Skip to end of metadata
Go to start of metadata

Storage, Transmission and Encryption of Sensitive Information (IEncrypt)

The policy for Storage and Encryption of Sensitive Information (IEncrypt) requires that sensitive information on workstations, laptops and other portable devices and media be the minimum amount necessary to support operational needs, and that sensitive information that is present on such devices be encrypted or protected by compensating controls.

The policy is being revised, and will be renamed as Storage, Transmission and Encryption of Sensitive Information.  Additional Recommended Procedures are also under development. These changes were recommended by the team for Protection of Sensitive Information during Transmission (ITransmit). In addition, the Encryption Futures Task Force has made recommendations to improve the campus sponsored solutions for both storage and transmission.

Policy effective Jun 1, 2009. Last revised Sep 24, 2010. See:

For draft revisions see IEncrypt Policy Drafts.

The history of the policy and ongoing implementation activities are documented below.


 For meeting notes see:




(info)Items of particular interest



31/07/15Published Rev A of Draft of Storage, Transmission and Encryption of Sensitive Information. Also published Rev A of Interim Recommended Procedures for Faculty, Staff and Student Employees, and Interim Recommended Procedures for IT Professional and Power Users.  Looks like all three of them got lost in the transition of the CIO site to Word Press. See: IEncrypt Policy Drafts. Archived the 10/23/13 original versions. See IEncrypt Policy Drafts Archive.
11/2013 to 06/2015Gradual activity to implement a campus sponsored solution for full disk encryption and file/folder encryption. Slowed by turn-over of IT security staff, and slow response or lack of responsiveness from vendors. Did not track this activity in detail.
10/23/13Published most recent draft of Storage, Transmission and Encryption of Sensitive Information. Also published Interim Recommended Procedures for Faculty, Staff and Student Employees, and Interim Recommended Procedures for IT Professional and Power Users. Included changes based on recommendations of Encryption Futures Task Force. See IEncrypt Policy Drafts Archive
10/11/13Final version of Encryption Futures Task Force recommendations delivered to sponsors.

(info) IT Policy Forum 2013-08. Status of Encryption Futures Task Force.

06/11//13Encryption Futures Task Force (EncrypTF) finished scoring possible solutions vs. the requirements.
04/09/13Encryption Futures Task Force (EncrypTF) finished identifying possible solutions for use cases.
03/01/13Encryption Futures Task Force (EncrypTF) finished developing use cases.
12/17/12Encryption Futures Task Force (EncrypTF) finished developing requirements.
11/20/13Encryption Futures Task Force (EncrypTF) finished stakeholder analysis.
10/31/12(info) IT Policy Forum 2012-10. Status of IEncrypt policy revision, Encryption Futures Task Force
10/29/12Minor revisions of the recommended procedures for faculty, staff and student employees. Changes were for clarity and consistency. Draft policy not changed.


Encryption Futures Task Force (EncrypTF) begins meeting.
10/10/12Encryption Futures Task Force (EncrypTF) organizational meeting.
10/16/12(info) MTAG meeting. Asked for endorsement the policy. MTAG suggests waiting until the EncrypTF can improve the recommended procedures.
09/18/12(info) MTAG meeting. Asked for endorsement the policy. MTAG wants to study the policy and make a decision at their Oct. meeting.
09/14/12 Communications meeting. Discussed IEncrypt communications. 
09/07/12 2012-09-07 draft version (with effective date 2012-09-21). Ready for publication. To be presented to MTAG.
09/06/12 Encryptions Futures team status update at UW-MIST
08/15/12PPT Meeting 2012-08-15. PPT decided that Sep 21 would be the target date to publish the revised IEncrypt policy and procedures.
08/15/12Drafted interim recommended procedurs for IT professionals and power users. (Needed so there is a complete package of procedures to accompany the revised policy.)
08/14/12 Rev C of 2012-07-27 draft version.
08/14/12ITransmit Meeting 2012-08-14. Discussed forum results, charter for Encryption Futures team.
(info)Team decided that we should go ahead and publish the policy and procedures in September, and the Encryption Futures team can serve as the implementation team. This is the last ITransmit meeting. Many thanks to the team members!
08/08/12  IT Policy Forum 2012-08. Presented proposed changes to policy and compliance standards. Presented draft of recommended procedures for faculty, staff and student employees. Discussion on implementation.
08/06/12 Rev B of 2012-07-27 draft version.
08/02/12 Presented draft charter of "Encryption Futures" team to UW-MIST meeting.
07/30/12 Rev A of 2012-07-27 draft version.
07/27/12Revised draft policy and procedures. Main change was to add a requirement that restricted data be encrypted on desktop computer. Other changes as well to continue overall improvement of the documents.
07/26/12Consulting with OCIS and DoIT security regarding policy and procedures, recommended tools, need for additional tools, need for team to look at future encryption environment.
07/25/12Special PPT meeting with ITransmit team as guests. Discussed policy and recommended procedures. Talked about the forum discussion questions.
07/10/12 ITransmit Meeting 2012-07-10. Reviewed the recommended procedures for faculty, staff and student employees.
07/06/12 Clean up of the revised recommended procedures for faculty, staff and student employees. See IEncrypt Policy Drafts ArchiveIEncrypt Policy Drafts
06/03/12Re-write of recommended procedures for faculty, staff and student employees, based on discussion at the ITransmit Meeting 2012-05-22.
05/31/12Minor tweaks for clarity. More significantly, added requirement to encrypt on "cloud services" to the draft of revised policy.
05/29/12Made minor changes to draft of revised policy, suggested at the previous ITranmit meeting.
05/22/12ITransmit Meeting 2012-05-22. Discussed the two tables.
05/16/12New draft documents: summary tables of guidelines for storage/transmission encryption by faculty and staff (two separate docs.) These are for discussion purposes while resolving outstanding questions, and are not entirely consistent with the 4/26 version of the draft revisions and guidelines.
05/01/12 IT Policy Forum 2012-05. Presented draft policy & procedure revisions at forum. Did not present draft guidelines (team is still discussing them...) Asked for feedback on both policy & procedure revisions and the draft guidelines for fac/staff/students.
04/26/12Updated draft revisions to incorporate changes from the ITransmit meeting. The team is still working on the guidelines. 
04/24/12ITransmit Meeting 2012-04-24. Review draft revision of IEncrypt policy. Review draft guidelines for faculty, staff ad student employyees. Prep for IT policy forum.
04/20/12 Drafted new document with guidelines for IT professionals and power users.
04/19/12 Updated draft revisions of IEncrypt policy.
04/18/12PPT Meeting 2012-04-18. PPT reviewed draft IEncrypt revisions. Suggested some changes. 
04/06/12 Updated guidelines for faculty, staff and student employees.
04/03/12 Updated draft revisions of IEncrypt policy
03/27/12ITransmit Meeting 2012-03-27. Review draft revision of IEncrypt policy. Review new document with guidelines for faculty, staff and student employees. 
02/28/12ITransmit Meeting 2012-02-28. Review forum results. Review draft changes to IEncrypt Policy
02/17/12(info) Began revision of IEncrypt Policy


IT Policy Forum 2012-02-07. Presentation at forum.


ITransmit Meeting 2012-01-18. Prep for forum.

01/17/12Rev A of Recommendations, as presented to CIO, plus additional follow up actions discussed at the Dec 19 meeting


Final version of recommendations, as presented to the CIO. (Same as 12/07/11, but removed "Draft".)


ITransmit Meeting 2011-12-19 (with CIO). Presented recommedations to the CIO. See meeting notes for additional implementation actions.


Final edits to recommendations


ITransmit Meeting 2011-11-28. Reviewed Recommendations. Prep for meeting with CIO.


ITransmit Meeting 2011-11-14. Reviewed Recommendations.


ITransmit Meeting 2011-10-31. Discussed policy or guidelines?


ITransmit Meeting 2011-10-03. Reviewed Recommendations.


ITransmit Meeting 2011-09-19. Discussed team charter and deliverables.


ITransmit Meeting 2011-08-30. Reviewed Recommendations.


ITransmit Meeting. Reviewed first draft (outline) of the recommendations.


ITransmit Meeting. Continued brainstorming. Added detail to some issues.


First ITrasmit meeting. Charter. Brainstorming results.


Status report to Office of the CIO, Policy and Security team.


IT Policy Forum, update on status, final call for team members.

03/2011 to

Drafting charter, recruiting team members.


PPT Meeting 2011-03-08. PPT reviews results of forum discussion.


IT policy forum. Presentations and discussion of ITransmit. Goal is to measure interest in the community for working on a possible ITransmit policy at this time, and if so, gather community input (and volunteers!)


Arranged speakers to provide background at forum.


PPT Meeting 2011-01-11. Decided to add ITransmit discussion to the Feb 3rd IT policy forum agenda.


Result of feedback: Not sure if policy is needed, but it's worth talking about.


Email inquiry IReport/IEncrypt Joint Implementation Team (IERJIT) requesting input on ITransmit. We need to query the IERJIT team because many of the original members of the IEncrypt team are no longer available for consultation. This also indicates that we will need to form a new team if ITransmit is to proceed.


PPT Meeting 2010-11-10. Discussion of ITransmit. How to proceed. PPT suggests discussing this with the IEncrypt team.


(info)Policy and Planning dept. receives request for development of a policy on encryption of transmitted information. The question therefore arises: should ITransmit be separated from IRM for independent and faster action? Questions to consider include: Is there a compelling need to move forward sooner? Is there support for such policy from the community? Previous discussions (long list below) concluded otherwise, but that was a while ago and opinions may change.


PPT Meeting 2010-03-11. PPT reaffirms the current strategy that protection of transmitted information be addressed as part of the Information Resource Management (IRM) initiative (as part of a standard for protecting sensitive information.) For this reason, ITransmit is consolidated into IRM. There is still no data stewards group, however, and it looks like it could be awhile.


Above this line, mostly ITransmit (with transmission encryption)

Below this line, mostly the orginal IEncrypt (without transmission encryption)


UW-MIST meeting.


UW-MIST meeting.


IT Policy Forum


(info)Rev B of 6/5/09 version of policy. See: IEncrypt Policy Archive


OCIS Tools page mention storage and encryption. (Cached here)


(info)Rev A of 6/5/09 version of policy. See: IEncrypt Policy Archive


Drafted talking points for a possible article for the earily September edition of Computing@UW.


First IERJIT Meeting.


Communications Meeting. Discussed policy.


Communications Meeting. Discussed policy.


(info)Minor edits to IEncrypt Policy documents. (Noted that compliance dates are TBD. No other changes to the policy or compliance standards.)


The "final" version of the policy. See: IEncrypt Policy Archive


Created Charter and Plan for IEncrypt/IReport Joint Implementation Team.


(tick)(info)Effective date of the policy.


OCIS Prevent Laptop Theft page mentions storage and encryption. (Cached here)


(tick)(info)The "final draft" version that was endorsed by the ITC. See IEncrypt Policy Drafts Archive


Created IEncrypt Plan.


Comment period ends. No comments received.


Announcement at forum requesting comments on draft IEncrypt policy through April 15th.


Email sent requesting comments on the draft policy through April 15th.


OCIS Computing@DoIT article on encryption. (Cached here)


Revised draft policy (based on comments at the ITC meeting.) See: IEncrypt Policy Drafts Archive.


Draft policy version that was initially presented to ITC. ITC will review and revisit it at a future meeting.


Revised draft policy. See: IEncrypt Policy Drafts Archive.


Revised draft policy. See: IEncrypt Policy Drafts Archive.


PSIFramework meeting. Presented final PSIFramwork Reommendations to the CIO.


Initial draft of policy. See: IEncrypt Policy Drafts Archive.


IT Policy Forum PSIFramework on the agenda.


PSIFramework Meeting (joint meeting with IReport). Reviewed draft PSIFramework recommendations.


(tick)(info)IMLG approves the UW-Madison Sensitive Information Definition.


PSIFramework Meeting (joint meeting with IReport.) Reviewed draft PSIFramework recommendations.


Meeting with CIO. Presented final IEncrypt recommendations to the CIO and discussed next steps.


Meeting. Reviewed draft IEncrypt recommendations. Planned for meeting with CIO. Planned for implemnetation team.


Meeting. Reviewed results from the November forum. Reviewed changes to draft IEncrypt recommendations. Planned team activities.


Meeting. Final planning for the November IT policy forum. Reviewed draft PSIFramework Recommendations.


Posted revised draft IEncrypt recommendations. This version to be presented at the November IT policy forum.


Meeting. Planned discussion at the IT policy forum. Reviewed draft IEncrypt recommendations.


Posted revised draft IEncrypt recommendations.


Meeting. Reviewed text of draft IEncrpt recommendations.


Posted revised draft IEncrypt recommendations.


Meeting. Began reviewing text of draft IEncrypt recommendations.


(info)Split off a separate draft document "Preliminary Recommendations for a Framework for Protection of Sensitive Information" which addresses some broader issues that are common to both IReport and IEncrypt. See: PSIFramework. Revised draft IEncrypt recommendations accordingly.


Meeting. Tentatively decided to split document into two parts, one part to be jointly developed with IReport, provided that IReport team concurred at their next meeting.


Brief update at the August IT policy forum.


Posted fourth draft of IEncrypt recommendations, to be presented publically at the IT policy forum.


Posted third draft of IEncrypt recommendations.


Meeting. Reveiwed outline of draft IEncrypt recommendations document. Planned activities for the IT Policy forum.


Meeting. Approved charter. Brainstorming.


Meeting. Background information. Start review of charter.


CIO formally accepts the recommended plan at the April 14th IT policy forum.


Presented recommendations for the IT Policy Process and IT Policy Plan to the CIO.


At the February 4th IT policy forum:

  • Initiative was among the four highest priority new policy initiatives. See: Multi-voting Results (RTF).
  • Input on stakeholders and stakeholder team issues received. See: Discussion Results (RTF).


Included initiative in the IT Policy Plan.

Additional Pages