
Charter for Protection of Sensitive Information by Encryption (Final Draft)

Charter for
Protection of Sensitive Information by Encryption
Policy Stakeholders Team (IEncrypt PST)
7/9/08 version (as approved by the team and submitted to the CIO for review)

Type

Policy Stakeholders Team (PST), temporary

IT Policy Initiative

Protection of Sensitive Information by Encryption

https://wiki.doit.wisc.edu/confluence/display/POLICY/Protection+of+Sensitive+Information+%28Encryption%29


A policy requiring encryption of sensitive information on workstations, laptops and other portable devices and media would seek to prevent accidental disclosure of the information in the event the device is lost, stolen or hacked. Lost and stolen laptops, CDs and other portable media are a frequent cause of major information security breaches. Workstations might be included because they are at significantly greater risk of compromise compared to servers.

Compelling Need

Privacy and "Notification" laws
These laws require the university to protect personal data and to notify the affected persons when there is a compromise of certain information. The potential consequences to the institution are large.

Issuing Exec.

Chief Information Officer (CIO)

Endorsement

Chief Information Officer (CIO) or Information Technology Committee (ITC)

Advisory Group

Information incident response leadership team

Other Advisory Group(s)

Office of Campus Information Security (OCIS)

Sponsorship

Chief Information Officer (CIO)

Stakeholders

From 2/4 IT Policy Forum, with some additions:

  • data custodians
  • Archives and Records Management Services (ARMS)
  • IT staff
  • people whom the data is about
  • people who view/edit data
  • UW-Madison (institution)


Deliverables

Report desired outcomes and implementation considerations to the CIO.

Interim Report by
October 17 2008

For purposes of review and early implementation planning the team should report:

  • Why do we need to take action as an institution? Upside? Downside?
  • Goals to be accomplished. Rationale?
  • In general terms, what would a policy require (including notable exceptions)?
  • In general terms, what would be recommended but optional?
  • Significant features that the implementation should include or exclude that would enhance the likelihood of success.

Full Report by
January 16 2009

The full report should include the above (revised) and also address:

  • Communications. How to increase awareness? How to encourage compliance?

Review of Drafts

Advise and assist the CIO and Policy and Planning regarding:

  • Review of the early draft(s).
  • Vetting of the revised draft in the broader campus community.

Deferred issues

The PST should not address:

  • Technical details of encryption. How strong? What product?

Referred issues

Refer other issues to the CIO:

  • The team should note other significant issues that appear to be out-of-scope, and should forward these separately to the CIO so they may be addressed.


Process

The PST is working within the context of the UW-Madison IT Policy Process. The process is outlined in Appendix B of the process recommendations. The team's methods of deliberation and resulting recommendations should be consistent with the Key Success Factors of the process:

  • Campus buy-in
    Inclusive and transparent process with good communications.
  • Appropriate review and revision
    Initial review must be broad and thorough. There must be on-going review and revision.
  • Practical implementation
    Well communicated, cost-effective and enforceable. Can be accomplished with the resources available for the purpose.

Assumptions

Assumed outcome:

  • The general assumption is that the initiative will result in a campus-wide IT policy or policies along with supporting guidelines, procedures, standards and principles. The PST may, however, recommend otherwise.

Constraints

The recommendations of the PST must be consistent with:

  • State or federal laws with encryption requirements.
  • Applicable UW System or UW-Madison policies.
  • Public records rules.
  • UW Internal Audit recommendations.
  • PCI DSS standard.

Risks

Care should be taken to avoid:

  • Scope creep.
  • Too much time spent on deferred or referred issues.

Communications & collaboration

The team should coordinate its efforts and recommendations as practical with the following:

Amendment

This charter may be amended in consultation with the sponsors:

  • The team should initially review the charter and consult with the sponsors regarding any recommended changes.
  • The team may consult with the sponsors regarding later amendment of the deadlines, deliverables, team membership or other issues.

References

  • CIO website: http://www.cio.wisc.edu/
  • Desktop Encryption Project: http://www.cio.wisc.edu/security/initiatives/encryption.aspx
  • Information Incident Reporting: https://wiki.doit.wisc.edu/confluence/display/POLICY/Information+Incident+Reporting
  • IT Policy Plan: https://wiki.doit.wisc.edu/confluence/display/POLICY/IT+Policy+Plan
  • IT Policy Process: https://wiki.doit.wisc.edu/confluence/display/POLICY/IT+Policy+Process
  • IT Policy Wiki: https://wiki.doit.wisc.edu/confluence/display/POLICY/Home
  • ITC: http://itc.wisc.edu/
  • OCIS: http://www.cio.wisc.edu/security/
  • Protection of Sensitive Information by Encryption: https://wiki.doit.wisc.edu/confluence/display/POLICY/Protection+of+Sensitive+Information+by+Encryption

Team Membership

Member | Unit | Represents
Judy Caruso | CIO Office | CIO Office and Information Incident Reporting
Gary De Clute | CIO Office | Staff (role)
Rick Keir | OCIS | OCIS and Desktop Encryption Team
Rick Konopaki | Med School | HIPAA HCC
Nan Kunde | ARMS | ARMS (Archives and Records Management)
David Null | Archives | University Archives
Jim Leinweber | SLH | HIPAA HCC
Bonnie Sundal | OED | IT Staff

Contact
