February University Policy Distribution & SYS Policy Approvals

Friday, February 21, 2025

February University Policy Distribution

 

The February university policy distribution contains one (1) new policy.

New Policy

Click on the link above to view the draft and ensure that your feedback is captured for review during the post-comment period. Comments can include attachments, including word documents and PDFs.

Comments are due by 5:00pm on Friday, March 14. 

 

DRAFT NEW POLICY

SYS 641, Prohibition on Participation in Malign Foreign Talent Recruitment Programs

This policy will be effective upon signature by the president. 

Summary of Policy and Policy Revisions

  • This new policy is responsive to a requirement in the CHIPS and Science Act that individuals seeking federal grants report their participation in Foreign Talent Recruitment Programs and not participate in Malign Foreign Talent Recruitment Programs. Specific provisions include:
    • Covered individuals must comply with all sponsor policies and certifications regarding malign foreign talent recruitment programs, and provide true, complete, and accurate disclosures.
    • All employees must affirm in their Outside Activities Report that they do not participate in a malign foreign talent recruitment program and that they are aware of their obligations to report such participation to their research sponsor agency.

 

SYS Policy Approvals 

On February 11, President Rothman approved the substantive revisions to SYS 1037, Information Security: IT Disaster Recovery. On February 11, Vice President Gordon also approved the new procedure, SYS 1037.A, Information Security: IT Disaster Recovery Standard.

On February 12, President Rothman approved the substantive revisions to SYS 334, Accountability for Capital Equipment.

On February 17, President Rothman approved the substantive revisions to SYS 820, Segregated University Fees.

See below for a brief summary of these items.

 

SYS 1037, Information Security: IT Disaster Recovery

SYS 1037.A, Information Security: IT Disaster Recovery Standard

This revised policy and the new procedure will be effective on August 1, 2025.

Summary of Policy and Policy Revisions

  • This policy establishes the minimum requirements for Information Technology (IT) Disaster Recovery (DR) efforts for University of Wisconsin (UW) institutions and is designed to assist in executing recovery processes in response to a disaster or significant IT disruption. This policy covers all High Impact Systems and mission-critical IT operations under the direct control of UW institutions, but does not apply to software-as-a-service (SaaS) solutions that are managed or operated entirely by external vendors and are not under UW operational control. The following revisions were made to the policy:
    • Specific elements required for institutions to incorporate into their IT DR plans have been moved into the accompanying SYS 1037.A, Information Security: IT Disaster Recovery Plan Standard. These elements were further grouped and additional context provided to assist institutions in interpretation.
    • Added a requirement to review and update IT DR plans annually to reflect changes in technology and business requirements
    • Adjusted specific requirements related to frequency, validation, and testing of IT backups for High Impact Systems. This includes:
      • Requiring all High Impact Systems to be backed up in alignment with the institutional operational needs and Recovery Point Objectives, not to exceed 28 days
      • Verification of backups for High Impact Systems on a quarterly basis to ensure no data has been missed during the backup process
      • A recommendation to perform full recovery tests for each High Impact System on an annual basis to ensure backup and recovery processes work as intended
    • Added a requirement to document all backup and testing activities
    • Added a requirement to evaluate, upon activation of the IT DR plan, the effectiveness of the institution’s recovery efforts and update DR plans to address any gaps or weaknesses identified.
    • General enhancements to policy purpose and background to reflect the importance of IT DR efforts.
    • Updated formatting and layout of the policy.
  • The following resources were used to inform these revisions:
    • Interim campus and stakeholder feedback
    • Recommendations and observations resulting from a 2022 Internal Audit of Information Technology Disaster Recovery processes throughout UW System
    • 2021 IS Actions Memo, Disaster Recovery Effort (Now Rescinded)
    • NIST Cybersecurity Framework 2.0, specifically IT Disaster Recovery components spread across several areas of the framework, particularly under the “Recovery” function
    • NIST SP 800-171, which outlines specific requirements related to IT DR within the broader context of protecting data on non-federal systems

University Comments and Concerns

  • SYS 1037, Section 3 (Policy Scope): A recommendation was made to exclude, from the scope of this policy, Software as a Service solutions under the control of third parties.
    • This recommendation was accepted; we revised the scope to reflect the policy being limited to systems and operations under the direct control of UW institutions.
  •  SYS 1037, Section 6.A.I: Feedback was received that it may not be feasible to require all institutional Emergency Operation Plans, Incident Response Plans, or departmental Continuity of Operations Plans to be integrated or directly linked with the Disaster Recovery Plan. This was originally proposed to ensure a coordinated approach to recovery.
    • This recommendation was accepted; the requirement was changed from a ‘must’ to a ‘should’, where feasible.
  • SYS 1037.A, Section 4.A.II.1-2: A recommendation was made to clarify requirements around identifying DR member roles and responsibilities.
    • This recommendation was accepted; DR roles are to be identified, and a resource or reference maintained with up to date contact information of members filling these roles.
  • SYS 1037.A, Section 4.A.II.3 A recommendation was made to expand the examples of IT DR member responsibilities.
    • This change was partially accepted; ‘including but not limited to’ was added to the example list.
  • SYS 1037.A, Section 4.A.I.2 and 4.A.III.1: A recommendation was made to clarify the distinction between two sections.
    • This change was accepted; revisions were made to highlight the requirements for documenting broad coverage and scope of an IR plan and the specific identification of business critical items.
  • SYS 1037.A, Section 4.A.III.2: A recommendation was made to provide institutional flexibility to develop a recovery strategy that accounts for dependencies rather than a specific restoration order of priority.
    • This change was accepted and made as part of resolving the previous recommendation.

 

SYS 334, Accountability for Capital Equipment

Summary of Policy and Policy Revisions

  • This policy establishes systemwide parameters to maintain accountability for capital equipment. These include parameters for maintaining an inventory of capital equipment and performing financial reporting and indirect cost calculations, as well as provisions for property purchased either in whole or in part with federal funds.
  • The following revisions are being made to be in compliance with recent OMB changes:
    • Removed the reference to “capital lease” as GASB 87 eliminates that terminology.
    • In Section 5 within the definition of Capital equipment, language regarding useful life was revised to match the language used in the Annual Financial Report.
    • In Section 6.C, the basis for audit levels was updated.
    • $10,000 replaced with $20,000.

University Comments and Concerns

  • UW-Madison and UW-Milwaukee noted that revisions originally included in the distributed draft policy to change the threshold for capital equipment from $5,000 to $10,000 would conflict with UW-Madison’s currently negotiated F&A rate agreement. This agreement currently defines equipment as having a $5,000 threshold and will be in place until at least June 30, 2026.
    • In response to the feedback, the proposed changes to the threshold were removed from the draft policy and the proposed changes to Form A: Capital Equipment Useful Life/Depreciation Schedule were withdrawn. The threshold will be re-addressed after UW-Madison’s current agreement expires.

 

SYS 820, Segregated University Fees

Summary of Policy and Policy Revisions

  • This policy sets forth legal and policy principles applicable to the administration of segregated university fees.
    • Updated the formatting throughout the policy to follow the new policy formats, including adding Section 4 for Background and updating the numbering scheme throughout the policy.
    • Updated references to other policies, and the internal references to other sections within this policy.
    • Section 6.A.I.2.e.viii was added to allow segregated fees to be used for food and other operating costs for a campus-based student food pantry.
    • Section 6.A.I.6.b.iii was updated to remove language about debt service and operating contingencies, which are no longer defined in statute as part of a reserve policy.

University Comments and Concerns

  • There were no comments received from the institutions during the feedback period.