration.

Policy:

Policy

Cybersecurity risk will be managed to ensure that the likelihood and impact of threats and vulnerabilities are minimized to the extent practical. Guided by the principles below, the focus of this policy is the protection of university data and the associated information systems.

The process described in the implementation plan of this policy is the mandatory process for managing the cybersecurity risk associated with all information systems of any kind that store or process data used to accomplish university research, teaching and learning, or administration. Data not owned by the university may fall within the scope of this policy if the data is stored or processed using university assets.

The initial process and any future revisions of the process will be reviewed and approved by IT governance(1). Any IT governance group or the Office of Cybersecurity may initiate a revision by contacting the Policy Analysis Team who will engage IT governance.

The process will be phased in. Restricted data systems will be first, with sensitive and internal then public systems to follow. The activity level to secure a system will be proportional to the data-driven categorization of the information system and the intended level of risk with the system in operation.

  1. Rates for assessing risk or providing a central hosting service that meets many of the risk management requirements will be developed by the service provider, vetted within IT governance, with final determination by senior campus leadership.
  2. Determining funding for risk management activity and compliance matters is the responsibility of each school, college, or division through the use of approved sources.

Research, teaching and learning, or administrative systems that have a short life span (less than one year) and present a low risk, or that temporarily present a moderate risk, may be granted a temporary exception by registering and describing the system through the Risk Management Framework package intake process, or its successor or designee. Each system will be evaluated on a case-by-case basis to determine the system risk category, the estimated duration of the risk, and if granted, the duration of the exception.

The Office of Cybersecurity will provide mandatory cybersecurity training for leaders, managers, system developers, and users. Training will be appropriate to the audience and will be phased in over time.

Principles

UW–Madison is a leading public institution of learning and higher education. As such, our mission is to create and disseminate knowledge and to learn the truth wherever it may be found. Fundamental to this mission is academic freedom, the “fearless sifting and winnowing” process emblazoned at the entrance to Bascom Hall by the class of 1910.

Recognizing that monitoring and analysis employed for network defense against cybersecurity threats can have a significant chilling effect on learning and academic freedom, the Office of Cybersecurity will operate under the following principles:

  1. We respect academic freedom and personal privacy as we help protect the integrity and reputation of the university, and provide a secure and safe computing environment for teaching, research, and outreach.
  2. We understand the value of university information as a product of research, teaching, and learning, including the personal data of our faculty, staff, and students.
  3. We are committed to ensuring the appropriate security of all data, specifically ensuring that faculty, staff, and student data is not placed at undue risk of exposure.
  4. We are accountable to the university community for our deployment and use of network analysis and monitoring tools. Our activity preserves and strengthens the privacy and academic freedom of faculty, staff, students, and other members of our community.
  5. We ensure that risk analysis tools and active filtering methods are used only for the detection of malicious activity and are not used for examining any other content in the data stream.
  6. We evaluate the content of system and network traffic only to the extent necessary to detect known security threats or emerging indications of compromised systems. Specifically:
    1. Our tools and techniques are not used to monitor individual activity. Data generated or collected that may identify individual behavior will be retained no longer than is necessary to identify and evaluate malicious traffic.
    2. Data generated is used only to detect threats, vulnerabilities, and compromises. Any personal or private content captured during the testing and detection process is ignored, and is either not recorded at all, or is eliminated immediately in cases where temporary recording is technologically necessary.
    3. Data collected is accessible only by staff responsible for maintaining the security of computing systems, and only for the purpose of diagnosing and remediating security incidents. This data will not be released for any other purpose, except to comply with legal requests.
  7. We make decisions on network and cybersecurity defensive measures through a defined and shared process that implements the principles above. We will ensure that our process allows for temporary situations where immediate defensive action is needed and reviews those temporary measures to determine if they should become ongoing.
  8. We implement prevailing cybersecurity practices that reduce or eliminate the potential for impacting the availability, integrity, or confidentiality of data and information systems.
  9. The procedures that implement the Risk Management Framework are developed with collaboration in mind and will be revised collaboratively as conditions warrant.

Enforcement

Failure to build and maintain information systems that adhere to the policy and principles or which significantly deviate from the implementation plan will likely increase the risk to university data and information systems. Significant architecture, development, or operating and process deviations that result in elevated risk or impact compliance may result in the following:

  1. Computing services or devices may be denied access to university information resources.
  2. University employees may be subject to disciplinary action up to and including termination of employment.
  3. Contractors or associates may be subject to penalty under the governing agreement. Compliance may be a consideration affecting new or renewed agreements.

Footnotes:

(1) IT Governance is defined at https://it.wisc.edu/it-community/governance/.

(2) From Framework for Improving Critical Infrastructure Cybersecurity, National Institute for Standards and Technology, February 2014.

Related UW–Madison Documents, Web Pages, or Other Resources:

Policy Administration

Approval Authority:
Chief Information Officer & Vice Provost for Information Technology
Policy Manager:
Assistant Director, Cybersecurity Program and Business Services
Contact:
IT Policy Writer and Analyst -- Heather Johnston, itpolicy@cio.wisc.edu
Effective Date:
03-16-2018
Revised Dates:

03-16-2018

Reviewed Dates:

03/16/2018

Retrieved:
04-24-2024 08:03:21