
Charter for Protection of Sensitive Information by Encryption (Final Draft)

Charter for
Protection of Sensitive Information by Encryption
Policy Stakeholders Team (IEncrypt PST)
7/9/08 version (as approved by the team and submitted to the CIO for review)


Policy Stakeholders Team (PST), temporary

IT Policy Initiative

Protection of Sensitive Information by Encryption

A policy requiring encryption of sensitive information on workstations, laptops and other portable devices and media would seek to prevent accidental disclosure of the information in the event the device is lost, stolen or hacked. Lost and stolen laptops, CDs and other portable media are a frequent cause of major information security breaches. Workstations might be included because they are at significantly greater risk of compromise compared to servers.

Compelling Need

Privacy and "Notification" laws
These laws require the university to protect personal data and to notify the affected persons when there is a compromise of certain information. The potential consequences to the institution are large.

Issuing Exec.

Chief Information Officer (CIO)


Chief Information Officer (CIO) or Information Technology Committee (ITC)

Advisory Group

Information incident response leadership team

Other Advisory Group(s)

Office of Campus Information Security (OCIS)


Chief Information Officer (CIO)


From 2/4 IT Policy Forum, with some additions:

  • data custodians
  • Archives and Records Management Services (ARMS)
  • IT staff
  • people whom the data is about
  • people who view/edit data
  • UW-Madison (institution)




Report desired outcomes and implementation considerations to the CIO.

Interim Report by
October 17 2008

For purposes of review and early implementation planning the team should report:

  • Why do we need to take action as an institution? Upside? Downside?
  • Goals to be accomplished. Rationale?
  • In general terms, what would a policy require (including notable exceptions)?
  • In general terms, what would be recommended but optional?
  • Significant features that the implementation should include or exclude that would enhance the likelihood of success.

Full Report by
January 16 2009

The full report should include the above (revised) and also address:

  • Communications. How to increase awareness? How to encourage compliance?

Review of Drafts

Advise and assist the CIO and Policy and Planning regarding:

  • Review of the early draft(s).
  • Vetting of the revised draft in the broader campus community.

Deferred issues

The PST should not address:

  • Technical details of encryption. How strong? What product?

Referred issues

Refer other issues to the CIO:

  • The team should note other significant issues that appear to be out-of-scope, and should forward these separately to the CIO so they may be addressed.




The PST is working within the context of the UW-Madison IT Policy Process. The process is outlined in Appendix B of the process recommendations. The team's methods of deliberation and resulting recommendations should be consistent with the Key Success Factors of the process:

  • Campus buy-in
    Inclusive and transparent process with good communications.
  • Appropriate review and revision
    Initial review must be broad and thorough. There must be on-going review and revision.
  • Practical implementation
    Well communicated, cost-effective and enforceable. Can be accomplished with the resources available for the purpose.


Assumed outcome:

  • The general assumption is that the initiative will result in a campus-wide IT policy or policies along with supporting guidelines, procedures, standards and principles. The PST may, however, recommend otherwise.


The recommendations of the PST must be consistent with:

  • State or federal laws with encryption requirements.
  • Applicable UW System or UW-Madison policies.
  • Public records rules.
  • UW Internal Audit recommendations.
  • PCI DSS standard.


Care should be taken to avoid:

  • Scope creep.
  • Too much time spent on deferred or referred issues.

Communications & collaboration

The team should coordinate its efforts and recommendations as practical with the following:


This charter may be amended in consultation with the sponsors:

  • The team should initially review the charter and consult with the sponsors regarding any recommended changes.
  • The team may consult with the sponsors regarding later amendment of the deadlines, deliverables, team membership or other issues.


CIO website


Desktop Encryption Project


Information Incident Reporting


IT Policy Plan


IT Policy Process


IT Policy Wiki






Protection of Sensitive Information by Encryption

Team Membership



Judy Caruso

CIO Office

CIO Office and Information Incident Reporting

Gary De Clute

CIO Office

Staff (role)

Rick Keir


OCIS and Desktop Encryption Team

Rick Konopaki

Med School


Nan Kunde


ARMS (Archives and Records Management)

David Null


University Archives

Jim Leinweber



Bonnie Sundal


IT Staff

