
Previous Meeting | Next Meeting (of PSIFramework)

Information Incident Reporting Policy Stakeholder Team (IReport PST)

Thursday Nov 20, 2008, 11:00-12:00 Rm 3139C CS

Notes

Note: This meeting is the formal presentation of the IReport recommendations to the CIO.

  1. Agenda review. (All) OK

  2. Incident reporting as part of a broader framework for protection of sensitive information.

    Action: Continue to work on PSIFramework.

  3. How broad should the reporting requirement be: Only incidents involving sensitive information? Broader?

    Action:
    • At the November forum people raised the issue of reporting incidents other than unauthorized access to sensitive information. The question was: should reporting of all of those types of incidents also be required? In response, the team decided that the IReport initiative focuses specifically on incidents involving unauthorized access to sensitive information, and the proposed policy will only mandate reporting of such incidents. The team's recommendations do, however, make explicit that people may voluntarily report any other type of incident or policy violation.
    • Strong policies to increase information security can save the university money that would be spent on monitoring and incident remediation.

  4. Compliance issues:
    • Economic incentives for units to report.

      Action: Ron has been having conversations with faculty members and university leadership regarding the question of economic incentives to improve information security. The basic model for such incentives would be: if the unit takes certain steps or does certain things, then the university will "indemnify" it for up to some high percentage of the cost of responding to an information security incident, but if the unit does not do those things, the university will only indemnify it for a lower percentage.

    • Protection of individuals who report incidents.

      Action: We did not discuss specifics at the meeting, other than to recognize that protection of individuals must also be addressed during drafting and implementation of the policy.

  5. Implementation management:
    • Who owns what parts?

      Action: Possible partnership between Risk Management and CIO office. Also want to get Internal Audit further engaged with OCIS regarding information security.

    • How to coordinate?

      Action: Coordination will be provided by an implementation team, however, certain actions will begin before the implementation team is formed. See next steps below.

    • Further discussions with the campus community?

      Action: See next steps below.
  6. Next steps. (All)

    Action: The following will occur with the goal of presenting the policy and implementation plan to the ITC at their January or February meeting.

    Bulleted items will occur in parallel.
    Actions under each bulleted item are sequential.
    • Drafting, vetting and endorsement:
      1. Draft policy language (Gary De Clute)
      2. IReport PST reviews the draft to assure that it conforms to the recommendations, and to suggest improvements to the language
      3. CIO reviews the draft
      4. IMLG reviews the draft
      5. Administrative Council and Vice-chancellors Reporting Group review the draft
      6. ITC reviews the draft
      7. Formalize (TBD)
    • Form implementation Team:
      1. Existing IReport team will serve as the interim implementation team.
      2. Invite someone from Internal Audit and UW PD to serve on the implementation team; the other members are any IReport team members who want to continue
      3. Schedule first meeting. Assure that all can attend
    • Definition of Sensitive Information:
      1. IMLG will review MSU definition and decide if a modified version will suffice for UW-Madison
      2. CIO will request permission from CIO of MSU to adapt their language for use at UW-Madison
      3. Draft modified version (Who TBD)
      4. CIO reviews draft
      5. IMLG reviews draft
      6. Other groups review draft? (Who TBD)
      7. Formalize (TBD)
    • Compliance incentives:
      1. CIO will continue discussions regarding economic incentives
      2. Draft proposal for incentives (Who TBD)
      3. Review of proposal (Who TBD)
      4. Formalize (Who, how TBD)
    • Communications plan:
      1. Judy Caruso will schedule a meeting of the IReport team with Brian Rust (IT Communications).
      2. Further steps (TBD)
    • Reporting procedure:
      1. Jeff Savoy will propose a reporting procedure
      2. Review (Who TBD)
      3. Include reporting procedure in "implementation" section of the policy language.

  7. Other? None

Future meetings:

Attachments

  • IReport_Recommendations-2008-11-20(… (Microsoft Word 97 Document): 2008-11-20 Information Incident Reporting Recommendations (Final) (RTF). Modified Nov 20, 2008 by GARY W DECLUTE
  • IReport_Recommendations-2008-11-13a… (Microsoft Word 97 Document): 2008-11-13 Final draft of Information Incident Reporting Recommendations (RTF). Modified Nov 18, 2008 by GARY W DECLUTE
  • IncResponseSensitve20081113.xls (Microsoft Excel Sheet): 2008-11-13 UW-Madison Information Incident Response Template (XLS). Modified Nov 13, 2008 by GARY W DECLUTE
  • Information_Incident_Flowchart-2008… (JPEG File): 2008-11-13 UW-Madison Information Incident Response Flowchart (JPG). Modified Nov 13, 2008 by GARY W DECLUTE

See also: IReport Recommendations

