The long-term purpose of this policy is to locate and secure UW–Madison restricted data. In order to identify and manage the highest risk data as quickly as practical, the policy will initially only apply to UW–Madison Social Security numbers (SSNs).
Unauthorized access to restricted data can have significant detrimental effects on individuals or the institution. Restricted data can be used for fraud and identity theft. Cybercriminals regularly attack computers and networks in higher education institutions. There have been sizeable information security breaches at institutions that resulted in financial impacts of many hundreds of thousands of dollars. Those amounts do not account for the loss of reputation and trust that can have a serious ongoing impact on both instruction and research.
The university is obligated to protect UW–Madison restricted data and to report possible incidents. Protection of restricted data is governed by a number of different laws and standards, including, for example, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Payment Card Industry Data Security Standard (PCI-DSS), and the Wisconsin Data Breach Notification Law.
To protect restricted data, the institution must have up-to-date information about where it is stored. There is a significant reduction in risk if the presence of restricted data is reduced to the extent practical. In addition to finding and reporting the presence of the data, the annual discovery and reporting process is a convenient time to consider how the presence of the data can be reduced.
The university’s obligation to protect UW–Madison restricted data does not depend upon the location or ownership of the computing device or service that is used to store, transmit or process it. For this reason, the policy and procedures address both UW–Madison-owned and non-UW–Madison-owned computing devices and services that are used for UW–Madison business.
The university respects the privacy of employees, contractors, and associates. The university is obligated to appropriately manage all UW–Madison data no matter how it is stored, transmitted, or processed. The policy and associated implementation procedures include provisions that protect privacy while at the same time enabling the institution to fulfill its obligations.
This policy applies to all schools, colleges, divisions, centers, and other units of UW–Madison, including any associated contractors or other entities or persons.
This policy applies to all computing devices and services that are used for UW–Madison business, regardless of who owns, operates, or possesses them, including both UW–Madison-owned and non-UW–Madison-owned devices and services. The associated implementation procedures provide guidance on how to address personally-owned devices and privately-contracted services in a manner that respects the privacy of individuals and non-university entities.
This policy applies to graduate and undergraduate student employees in the performance of their job duties. Students are otherwise exempt from this policy.
Exceptions are described in the associated implementation procedures.
This policy will initially only apply to UW–Madison Social Security numbers (SSNs) during the period from January 1, 2015, through December 31, 2020. The initial period may be extended.
“Restricted Data” (defined at Data Classifications) includes at least six different kinds of data, one of which is SSNs. “UW–Madison Restricted Data” is restricted data for which the institution has ownership, stewardship, or custodial interest. It does not include data that is unrelated to UW–Madison business.
Employees, contractors, and associates of each unit are responsible for making computing devices and services that they own, operate, or possess available for inspection if that device or service is used for UW–Madison business.
Some UW–Madison restricted data is stored on personally-owned devices or privately-contracted services that are being used for UW–Madison business. UW–Madison is obligated to ensure that its restricted data is appropriately protected, regardless of the ownership or location of the device or service.
The university respects the privacy of individuals and non-university entities. As an alternative to inspection, employees, contractors, and associates may provide satisfactory assurances that either:
The device or service is, or soon will be, protected as described by the mandatory portions of the applicable data security standard.
The threshold for “significant use” is specified in the associated implementation procedures.
Management for each unit determines what assurances are satisfactory, consistent with the guidelines provided in the associated implementation procedures, subject to review by higher management in consultation with the Office of Cybersecurity.
Failure to comply may result in appropriate action to enforce compliance, and/or denial of access to UW–Madison Restricted Data or other UW–Madison information resources. In addition: