Policy
On December 15, 2023, President Rothman approved an new policy to replace this current policy. The updated policy will become effective on December 1, 2024. Please review the newly approved policy SYS 1030 ,Information Security: Identity and Access Management and the corresponding procedure, SYS 1030.A, Information Security: Identity and Access Management Standard to prepare prior to the effective date.
Original Issuance Date: September 14, 2016
Last Revision Date: March 11, 2021
1. Policy Purpose
The purpose of this policy is to establish specific minimum standards for authentication across the University of Wisconsin System. This policy is designed to ensure that the UW System manages authentication in a consistent manner and to appropriately safeguard account-based access to information assets.
2. Responsible UW System Officer
Associate Vice President (AVP) for Information Security
3. Scope
This policy applies to all authentication administered throughout the UW System, whether centrally managed, managed in a distributed fashion, or departmentally managed. This policy applies to all individuals and entities who intend to access the UW System’s information systems and data. To the extent possible, the elements of Section 6. Policy Statement of this policy should be incorporated into contracts with third party providers.
4. Background
The President of the University of Wisconsin System is empowered to establish information security polices under Regent Policy Document 25-5, Information Technology: Information Security. The UW System is committed to a secure information technology (IT) environment in support of its mission. This policy is designed to help ensure strong and consistent authentication standards throughout the computing environments of the UW System.
5. Definitions
Please see SYS 1000, Information Security: General Terms and Definitions, for a list of general terms and definitions. Terms and definitions found within this policy include:
- Authentication
- Multi-Factor Authentication (MFA)
- Low Risk
- Moderate Risk
- High Risk
6. Policy Statement
Authentication methods for moderate and high risk data shall meet the standards outlined in UW System Administrative Procedure 1030.A, Information Security: Authentication Procedure .
Access to view low risk data does not require authentication. However, access to modify low risk data shall use authentication methods that meet the requirements for accessing moderate risk data.
7. Related Documents
Regent Policy Document 25-5, Information Technology: Information Security
UW System Administrative Procedure 1030.A, Information Security: Authentication Procedure
UW System Administrative Policy 1031, Information Security: Data Classification and Protection
UW System Information Security Program
8. Policy History
Revision 5: March 11, 2021
Revision 4: November 13, 2020
Revision 3: September 17, 2019
Revision 2: January 9, 2019
Revision 1: July 31, 2017
First approved: September 14, 2016
9. Scheduled Review
March 2022