
Charter for Protection of Sensitive Information during Transmission

5/2/2011

Type

Policy Stakeholders Team (PST), temporary

IT Policy Initiative

Protection of Sensitive Information during Transmission See: https://wiki.doit.wisc.edu/confluence/display/POLICY/ITransmit/

Executive Summary

  • The team will make recommendations to the CIO regarding guidelines for protection of sensitive information during transmission.
  • As directed by the CIO, the recommendations will be used to create draft guidelines. The draft will be reviewed by the team, UW-MIST, and others. We anticipate that the result will be guidelines (recommendations) rather than policy (mandates).
  • When approved by the CIO, the guidelines will be published by the Office of the CIO.
  • Follow up activity will include communicating the guidelines to campus and encouraging the development of supporting infrastructure.

Background:

  • At the Feb 3, 2011 IT Policy forum, the participants discussed the overall strategy for protecting sensitive information during transmission.
  • The general consensus was to focus on guidelines rather than policy, and to follow up with awareness and communication of those guidelines.
  • Encryption of HIPAA and payment card data during transmission is required under some circumstances, but similar protection of other sensitive information is not required by law, regulation or contract (that we are currently aware of).
  • Guidelines seem more appropriate in an environment where the decision to encrypt or otherwise protect sensitive information can be left to the individual departments or units.

Compelling Need

  • It appears to be prudent to encrypt or otherwise protect sensitive information during transmission under some circumstances where those protections are not already required.
  • Those additional circumstances are complex, as are the methods available for implementation.
    • The amount of information, frequency of transmission, degree of possible harm, and cost of implementation may be considered.
    • There are a mix of secure protocols, secure network channels, secure and less secure networks and subnets, and a variety of encryption tools or resources such as digital certificates, and the built-in capability already present in web browsers, email, and other clients.
  • By making it easier to identify the above circumstances and solutions, it becomes more practical to implement the additional controls.
  • Guidelines would also serve as a resource in those circumstances where encryption is already required.

Issuing Exec.

The Vice-provost for Information Technology (VP-IT) and Chief Information Officer (CIO)

Sponsorship

Chief Information Officer (CIO)

Stakeholders

In general terms, stakeholders include at least:

  • Those who are required to encrypt or otherwise protect sensitive information during transmission, and could therefore benefit from guidelines as they deploy solutions.
  • Stewards and custodians of data and/or processes that involve transmission of sizeable amounts of sensitive information.
  • Others who find it necessary to transmit sensitive information over less-secure networks or other facilities.
  • IT staff who need to identify and implement solutions.
  • Information security staff who assist others in identifying and implementing solutions.

Deliverables

Report recommendations for guidelines to the CIO.
The team should consider the following:

  • Why do we need to take action as an institution? Upside? Downside?
  • Identifiable circumstances under which encryption of sensitive information would be recommended.
  • The current practical means available to encrypt under those circumstances.
  • The practical experiences of others from whom the campus may gain additional insight.
  • Gaps in the mix of available solutions.
  • Circumstances in which encryption or other protection could be implemented quickly and/or at small expense (i.e. the low-hanging fruit).
  • How to approach awareness and communications.

Review of Drafts

Advise and assist the CIO and Policy and Planning regarding:

  • Review of the early draft(s).
  • Vetting of later draft to the broader campus community.

Deferred issues

The PST should not address:

  • Implementation of specific encryption solutions (beyond identifying gaps as described above).
  • Implementation of encryption strategies in specific departments or units, other than to learn from or cite examples from work already complete, in progress, or soon to begin.

Referred issues

Refer other issues to the CIO:

  • The team should note other significant issues that appear to be out-of-scope, and should forward these separately to the CIO so they may be addressed.

Process

The PST is working within the context of the UW-Madison IT Policy Process. The process is outlined at IT Policy Process (see References). The team's methods of deliberation and resulting recommendations should be consistent with the Key Success Factors of the process:

  • Transparent process
  • Inclusive representation
  • Adequate review and revision
  • Practical implementation

Assumptions

Assumed outcome:

  • The general assumption is that the initiative will result in development of guidelines for encryption or other protection of sensitive information during transmission. The PST may, however, recommend otherwise.

Constraints

The recommendations of the PST must be consistent with:

  • State or federal laws with encryption requirements.
  • Applicable UW System or UW-Madison policies.

Risks

Care should be taken to avoid:

  • Scope creep.
  • Too much time spent on deferred or referred issues.

Communications & collaboration

The team should coordinate its efforts and recommendations as practical with the following:

  • Office of Campus Information Security.
  • DoIT Security (in the role of supporting the information security of enterprise applications).
  • HIPAA Health Care Component and other projects in progress or soon to begin that are working on the protection of payment card and other Restricted Data.

Amendment

This charter may be amended in consultation with the sponsors:

  • The team should initially review the charter and consult with the sponsors regarding any recommended changes.
  • The team may consult with the sponsors regarding later amendment of the deadlines, deliverables, team membership or other issues.

References

  • CIO Policy Website: http://www.cio.wisc.edu/policies
  • IT Policy Process: https://wiki.doit.wisc.edu/confluence/display/POLICY/IT+Policy+Process
  • IT Policy Wiki: https://wiki.doit.wisc.edu/confluence/display/POLICY/Home
  • OCIS: http://www.cio.wisc.edu/security/
  • Sensitive Information: http://www.cio.wisc.edu/policies/SensitiveDataDefinition.pdf
  • Storage and Encryption of Sensitive Information: https://wiki.doit.wisc.edu/confluence/display/POLICY/IEncrypt

Team Membership

Member (Unit):

  • Dale Carder (Network Services)
  • Judy Caruso (CIO Office)
  • Nick Davis (DoIT Security, PKI)
  • Gary De Clute (CIO Office, staff)
  • Rick Konopacki (Med School, HIPAA data)
  • Jim Leinweber (SLH, HIPAA data)
  • Linda Pruss (OCIS, Restricted Data)
  • Phil Saunders (Registrar's Office, FERPA data)
  • Ilene Seltzer (ISIS, Enterprise apps, FERPA data)
  • Eric White (Survey Center, Research data)
