Protection of Sensitive Information during Transmission (ITransmit)
The ITransmit team recommendations are at: ITransmit Recommendations.
To comment on draft documents or any other aspect of IT policy, please add your comments at the bottom of the page in question, or send email to firstname.lastname@example.org. Comments are welcome on any document at any time.
Milestone, Item of interest
|08/15/12||All future implementation activity will be recorded at IEncrypt.|
|08/15/12||PPT Meeting 2012-08-15. PPT decided that Sep 21 would be the target date to publish the revised IEncrypt policy and procedures.|
|08/14/12||Rev C of 2012-07-27 version.|
|08/14/12||ITransmit Meeting 2012-08-14. Discussed forum results, charter for Encryption Futures team. |
Team decided that we should go ahead and publish the policy and procedures in September, and the Encryption Futures team can serve as the implementation team. This is the last ITransmit meeting. Many thanks to the team members!
IT Policy Forum 2012-08. Presented policy and procedures. Discussed what IT staff need in order to implement this policy.
|08/06/12||Rev B of 2012-07-27 version.|
|08/02/12||Presented draft charter of "Encryption Futures" team to UW-MIST meeting.|
|07/30/12||Rev A of 2012-07-27 version.|
|07/27/12||Revised draft policy and procedures. Main change was to add a requirement that restricted data be encrypted on desktop computers. Other changes as well to continue overall improvement of the documents.|
|07/26/12||Consulting with OCIS and DoIT security regarding policy and procedures, recommended tools, need for additional tools, need for team to look at future encryption environment.|
|07/25/12||Special meeting with Policy Planning Team. Discussed forum presentation, questions.|
|07/10/12||ITransmit Meeting 2012-07-10. Reviewed the recommended procedures for faculty, staff and student employees.|
|07/06/12||Clean up of the revised recommended procedures for faculty, staff and student employees. See IEncrypt Policy Drafts|
|06/03/12||Re-write of recommended procedures for faculty, staff and student employees, based on discussion at the ITransmit Meeting 2012-05-22.|
|05/31/12||Minor tweaks for clarity. More significantly, added requirement to encrypt on "cloud services" to the draft of revised policy.|
|05/29/12||Made minor changes to draft of revised policy, suggested at the previous ITransmit meeting.|
|05/22/12||ITransmit Meeting 2012-05-22. Discussed the two tables.|
|05/16/12||New draft documents: summary tables of guidelines for storage/transmission encryption by faculty and staff (two separate docs.) These are for discussion purposes while resolving outstanding questions, and are not entirely consistent with the 4/26 version of the draft revisions and guidelines.|
IT Policy Forum 2012-05. Presented draft policy & procedure revisions at forum. Did not present draft guidelines (team is still discussing them...) Asked for feedback on both policy & procedure revisions and the draft guidelines for fac/staff/students.
|04/26/12||Updated draft revisions to incorporate changes from the ITransmit meeting. The team is still working on the guidelines.|
|04/24/12||ITransmit Meeting 2012-04-24. Review draft revision of IEncrypt policy. Review changes to guidelines for faculty, staff and student employees. Prep for IT policy forum.|
|04/19/12||Updated draft revisions of IEncrypt policy.|
|04/18/12||PPT Meeting 2012-04-18. PPT reviewed draft IEncrypt revisions. Suggested some changes.|
|04/03/12||Updated draft revisions of IEncrypt policy, and guidelines for faculty, staff and student employees.|
|03/27/12||ITransmit Meeting 2012-03-27. Review draft revision of IEncrypt policy. Review new document with guidelines for faculty, staff and student employees.|
|02/28/12||ITransmit Meeting 2012-02-28. Review forum results. Review draft changes to IEncrypt Policy.|
|02/17/12||Began revision of IEncrypt Policy.|
IT Policy Forum 2012-02-07. Presentation at forum.
ITransmit Meeting 2012-01-18. Prep for forum.
Rev A of Recommendations, as presented to CIO, plus additional follow up actions discussed at the Dec 19 meeting.
Final version of recommendations, as presented to the CIO. (Same as 12/07/11, but removed "Draft".)
ITransmit Meeting 2011-12-19 (with CIO). Presented recommendations to the CIO. See meeting notes for additional implementation actions.
Final edits to recommendations
ITransmit Meeting 2011-11-28. Reviewed Recommendations. Prep for meeting with CIO.
ITransmit Meeting 2011-11-14. Reviewed Recommendations.
ITransmit Meeting 2011-10-31. Discussed policy or guidelines?
ITransmit Meeting 2011-10-03. Reviewed Recommendations.
ITransmit Meeting 2011-09-19. Discussed team charter and deliverables.
ITransmit Meeting 2011-08-30. Reviewed Recommendations.
Meeting. Continued brainstorming. Added detail to some issues.
Status report to Office of the CIO, Policy and Security team.
IT Policy Forum, update on status, final call for team members.
Drafting charter, recruiting team members.
PPT Meeting 2011-03-08. PPT reviews results of forum discussion.
IT policy forum. Presentations and discussion of ITransmit. Goal is to measure interest in the community for working on a possible ITransmit policy at this time, and if so, gather community input (and volunteers!)
Arranged speakers to provide background at forum.
Result of feedback: Not sure if policy is needed, but it's worth talking about.
Email inquiry IReport/IEncrypt Joint Implementation Team (IERJIT) requesting input on ITransmit. We need to query the IERJIT team because many of the original members of the IEncrypt team are no longer available for consultation. This also indicates that we will need to form a new team if ITransmit is to proceed.
PPT Meeting 2010-11-10. Discussion of ITransmit. How to proceed. PPT suggests discussing this with the IEncrypt team.
Policy and Planning receives request for development of a policy on encryption of transmitted information. The question therefore arises: should ITransmit be separated from IRM for independent and faster action? Questions to consider include: Is there a compelling need to move forward sooner? Is there support for such policy from the community? Previous discussions (long list below) concluded otherwise, but that was a while ago and opinions may change.
PPT Meeting 2010-03-11. PPT reaffirms the current strategy that protection of transmitted information be addressed as part of the Information Resource Management (IRM) initiative (as part of a standard for protecting sensitive information.) For this reason, ITransmit is consolidated into IRM. There is still no data stewards group, however, and it looks like it could be a while.
Effective date of IEncrypt policy. Attached compliance standards recommend (but do not mandate) encryption of sensitive information when transmitted. Note however, that PCI DSS and HIPAA do require encryption during transmission under certain conditions.
PPT Meeting 2009-04-23. PPT prioritizes possible IT policy initiatives for FY 2009-2010. When discussing ITransmit, the decision is to delay it until we know whether or not the Information Resource Management (IRM) initiative will result in a more general policy that addresses protection of information during transmission. Estimate is that there is a good chance IRM will address it, so a separate initiative would be redundant. For this reason ITransmit does not make the "cut" and is included among those initiatives "less likely to become active". See 03/26/2009 PPT discussion for the background on why this was done.
IT Policy forum. Discussion and multi-voting for possible policy initiatives for the next fiscal year places ITransmit in the "middle of the pack" with 6% of the votes. Several initiatives receive similar vote totals. See: Discussion Results from the 2009-04-06 Forum
Draft IT policy plan for FY 2009-2010 continues to list ITransmit among possible new initiatives, because we want to know how the community feels about the relative priority of that initiative, and also because the development of high level policy may take considerable time, and we want to remain open to the possibility that faster action on ITransmit could be necessary.
PPT Meeting 2009-03-26. Spirited discussion of IT policy strategy. Two schools of thought: (a) development of high level policy first followed (only if necessary) by development of more detailed policy, vs. (b) simultaneous development of high level policy and some more detailed policies. We did not reach consensus. Practical result is to pursue both strategies: attempt to get high level policy first whenever possible, but continue to engage in more detailed policy development when sufficiently compelling needs arise.
ITransmit is included among the policy initiatives in the first draft of the IT Policy Plan for FY 2009-2010.
The team working on a Framework for Protection of Sensitive Information (PSIFramework) presents their recommendations to the CIO. Relevant to ITransmit the recommendations include adoption of a standard for protection of sensitive information, and development of high level data management policy, which is expected to include high level security policy. Of note: an adopted standard would address encryption of sensitive information during transmission. Thus, the question of protection of transmitted information is expected to be resolved as part of the more general discussion of high level policy and adopted standards.
IEncrypt Meeting 2008-12-17. IEncrypt recommendations presented to the CIO. Document suggests that there be a recommendation (not a mandate) under the policy that: "Some form of encryption or secure network connection should be used whenever sensitive information is transmitted. However, there are specific types of sensitive information for which encryption during transmission is required (for example, credit card information under PCI DSS.)"
IEncrypt team continues to discuss encryption of transmitted information. Consensus forms that this should be recommended rather than required, because there will be many cases where it will not be practical to encrypt. Expense of obtaining large numbers of PKI certificates is among the several reasons why a mandate does not appear practical at this time.
IEncrypt Meeting 2008-07-30. Team suggests that: "Confidential information should not be transmitted over public networks unless it is encrypted to maintain privacy." This is added to the draft recommendations dated 8/11/09.
- ITransmit Brainstorming Results
- ITransmit Charter
- ITransmit Current Questions
- ITransmit Description
- ITransmit Meetings
- ITransmit Recommendations
- ITransmit Status
- ITransmit Use Cases