Applies to all Schools, Colleges, Divisions, Centers and other units of UW-Madison, including any associated contractors or other entities or persons.
The Restricted Data Security Management policy will initially apply only to UW-Madison Social Security Numbers (SSNs) during the period from January 1, 2015 through December 31, 2020. The initial period may be extended.
"Restricted Data" (defined at Data Classifications) includes at least six different kinds of data, one of which is the Social Security Number (SSN). “UW-Madison Restricted Data” is Restricted Data for which the institution has an ownership, stewardship or custodial interest. It does not include data that is unrelated to UW-Madison business.
Employees, contractors and associates of each unit are responsible for making computing devices and services that they own, operate, or possess available for inspection if that device or service is used for UW-Madison business.
Some UW-Madison Restricted Data is stored on personally-owned devices or privately-contracted services that are being used for UW-Madison business. UW-Madison is obligated to assure that UW-Madison Restricted Data is appropriately protected, regardless of the ownership or location of the device or service.
The university respects the privacy of individuals and non-university entities. As an alternative to inspection, employees, contractors and associates may provide satisfactory assurances that either:
the device or service is, or soon will be, protected as described by the mandatory portions of the applicable data security standard.
The threshold for “significant use” is specified in the associated implementation procedures.
Management for each unit determines what assurances are satisfactory, consistent with the guidelines provided in the associated implementation procedures, subject to review by higher management in consultation with the Office of Cybersecurity.
The long-term purpose of the Restricted Data Security Management policy is to locate and secure UW-Madison Restricted Data.
In order to identify and manage the highest-risk data as quickly as practical, the policy will initially apply only to UW-Madison SSNs.
Unauthorized access to Restricted Data can have significant detrimental effects on individuals or the institution. Restricted Data can be used for fraud and identity theft. Cyber criminals regularly attack computers and networks in higher education institutions. There have been sizeable information security breaches at institutions that resulted in financial impacts of many hundreds of thousands of dollars. Those amounts do not account for the loss of reputation and trust that can have a serious ongoing impact on both instruction and research.
The university is obligated to protect UW-Madison Restricted Data and to report possible incidents. Protection of Restricted Data is governed by a number of different laws and standards, including, for example, the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI-DSS), and the Wisconsin Data Breach Notification Law.
In order to protect Restricted Data the institution must have up-to-date information about where it is stored. There is a significant reduction in risk if the presence of Restricted Data is reduced to the extent practical. In addition to finding and reporting the presence of the data, the annual discovery and reporting process is a convenient time to consider how the presence of the data can be reduced.
The university’s obligation to protect UW-Madison Restricted Data does not depend upon the location or ownership of the computing device or service that is used to store, transmit or process it. For this reason, the policy and procedures address both UW-Madison-owned and non-UW-Madison-owned computing devices and services that are used for UW-Madison business.
The university respects the privacy of employees, contractors, and associates. The university is obligated to appropriately manage all UW-Madison data no matter how it is stored, transmitted, or processed. The policy and associated implementation procedures include provisions that protect privacy while at the same time enabling the institution to fulfill its obligations.
Issued by the UW-Madison Vice Provost for Information Technology.
Failure to comply may result in appropriate action to enforce compliance, and/or denial of access to UW-Madison Restricted Data or other UW-Madison information resources. In addition:
Please address questions or comments to itpolicy@cio.wisc.edu.
The "IT Policy Glossary" defines a number of terms used in this policy.
There are numerous other policies that govern the protection of UW-Madison Restricted Data. These may vary according to the specific type of Restricted Data, or how that data is collected or used.
The DoIT Knowledge Base (KB) has a document on Getting Started with Identity Finder (now known as Spirion), which includes training and links to other KB articles. There is also an Identity Finder (Spirion) FAQ and a list of all related articles.
12/26/2019