
Storage, Transmission and Encryption of Sensitive Information (IEncrypt)

The policy for Storage and Encryption of Sensitive Information (IEncrypt) requires that sensitive information on workstations, laptops and other portable devices and media be the minimum amount necessary to support operational needs, and that sensitive information that is present on such devices be encrypted or protected by compensating controls. The policy is being revised, and will be renamed Storage, Transmission and Encryption of Sensitive Information. Additional Recommended Procedures are also under development. These changes were recommended by the team for Protection of Sensitive Information during Transmission (ITransmit). In addition, the Encryption Futures Task Force has made recommendations to improve the campus-sponsored solutions for both storage and transmission.

Policy effective Jun 1, 2009. Last revised Sep 24, 2010. See: http://www.cio.wisc.edu/policies/IEncryptPolicy.pdf.

For draft revisions see IEncrypt Policy Drafts.

The history of the policy and ongoing implementation activities are documented below.

 For earlier meetings see IEncrypt Meetings Archive

Documents


To comment on draft documents or any other aspect of IT policy, please add your comments at the bottom of the page in question. Comments are welcome on any document at any time. Formal review is a publicized period of time where comments are proactively invited.

 

Status

Current Questions

Current Process Step

Currently at IT policy process step 5. Endorsement.
Documents are reviewed and endorsed for issuance by the appropriate executive.

 also

Currently at IT policy process step 8. Revision.

The community provides feedback to the CIO's office to guide periodic review.

History


(tick) Milestones
(info) Items of particular interest

Date

Activity:

10/11/13 Final version of Encryption Futures Task Force recommendations delivered to sponsors.
08/06/13

(info) IT Policy Forum 2013-08. Status of Encryption Futures Task Force.

06/11/13 Encryption Futures Task Force (EncrypTF) finished scoring possible solutions vs. the requirements.
04/09/13 Encryption Futures Task Force (EncrypTF) finished identifying possible solutions for use cases.
03/01/13 Encryption Futures Task Force (EncrypTF) finished developing use cases.
12/17/12 Encryption Futures Task Force (EncrypTF) finished developing requirements.
11/20/13 Encryption Futures Task Force (EncrypTF) finished stakeholder analysis.
10/31/12 (info) IT Policy Forum 2012-10. Status of IEncrypt policy revision, Encryption Futures Task Force.
10/29/12 Minor revisions of the recommended procedures for faculty, staff and student employees. Changes were for clarity and consistency. Draft policy not changed.

10/23/12

Encryption Futures Task Force (EncrypTF) begins meeting.
10/10/12 Encryption Futures Task Force (EncrypTF) organizational meeting.
10/16/12 (info) MTAG meeting. Asked for endorsement of the policy. MTAG suggests waiting until the EncrypTF can improve the recommended procedures.
09/18/12 (info) MTAG meeting. Asked for endorsement of the policy. MTAG wants to study the policy and make a decision at their Oct. meeting.
09/14/12 Communications meeting. Discussed IEncrypt communications.
09/07/12 2012-09-07 draft version (with effective date 2012-09-21). Ready for publication. To be presented to MTAG.
09/06/12 Encryption Futures team status update at UW-MIST.
08/15/12 PPT Meeting 2012-08-15. PPT decided that Sep 21 would be the target date to publish the revised IEncrypt policy and procedures.
08/15/12 Drafted interim recommended procedures for IT professionals and power users. (Needed so there is a complete package of procedures to accompany the revised policy.)
08/14/12 Rev C of 2012-07-27 draft version.
08/14/12 ITransmit Meeting 2012-08-14. Discussed forum results, charter for Encryption Futures team.
(info) Team decided that we should go ahead and publish the policy and procedures in September, and the Encryption Futures team can serve as the implementation team. This is the last ITransmit meeting. Many thanks to the team members!
08/08/12 IT Policy Forum 2012-08. Presented proposed changes to policy and compliance standards. Presented draft of recommended procedures for faculty, staff and student employees. Discussion on implementation.
08/06/12 Rev B of 2012-07-27 draft version.
08/02/12 Presented draft charter of "Encryption Futures" team to UW-MIST meeting.
07/30/12 Rev A of 2012-07-27 draft version.
07/27/12 Revised draft policy and procedures. Main change was to add a requirement that restricted data be encrypted on desktop computers. Other changes as well to continue overall improvement of the documents.
07/26/12 Consulting with OCIS and DoIT security regarding policy and procedures, recommended tools, need for additional tools, need for team to look at future encryption environment.
07/25/12 Special PPT meeting with ITransmit team as guests. Discussed policy and recommended procedures. Talked about the forum discussion questions.
07/10/12 ITransmit Meeting 2012-07-10. Reviewed the recommended procedures for faculty, staff and student employees.
07/06/12 Clean up of the revised recommended procedures for faculty, staff and student employees. See IEncrypt Policy Drafts Archive and IEncrypt Policy Drafts.
06/03/12 Re-write of recommended procedures for faculty, staff and student employees, based on discussion at the ITransmit Meeting 2012-05-22.
05/31/12 Minor tweaks for clarity. More significantly, added requirement to encrypt on "cloud services" to the draft of revised policy.
05/29/12 Made minor changes to draft of revised policy, suggested at the previous ITransmit meeting.
05/22/12 ITransmit Meeting 2012-05-22. Discussed the two tables.
05/16/12 New draft documents: summary tables of guidelines for storage/transmission encryption by faculty and staff (two separate docs). These are for discussion purposes while resolving outstanding questions, and are not entirely consistent with the 4/26 version of the draft revisions and guidelines.
05/01/12 IT Policy Forum 2012-05. Presented draft policy & procedure revisions at forum. Did not present draft guidelines (team is still discussing them...) Asked for feedback on both policy & procedure revisions and the draft guidelines for fac/staff/students.
04/26/12 Updated draft revisions to incorporate changes from the ITransmit meeting. The team is still working on the guidelines.
04/24/12 ITransmit Meeting 2012-04-24. Review draft revision of IEncrypt policy. Review draft guidelines for faculty, staff and student employees. Prep for IT policy forum.
04/20/12 Drafted new document with guidelines for IT professionals and power users.
04/19/12 Updated draft revisions of IEncrypt policy.
04/18/12 PPT Meeting 2012-04-18. PPT reviewed draft IEncrypt revisions. Suggested some changes.
04/06/12 Updated guidelines for faculty, staff and student employees.
04/03/12 Updated draft revisions of IEncrypt policy.
03/27/12 ITransmit Meeting 2012-03-27. Review draft revision of IEncrypt policy. Review new document with guidelines for faculty, staff and student employees.
02/28/12 ITransmit Meeting 2012-02-28. Review forum results. Review draft changes to IEncrypt Policy.
02/17/12 (info) Began revision of IEncrypt Policy.

02/07/12

IT Policy Forum 2012-02-07. Presentation at forum.

01/18/12

ITransmit Meeting 2012-01-18. Prep for forum.

01/17/12

Rev A of Recommendations, as presented to CIO, plus additional follow up actions discussed at the Dec 19 meeting.

12/19/11

Final version of recommendations, as presented to the CIO. (Same as 12/07/11, but removed "Draft".)

12/19/11

ITransmit Meeting 2011-12-19 (with CIO). Presented recommendations to the CIO. See meeting notes for additional implementation actions.

12/07/11

Final edits to recommendations

11/28/11

ITransmit Meeting 2011-11-28. Reviewed Recommendations. Prep for meeting with CIO.

11/14/11

ITransmit Meeting 2011-11-14. Reviewed Recommendations.

10/31/11

ITransmit Meeting 2011-10-31. Discussed policy or guidelines?

10/03/11

ITransmit Meeting 2011-10-03. Reviewed Recommendations.

09/19/11

ITransmit Meeting 2011-09-19. Discussed team charter and deliverables.

08/30/11

ITransmit Meeting 2011-08-30. Reviewed Recommendations.

07/26/11

ITransmit Meeting. Reviewed first draft (outline) of the recommendations.

06/28/11

ITransmit Meeting. Continued brainstorming. Added detail to some issues.

05/31/11

First ITransmit meeting. Charter. Brainstorming results.

05/03/11

Status report to Office of the CIO, Policy and Security team.

04/27/11

IT Policy Forum, update on status, final call for team members.

03/2011 to
04/2011

Drafting charter, recruiting team members.

02/08/11

PPT Meeting 2011-03-08. PPT reviews results of forum discussion.

02/03/11

IT policy forum. Presentations and discussion of ITransmit. Goal is to measure interest in the community for working on a possible ITransmit policy at this time, and if so, gather community input (and volunteers!)

01/20/11

Arranged speakers to provide background at forum.

01/11/11

PPT Meeting 2011-01-11. Decided to add ITransmit discussion to the Feb 3rd IT policy forum agenda.

12/15/10

Result of feedback: Not sure if policy is needed, but it's worth talking about.

11/18/10

Email inquiry IReport/IEncrypt Joint Implementation Team (IERJIT) requesting input on ITransmit. We need to query the IERJIT team because many of the original members of the IEncrypt team are no longer available for consultation. This also indicates that we will need to form a new team if ITransmit is to proceed.

11/10/10

PPT Meeting 2010-11-10. Discussion of ITransmit. How to proceed. PPT suggests discussing this with the IEncrypt team.

11/02/10

(info) Policy and Planning dept. receives request for development of a policy on encryption of transmitted information. The question therefore arises: should ITransmit be separated from IRM for independent and faster action? Questions to consider include: Is there a compelling need to move forward sooner? Is there support for such policy from the community? Previous discussions (long list below) concluded otherwise, but that was a while ago and opinions may change.

03/11/10

PPT Meeting 2010-03-11. PPT reaffirms the current strategy that protection of transmitted information be addressed as part of the Information Resource Management (IRM) initiative (as part of a standard for protecting sensitive information.) For this reason, ITransmit is consolidated into IRM. There is still no data stewards group, however, and it looks like it could be awhile.

 

Above this line, mostly ITransmit (with transmission encryption)

Below this line, mostly the original IEncrypt (without transmission encryption)

09/03/09

UW-MIST meeting.

08/06/09

UW-MIST meeting.

08/04/09

IT Policy Forum

06/22/09

(info) Rev B of 6/5/09 version of policy. See: IEncrypt Policy Archive

07/25/09

OCIS Tools page mentions storage and encryption. (Cached here)

06/22/09

(info) Rev A of 6/5/09 version of policy. See: IEncrypt Policy Archive

06/26/09

Drafted talking points for a possible article for the early September edition of Computing@UW.

06/25/09

First IERJIT Meeting.

06/24/09

Communications Meeting. Discussed policy.

06/16/09

Communications Meeting. Discussed policy.

06/09/09

(info) Minor edits to IEncrypt Policy documents. (Noted that compliance dates are TBD. No other changes to the policy or compliance standards.)

06/05/09

The "final" version of the policy. See: IEncrypt Policy Archive

06/04/09

Created Charter and Plan for IEncrypt/IReport Joint Implementation Team.

06/01/09

(tick) (info) Effective date of the policy.

05/17/09

OCIS Prevent Laptop Theft page mentions storage and encryption. (Cached here)

05/15/09

(tick) (info) The "final draft" version that was endorsed by the ITC. See IEncrypt Policy Drafts Archive

05/08/09

Created IEncrypt Plan.

04/15/09

Comment period ends. No comments received.

04/06/09

Announcement at forum requesting comments on draft IEncrypt policy through April 15th.

04/01/09

Email sent requesting comments on the draft policy through April 15th.

03/23/09

OCIS Computing@DoIT article on encryption. (Cached here)

03/20/09

Revised draft policy (based on comments at the ITC meeting.) See: IEncrypt Policy Drafts Archive.

03/20/09

Draft policy version that was initially presented to ITC. ITC will review and revisit it at a future meeting.

03/13/09

Revised draft policy. See: IEncrypt Policy Drafts Archive.

03/03/09

Revised draft policy. See: IEncrypt Policy Drafts Archive.

03/03/09

PSIFramework meeting. Presented final PSIFramework Recommendations to the CIO.

03/03/09

Initial draft of policy. See: IEncrypt Policy Drafts Archive.

02/02/09

IT Policy Forum PSIFramework on the agenda.

01/29/09

PSIFramework Meeting (joint meeting with IReport). Reviewed draft PSIFramework recommendations.

01/08/09

(tick) (info) IMLG approves the UW-Madison Sensitive Information Definition.

01/07/09

PSIFramework Meeting (joint meeting with IReport.) Reviewed draft PSIFramework recommendations.

12/17/08

Meeting with CIO. Presented final IEncrypt recommendations to the CIO and discussed next steps.

12/03/08

Meeting. Reviewed draft IEncrypt recommendations. Planned for meeting with CIO. Planned for implementation team.

11/19/08

Meeting. Reviewed results from the November forum. Reviewed changes to draft IEncrypt recommendations. Planned team activities.

10/29/08

Meeting. Final planning for the November IT policy forum. Reviewed draft PSIFramework Recommendations.

10/23/08

Posted revised draft IEncrypt recommendations. This version to be presented at the November IT policy forum.

10/15/08

Meeting. Planned discussion at the IT policy forum. Reviewed draft IEncrypt recommendations.

10/13/08

Posted revised draft IEncrypt recommendations.

10/01/08

Meeting. Reviewed text of draft IEncrypt recommendations.

09/26/08

Posted revised draft IEncrypt recommendations.

9/10/08

Meeting. Began reviewing text of draft IEncrypt recommendations.

8/19/08

(info) Split off a separate draft document "Preliminary Recommendations for a Framework for Protection of Sensitive Information" which addresses some broader issues that are common to both IReport and IEncrypt. See: PSIFramework. Revised draft IEncrypt recommendations accordingly.

8/13/08

Meeting. Tentatively decided to split document into two parts, one part to be jointly developed with IReport, provided that IReport team concurred at their next meeting.

8/11/08

Brief update at the August IT policy forum.

8/8/08

Posted fourth draft of IEncrypt recommendations, to be presented publicly at the IT policy forum.

8/05/08

Posted third draft of IEncrypt recommendations.

7/30/08

Meeting. Reviewed outline of draft IEncrypt recommendations document. Planned activities for the IT Policy forum.

7/09/08

Meeting. Approved charter. Brainstorming.

6/18/08

Meeting. Background information. Start review of charter.

4/14/08

CIO formally accepts the recommended plan at the April 14th IT policy forum.

2/27/08

Presented recommendations for the IT Policy Process and IT Policy Plan to the CIO.

2/4/08

At the February 4th IT policy forum:

  • Initiative was among the four highest priority new policy initiatives. See: Multi-voting Results (RTF).
  • Input on stakeholders and stakeholder team issues received. See: Discussion Results (RTF).

11/5/07

Included initiative in the IT Policy Plan.

Additional Pages

Contact

 

3 Comments

  1. I would be really careful about casting the net too broadly here. At least on the research side of the house we would be unable to participate in a system that allowed key escrows to exist outside of our unit. Indeed, for some situations in which we encrypt disks or file structures the key escrow has to be the issuing agency (U.S. Dept of Ed, school district, etc.). We would be out of compliance if we allowed even our own IT folks to take on the escrow role. Our data security arrangements often simply don't allow student data to be taken outside of the building for any purposes. It can only reside on secure servers. Several school districts and some state agencies have moved to remote access only - Windows terminal services, mostly. Many of these groups see encryption as a costly, risky set of technologies that does more to employ tech people than it secures data. Many financial and legal services groups use this approach as well. Staff are simply forbidden to have sensitive data on local machines, period. Random audits are used to ensure policy compliance. Encryption actually does nothing if I put the data on a usb drive and carry it off. As for putting data in other formats, in research we have been doing encryption of ids for years to produce analytical datasets. There is no reason that approach could not be used in a university administration setting.

    Chris Thorn
    WCER tech guy

  2. Chris,

    A rather belated Thanks! for commenting. I appreciate it.

    Peace be with you,
    Gary

  3. Chris raises very good points. I think we need to put the use of encryption within the overall context of good data and records management practices. As Chris notes, with regard to certain types of data there should be restrictions or practices on how data is accessed, used, whether it can be downloaded or not onto personal machines, etc. It seems to me that we need to first consider the data and/or records, their value, then look at appropriate practices to secure them, if necessary, and finally, what tools might be appropriate to use.

    Thanks
    Nancy Kunde
    UW Madison Records Officer