UW-Madison Information Incident Reporting and Response Policy (IReport)
The UW-Madison Information Incident Reporting and Response Policy (IReport) requires employees, contractors and users of UW-Madison information resources to report possible unauthorized access to sensitive information. This allows the institution to investigate and respond appropriately.
The policy is published at: http://www.cio.wisc.edu/policies/IReportPolicy.pdf.
Draft revisions (if any) are at: IReport Policy Drafts (login required)
The history of the policy and ongoing implementation activities are documented below.
Policy Stakeholders Team (07/08)
Policy Stakeholders Team (08/09)
Milestones, Items of particular interest
|10/03/12||Revision initiative complete. Communications will continue.|
|08/10/12||Published 2012-08-10 version of IReport Policy and associated procedures (effective as of that date).|
|08/08/12||Presented revisions to the IT Policy Forum. Q&A.|
|08/03/12||Finished final changes to IReport policy and associated procedures. Will be published on Aug 10.|
|07/16/12||More changes suggested by PPT and others. Made one small change to the policy language to further clarify that the policy applies to non-UW-Madison owned resources when they are used for university business. Made many changes to the procedures, to make them more directly usable by departments, so departments are less likely to need to develop local procedures.|
|06/20/12||Changes to the procedures, suggested by UW-MIST policy update and education team, OCIS, and UW PD.|
|06/19/12||MTAG review of draft policy revisions.|
|06/19/12||Rev A of draft for MTAG. (Needed to change one word – a missing "not".)|
|06/11/12||Final draft of policy revisions, for MTAG. (Summary table not yet updated.)|
|05/16/12||Minor changes for clarity to draft policy revisions. Released a new draft document: a table summarizing the policy and procedures, compatible with the template departmental procedures.|
|05/04/12||Draft revised to incorporate changes suggested at UW-MIST. See IReport Policy Drafts Archive.|
|05/03/12||Draft revised to incorporate changes suggested at the forum. See IReport Policy Drafts Archive. Met with UW-MIST.|
|05/01/12||Discussed at IT Policy Forum 2012-05|
|04/19/12||Changes to the draft of revised policy to better distinguish exceptional cases, remove examples, and some minor changes. Small improvements to the template departmental procedures.|
|04/18/12||Discussed the draft of the revised policy and the summary of major changes at the Policy Planning Team meeting, PPT Meeting 2012-04-18.|
|04/05/12||Discussed the draft of the revised policy at UW-MIST. Discussion was very short, and will continue at the next UW-MIST meeting on May 17th.|
|04/03/12||Draft of revised policy. New document: summary of major changes. Discussed at DoIT Policy and Security Meeting. Later, added template procedure for departments.|
|03/15/12||Draft of revised policy, procedure and response flowchart. Discussed at DoIT Policy and Security Meeting. See IReport Policy Drafts.|
|03/13/12||Initial draft changes to policy, procedure and flowchart. Reviewed by OCIS and Policy and Planning.|
|03/07/12||OCIS and Policy and Planning discussed the summary of changes with CIO.|
|03/02/12||Summary of proposed revisions to flowchart and policy.|
|03/01/12||Discussion at UW-MIST regarding need for changes in how incidents involving restricted data are reported.|
Rev D of 9/24/10 version. Minor change to flowchart. See also: IRespond. Published to CIO web. Did not update date on CIO web. Deleted all the redundant RTF versions from the archives.
Rev C of 9/24/10 version. Minor changes. Revised flowchart. Now version 2011-07-12 (Rev C). Added comment on the decision to proceed to steps 5 and 6. Removed references to the template spreadsheet. Template spreadsheet is retired, and will no longer be updated. Revised procedure to include updated flowchart. Did not update revision date on CIO web page. Also, shortened links in metadata. See also: IRespond.
Rev B of 9/24/10 version. Changed policy text from: "special policies and reporting requirements" to "additional policies or reporting requirements", and added human subjects research as an additional example. Updated the revision date of the policy on the CIO policies page (really should have done this on 9/24/10). Also: In procedure put UW PD emergency contact (911) ahead of the non-emergency contact. Added metadata link to published policy document. Minor format changes.
Rev A of 9/24/10 version. Did not update revision date on CIO web page. Minor format changes. Added link to history.*
Trivial revision of procedures to remove "DRAFT" from the Information Incident Reporting and Response Flowchart. See IRespond.
Updated Information Incident Reporting and Response Template for consistency with proposed changes to the Template Information Incident Triage Procedures. New template triage procedures are still being reviewed and are not yet published. See: IRespond.
Com Meeting 2010-10-19. Discussed IReport.
PSIFramework Meeting 2009-01-07 09/24/10 version. Minor revisions to the policy for readability, brevity, consistency, etc. Removed the template triage procedures, which will be maintained as a separate document. Removed the copy of the Sensitive Data Definition, and added a link to it instead. Did not update the revision date on http://www.cio.wisc.edu/policies because no substantial change occurred that would affect compliance.
IERJIT Meeting to discuss revisions.
All IERJIT team members willing to meet.
Asked IERJIT team if they would be willing to meet again to discuss IEncrypt revisions.
IT Policy Review Schedule. Policy due for revision.
Rev C of 6/5/09 version of policy. Updated links to related documents. Updated the attached definition of sensitive information.
IT Policy met with Medical School IT staff to discuss IEncrypt, IReport and other policies.
New IT Policies presentation at Red Gym.
Communications Meeting. Discussed policy.
Communications Meeting. Discussed policy.
Minor edits on IReport Policy documents. (No changes to policy or procedures text.)
Rev B, the "final" version of IReport Policy
Effective date of IReport Policy.
Comment period ends.
Email sent requesting comments on IReport Policy through April 15th.
Revised draft IReport policy
Meeting with Office of the CIO, Communications department.
IT Policy Forum. IReport draft policy on the agenda.
Revised draft IReport policy. Incorporates feedback from IReport team.
First draft IReport policy.
IMLG approves the UW-Madison Sensitive Information Definition.
Meeting. Reviewed draft, made some changes. Result is the to be submitted to the CIO. See notes from meeting.
Revised draft recommendations.
Revised draft recommendations.
Revised draft recommendations. Text now written for all sections. Needs work.
Revised draft recommendations. Includes comments in all sections, draft text in some sections.
Split off a separate draft document "Preliminary Recommendations for a Framework for Protection of Sensitive Information" which addresses some broader issues that are common to both IReport and IEncrypt. See: PSIFramework. Revised draft IReport recommendations accordingly.
Posted revised draft of recommendations.
CIO formally accepts the recommendations at the April 14th IT policy forum.
At the February 4th IT policy forum:
Included initiative in the IT Policy Plan.