Information Incident Reporting Policy Stakeholders Team Charter (Final Draft)

Charter for
Information Incident Reporting
Policy Stakeholders Team (IReport PST) 
7/3/08 version (as approved by team and submitted to CIO for review) Membership list revised: 7/23/08.

Type

Policy Stakeholders Team (PST) and implementation team, temporary

IT Policy Initiative

Information Incident Reporting (IReport) (https://wiki.doit.wisc.edu/confluence/x/vwdn)
An information incident reporting policy would require employees to report unauthorized access to sensitive information or when media or devices that might contain sensitive information are lost or stolen. Such reporting would allow the institution to investigate and respond appropriately. Sensitive information consists of Restricted Information and other information that might be damaging to individuals or the institution if it were accessed by unauthorized persons.

Compelling Need

Privacy and "Notification" laws
These laws require the university to protect personal data and to notify the affected persons when there is a compromise of certain information. The potential consequences to the institution are large.

Issuing Exec.

Chief Information Officer (CIO)

Endorsement

Chief Information Officer (CIO) or Information Technology Committee (ITC)

Advisory Group

Information incident response leadership team

Other Advisory Groups

Badger Incident Response Team (BadgIRT)
Office of Campus Information Security (OCIS)

Sponsorship

Chief Information Officer (CIO)

Stakeholders

From 2/4 IT Policy Forum:

  • Deans offices
  • Division of Enrollment Management (student data)
  • Division of Information Technology (enterprise systems)
  • Office of Campus Information Security
  • Office of Human Resources (employee data)
  • HIPAA HCC departments (medical data)
  • IRB's (research data from human subjects research)
  • Legal Services
  • Risk Management
  • University Communications
  • ANY person who handles sensitive data

Deliverables

Phase I. Elaboration

(by Aug 1, 2008)

Report desired outcomes and implementation considerations to the CIO. The team should report:

  • operational or technical goals to be accomplished, and related goals that appear to be out-of-scope.
  • a vision for what success might look like, including the hoped-for impact on the institution.
  • the recommended mix of policies, guidelines, procedures, standards and principles, and the rationale for this mix.
  • significant operational or technical features that the implementation should include or exclude that would enhance the likelihood of success.
  • possible desirable or undesirable side-effects and how these might be enhanced or reduced by the implementation.

For purposes of review and implementation planning the report should specifically address:

  • Definitions. What is a reportable incident? Other necessary definitions?
  • Comments on the Information Incident Response Process, up through step 7 (and step 14 when it immediately follows step 7). In this role the team is completing the work remaining on the Information Incident Response process (https://wiki.doit.wisc.edu/confluence/x/DQhn).
  • How to encourage compliance?
  • How to protect individuals who report incidents?
  • Communications. How to increase awareness?
  • Other considerations that affect the ability and willingness of individuals to report an incident.

Deliverables

Phase II. Drafting

(as needed)

Advise and assist the CIO and Policy and Planning regarding:

  • Review of the draft policy at IT policy forums.
  • Vetting of the revised draft to the broader campus community.

Deliverables

Phase III. Implementation

(as needed)

Advise the CIO, Policy and Planning and others regarding:

  • Implementation plan.
  • Communications plan.

Deferred issues

The PST should not address:

  • What office, in particular, is the custodian of what data.
  • Details of the Information Incident Response Process, steps 9 through 13 (and step 14 when it follows step 13).

Referred issues

Refer other issues to the CIO:

  • The team should note other significant issues that appear to be out-of-scope, and should forward these separately to the CIO so they may be addressed.

Process

The PST is working within the context of the UW-Madison IT Policy Process. The process is outlined in Appendix B of the process recommendations. The team's methods of deliberation and resulting recommendations should be consistent with the Key Success Factors of the process:

  • Campus buy-in
    Inclusive and transparent process with good communications.
  • Appropriate review and revision
    Initial review must be broad and thorough. There must be on-going review and revision.
  • Practical implementation
    Well communicated, cost-effective and enforceable. Can be accomplished with the resources available for the purpose.

Assumptions

Assumed outcome:

  • The general assumption is that the initiative will result in a campus-wide IT policy or policies along with supporting guidelines, procedures, standards and principles. The PST may, however, recommend otherwise.

Constraints

The recommendations of the PST must be consistent with:

  • The Wisconsin notification law 895.507, and any information incident reporting requirements of FERPA, HIPAA or other relevant state or federal laws.
  • State or federal laws or regulations regarding investigation of information incidents. (Specifics TBD)
  • Applicable UW System or UW-Madison policies. (Specifics TBD)

Risks

Care should be taken to avoid:

  • Scope creep.
  • Too much time spent on deferred or referred issues.

Communications & collaboration

The team should coordinate its efforts and recommendations:

Amendment

This charter may be amended in consultation with the sponsors:

  • The team should initially review the charter and consult with the sponsors regarding any recommended changes.
  • The team may consult with the sponsors regarding later amendment of the deadlines, deliverables, team membership or other issues.

References

BadgIRT: http://www.cio.wisc.edu/security/report/
CIO: http://www.cio.wisc.edu/
IT Policy Plan: https://wiki.doit.wisc.edu/confluence/x/AgVU
IT Policy Process: https://wiki.doit.wisc.edu/confluence/x/-QRU
IT Policy Wiki: https://wiki.doit.wisc.edu/confluence/x/3JA-/
ITC: http://itc.wisc.edu/
OCIS: http://www.cio.wisc.edu/security/
Restricted Information: http://www.cio.wisc.edu/security/uwdata.aspx#restricted

Team Membership

Name                 Unit                 Represents
Judy Caruso          CIO Office           CIO Office
Nichelle Cobb        School of Medicine   IRB's
Jeanine Critchley    Risk Mgt.            Risk Mgt.
Gary De Clute        CIO Office           Staff (role)
Dave De Coster       Engr                 IT staff, BadgIRT
Mary Kirk            HR                   OHR, employee data
Marilyn McIntyre     DEM                  Student data
Jeff Savoy           OCIS                 OCIS, law enforcement
Eric Straavaldsen    SAA                  IT staff

Contact