
Information Incident Reporting Policy Stakeholders Team Charter (Final Draft)

Charter for
Information Incident Reporting
Policy Stakeholders Team (IReport PST) 
7/3/08 version (as approved by team and submitted to CIO for review) Membership list revised: 7/23/08.


Policy Stakeholders Team (PST) and implementation team, temporary

IT Policy Initiative

Information Incident Reporting (IReport)

An information incident reporting policy would require employees to report unauthorized access to sensitive information, or the loss or theft of media or devices that might contain sensitive information. Such reporting would allow the institution to investigate and respond appropriately. Sensitive information consists of Restricted Information and other information that might be damaging to individuals or the institution if it were accessed by unauthorized persons.

Compelling Need

Privacy and "Notification" laws
These laws require the university to protect personal data and to notify the affected persons when there is a compromise of certain information. The potential consequences to the institution are large.

Issuing Exec.

Chief Information Officer (CIO)


Chief Information Officer (CIO) or Information Technology Committee (ITC)

Advisory Group

Information incident response leadership team

Other Advisory Groups

Badger Incident Response Team (BadgIRT)
Office of Campus Information Security (OCIS)


Chief Information Officer (CIO)


From 2/4 IT Policy Forum:

  • Deans offices
  • Division of Enrollment Management (student data)
  • Division of Information Technology (enterprise systems)
  • Office of Campus Information Security
  • Office of Human Resources (employee data)
  • HIPAA HCC departments (medical data)
  • IRBs (research data from human subjects research)
  • Legal Services
  • Risk Management
  • University Communications
  • ANY person who handles sensitive data




Phase I. Elaboration

(by Aug 1, 2008)

Report desired outcomes and implementation considerations to the CIO. The team should report:

  • operational or technical goals to be accomplished, and related goals that appear to be out-of-scope.
  • a vision for what success might look like, including the hoped-for impact on the institution.
  • the recommended mix of policies, guidelines, procedures, standards and principles, and the rationale for this mix.
  • significant operational or technical features that the implementation should include or exclude that would enhance the likelihood of success.
  • possible desirable or undesirable side-effects and how these might be enhanced or reduced by the implementation.


For purposes of review and implementation planning the report should specifically address:

  • Definitions. What is a reportable incident? Other necessary definitions?
  • Comments on the Information Incident Response Process, up through step 7 (and step 14 when it immediately follows step 7). In this role the team is completing the work remaining on the Information Incident Response process.
  • How to encourage compliance?
  • How to protect individuals who report incidents?
  • Communications. How to increase awareness?
  • Other considerations that affect the ability and willingness of individuals to report an incident.


Phase II. Drafting

(as needed)

Advise and assist the CIO and Policy and Planning regarding:

  • Review of the draft policy at IT policy forums.
  • Vetting of the revised draft to the broader campus community.


Phase III. Implementation

(as needed)

Advise the CIO, Policy and Planning and others regarding:

  • Implementation plan.
  • Communications plan.

Deferred issues

The PST should not address:

  • What office, in particular, is the custodian of what data.
  • Details of the Information Incident Response Process, steps 9 through 13 (and 14 that follows 13).

Referred issues

Refer other issues to the CIO:

  • The team should note other significant issues that appear to be out-of-scope, and should forward these separately to the CIO so they may be addressed.




The PST is working within the context of the UW-Madison IT Policy Process. The process is outlined in Appendix B of the process recommendations. The team's methods of deliberation and resulting recommendations should be consistent with the Key Success Factors of the process:

  • Campus buy-in
    Inclusive and transparent process with good communications.
  • Appropriate review and revision
    Initial review must be broad and thorough. There must be on-going review and revision.
  • Practical implementation
    Well communicated, cost-effective and enforceable. Can be accomplished with the resources available for the purpose.


Assumed outcome:

  • The general assumption is that the initiative will result in a campus-wide IT policy or policies along with supporting guidelines, procedures, standards and principles. The PST may, however, recommend otherwise.


The recommendations of the PST must be consistent with:

  • The Wisconsin notification law 895.507, and any information incident reporting requirements of FERPA, HIPAA or other relevant state or federal laws.
  • State or federal laws or regulations regarding investigation of information incidents. (Specifics TBD)
  • Applicable UW System or UW-Madison policies. (Specifics TBD)


Care should be taken to avoid:

  • Scope creep.
  • Too much time spent on deferred or referred issues.

Communications & collaboration

The team should coordinate its efforts and recommendations:


This charter may be amended in consultation with the sponsors:

  • The team should initially review the charter and consult with the sponsors regarding any recommended changes.
  • The team may consult with the sponsors regarding later amendment of the deadlines, deliverables, team membership or other issues.






IT Policy Plan


IT Policy Process


IT Policy Wiki






Restricted Information

Team Membership



Judy Caruso

CIO Office

CIO Office

Nichelle Cobb

School of Medicine


Jeanine Critchley

Risk Mgt.

Risk Mgt.

Gary De Clute

CIO Office

Staff (role)

Dave De Coster


IT staff, BadgIRT

Mary Kirk


OHR, employee data

Marilyn McIntyre


Student data

Jeff Savoy


OCIS, law enforcement

Eric Straavaldsen


IT staff