
UW-Madison Information Incident Reporting and Response Policy (IReport)

The UW-Madison Information Incident Reporting and Response Policy (IReport) requires employees, contractors and users of UW-Madison information resources to report possible unauthorized access to sensitive information. This allows the institution to investigate and respond appropriately.

The policy is published at: http://www.cio.wisc.edu/policies/IReportPolicy.pdf.

Draft revisions (if any) are at: IReport Policy Drafts (login required)

The history of the policy and ongoing implementation activities are documented below.

To comment on draft documents or any other aspect of IT policy, please add your comments at the bottom of the page in question. Comments are welcome on any document at any time. Formal review is a publicized period of time where comments are proactively invited.

History

(tick) Milestones, (info) Items of particular interest

Date

Activity

10/03/12 Revision initiative complete. Communications will continue.
08/10/12 (tick) Published 2012-08-10 version of IReport Policy and associated procedures (effective as of that date).
08/08/12 (info) Presented revisions to the IT Policy Forum. Q&A.
08/03/12 Finished final changes to IReport policy and associated procedures. Will be published on Aug 10.
07/16/12 More changes suggested by PPT and others. Made one small change to the policy language to further clarify that the policy applies to non-UW-Madison owned resources when they are used for university business. Made many changes to the procedures, to make them more directly usable by departments, so departments are less likely to need to develop local procedures.
06/20/12 Changes to the procedures, suggested by UW-MIST policy update and education team, OCIS, and UW PD.
06/19/12 (tick) MTAG review of draft policy revisions.
06/19/12 Rev A of draft for MTAG. (Needed to change one word – a missing "not".)
06/11/12 Final draft of policy revisions, for MTAG. (Summary table not yet updated.)
05/16/12 Minor changes for clarity to draft policy revisions. Released a new draft document: a table summarizing the policy and procedures, compatible with the template departmental procedures.
05/04/12 Draft revised to incorporate changes suggested at UW-MIST. See IReport Policy Drafts Archive.
05/03/12 Draft revised to incorporate changes suggested at the forum. See IReport Policy Drafts Archive. Met with UW-MIST.
05/01/12 Discussed at IT Policy Forum 2012-05.
04/19/12 Changes to the draft of revised policy to better distinguish exceptional cases, remove examples, and some minor changes. Small improvements to the template departmental procedures.
04/18/12 Discussed the draft of the revised policy and the summary of major changes at the Policy Planning Team meeting, PPT Meeting 2012-04-18.
04/05/12 Discussed the draft of the revised policy at UW-MIST. Discussion was very short, and will continue at the next UW-MIST meeting on May 17th.
04/03/12 Draft of revised policy. New document: summary of major changes. Discussed at DoIT Policy and Security Meeting. Later, added template procedure for departments.
03/15/12 Draft of revised policy, procedure and response flowchart. Discussed at DoIT Policy and Security Meeting. See IReport Policy Drafts.
03/13/12 Initial draft changes to policy, procedure and flowchart. Reviewed by OCIS and Policy and Planning.
03/07/12 OCIS and Policy and Planning discussed the summary of changes with CIO.
03/02/12 Summary of proposed revisions to flowchart and policy.
03/01/12 Discussion at UW-MIST regarding need for changes in how incidents involving restricted data are reported.

08/03/11

Rev D of 9/24/10 version. Minor change to flowchart. See also: IRespond. Published to CIO web. Did not update date on CIO web. Deleted all the redundant RTF versions from the archives.

07/13/11

Rev C of 9/24/10 version. Minor changes. Revised flowchart. Now version 2011-07-12 (Rev C). Added comment on the decision to proceed to steps 5 and 6. Removed references to the template spreadsheet. Template spreadsheet is retired, and will no longer be updated. Revised procedure to include updated flowchart. Did not update revision date on CIO web page. Also, shortened links in metadata. See also: IRespond.

12/17/10

(info) Rev B of 9/24/10 version. Changed policy text from: "special policies and reporting requirements" to "additional policies or reporting requirements", and added human subjects research as an additional example. Updated the revision date of the policy on the CIO policies page (really should have done this on 9/24/10). Also: In procedure put UW PD emergency contact (911) ahead of the non-emergency contact. Added metadata link to published policy document. Minor format changes.

12/02/10

Rev A of 9/24/10 version. Did not update revision date on CIO web page. Minor format changes. Added link to history.*

11/30/10

Trivial revision of procedures to remove "DRAFT" from the Information Incident Reporting and Response Flowchart. See IRespond.

11/30/10

Updated Information Incident Reporting and Response Template for consistency with proposed changes to the Template Information Incident Triage Procedures. New template triage procedures are still being reviewed and are not yet published. See: IRespond.

10/19/10

Com Meeting 2010-10-19. Discussed IReport.

09/24/10

PSIFramework Meeting 2009-01-07 09/24/10 version. Minor revisions to the policy for readability, brevity, consistency, etc. Removed the template triage procedures, which will be maintained as a separate document. Removed the copy of the Sensitive Data Definition, and added a link to it instead. Did not update the revision date on http://www.cio.wisc.edu/policies because no substantial change occurred that would affect compliance.

09/23/10

IERJIT Meeting to discuss revisions.

09/20/10

Draft revisions.

08/12/10

All IERJIT team members willing to meet.

08/03/10

Asked IERJIT team if they would be willing to meet again to discuss IEncrypt revisions.

07/19/10

IT Policy Review Schedule. Policy due for revision.

06/22/10

(info) Rev C of 6/5/09 version of policy. Updated links to related documents. Updated the attached definition of sensitive information.

06/08/10

Communications meeting.

04/26/10

IT Policy Forum

04/22/10

Communications meeting.

03/09/10

Communications meeting.

02/04/10

IT Policy Forum

01/28/10

IT Policy met with Medical School IT staff to discuss IEncrypt, IReport and other policies.

12/15/09

Communications meeting.

11/11/09

IT Policy Forum

10/08/09

New IT Policies presentation at Red Gym.

09/15/09

Communications meeting.

09/03/09

UW-MIST meeting.

08/06/09

UW-MIST meeting.

08/04/09

IT Policy Forum

06/25/09

PSIFramework Meeting 2009-01-07 First IERJIT Meeting.

06/24/09

Communications Meeting. Discussed policy.

06/16/09

Communications Meeting. Discussed policy.

06/09/09

Minor edits on IReport Policy documents. (No changes to policy or procedures text.)

06/05/09

(info) Rev B, the "final" version of IReport Policy

06/04/09

Created Charter for IEncrypt/IReport Joint Implementation Team.

06/01/09

(tick) Effective date of IReport Policy.

05/15/09

Policy was endorsed by the ITC.

05/08/09

Created IReport Plan.

04/15/09

Comment period ends.

04/06/09

PSIFramework Meeting 2009-01-07 Announcement at forum requesting comments on final draft of IReport policy through April 15th.

04/01/09

Email sent requesting comments on IReport Policy through April 15th.

03/20/09

Final draft of IReport policy presented to ITC.

03/13/09

PSIFramework meeting with CIO.

02/18/09

Revised draft IReport policy

02/18/09

Meeting with Office of the CIO, Communications department.

02/02/09

IT Policy Forum. IReport draft policy on the agenda.

01/29/09

PSIFramework meeting.

01/22/09

Revised draft IReport policy. Incorporates feedback from IReport team.

01/09/09

First draft IReport policy.

01/08/09

IMLG approves the UW-Madison Sensitive Information Definition.

01/07/09

PSIFramework Meeting 2009-01-07 First PSIFramework meeting.

11/20/08

Meeting. Presented recommendations to the CIO. Discussion of outstanding issues and next steps.

11/13/08

Meeting. Reviewed draft, made some changes. Result is the final draft to be submitted to the CIO. See notes from meeting.

11/03/08

(info) Presented 10/23 version of the recommendations at the IT Policy Forum. Received some feedback during Q&A and after the meeting.

10/23/08

Meeting. Published 10/23 version of the recommendations that will be presented at the forum and reviewed by the community (comments due 11/10.)

10/15/08

Revised draft recommendations.

10/09/08

Meeting. Reviewed draft recommendations. Planned for presentation at the upcoming forum.

10/02/08

Revised draft recommendations.

9/25/08

Meeting. Reviewed draft recommendations.

9/22/08

Revised draft recommendations. Text now written for all sections. Needs work.

9/11/08

Meeting. Reviewed and updated draft recommendations.

8/28/08

Meeting. Reviewed results of IT policy forum. Reviewed draft recommendations.

8/25/08

Revised draft recommendations. Includes comments in all sections, draft text in some sections.

8/19/08

(info) Split off a separate draft document "Preliminary Recommendations for a Framework for Protection of Sensitive Information" which addresses some broader issues that are common to both IReport and IEncrypt. See: PSIFramework. Revised draft IReport recommendations accordingly.

8/14/08

Meeting. Revised draft recommendations. Decided to split them into two parts.

8/11/08

(info) Small group discussion at IT policy forum. Discussion results.

8/8/08

Posted revised draft of recommendations.

7/31/08

Meeting. Reviewed and continued expanding upon draft recommendations.

7/17/08

Meeting. Reviewed brainstorming results. Reviewed outline of recommendations documents.

7/03/08

Meeting. Approved charter. Brainstorming.

6/12/08

Meeting. Background information. Start review of charter.

5/15/08

Posted draft of the charter for the Policy Stakeholders Team

4/14/08

(info) CIO formally accepts the recommendations at the April 14th IT policy forum.

2/27/08

Presented recommendations for the IT Policy Process and IT Policy Plan to the CIO.

2/4/08

(info) At the February 4th IT policy forum:

  • Initiative voted as highest priority among possible new policy initiatives. See: Multi-voting Results (RTF).
  • Input on stakeholders and stakeholder team issues received. See: Discussion Results (RTF).

11/5/07

Included initiative in the IT Policy Plan.

Contact