  • PAT EC Meeting 2019-12-03

Policy Planning and Analysis Team Executive Committee (PAT EC) Meeting

Wed, 3:00-4:00, Rm 2112CS (Bob's Office)

Attending: __Bruce Barton, _x_Jennifer Bonifas, _x_Joe Salmons, _x_Bob Turner, _x_Sue Weier. Also attending: _x_Gary De Clute (facilitator), _x_Ed Jalinske (IT Policy Lead), __Kim Miller (Communications), __Stefan Wahe (Assoc. CISO), also __Steve Tanner and __J.J. Du Chateau (Portfolio Subcommittee)

Agenda

  1. Preliminaries: Welcome, introductions, agenda review, and notes from prior PAT EC meeting, review prior PAT meeting, announcements. (5 min)
    Handouts: Prev EC meeting minutes

    • Notes are from October. The November EC meeting was canceled.
    • Please send comments and corrections to Gary. 
  2. Review previous PAT plenary meeting (Oct), previous meeting (Nov) (5 min) 
    Goal: Improve the PAT plenary meetings
    • Skipped this in the interest of time. Send any comments to Gary.
  3. PAT Subcommittees, Status and Reports (20 min)
    Goal: Manage the PAT subcommittees.
    Items updated since the last EC meeting are underlined and colored red.
    1. Communications (ongoing) – See 2019-10-16 and 2019-11-20 for meeting notes.
      Goal this EC meeting: FYI
         * FYI.
    2. Portfolio (ongoing) – See 2019-10-08 for meeting notes.
      Goals this EC meeting: Review Team Description.
         *
      Handouts:
             * Team description
             * Email thread with results of the voting (as of 2019-10-24, will be updated if there is further traffic)

    3. Process (ongoing) – See 2019-11-12.
      October meeting was canceled due to lack of attendance.
      Goal this EC meeting: FYI.
         * Ed proposed using the IRAC process during steps 2 thru 6 of the policy process. IRAC is: Issues, Rules, Analysis, Conclusions. This is a methodology that is well established and widely used in the legal profession.
         * This is a significant optimization.
             * It allows us to have a single document that evolves forward during each step and serves as:
                     * the Recommendations of step 2,
                     * the Proposal of step 3, and
                     * the Policy Analysis of steps 4 thru 6. See notes for details.
             * IRAC also allows us to streamline step 2 (Recommend) by using the methodology to make recommendations in a more well-defined manner.
                     * Historically, step 2 is by far the longest "development step" (i.e. among steps where actual development of a document is occurring, from 2. Recommend thru 6. Approve).
    4. PAT Drafting Teams
      Goal this EC meeting: FYI.
        * We have drafting teams in place for all initiatives that are or have been drafting proposals and policies.
        * Some initiatives that are still in the planning stage do not yet have a complete drafting team, but we know who might lead it.
      The PAT Executive Committee sponsors and provides direction to the PAT Drafting Teams. Many different groups and individuals review and suggest changes to policy-related documents. The DT has editorial control of the documents for a particular IT Policy initiative. Please see the PAT Charter for details. Updated: 2019-09-29.

      Active Drafting Teams

      Pending Drafting Teams

    Action on subcommittee status:
    • Agreed that the Portfolio Subcommittee should focus on recommendations on how to manage portfolios and the criteria for making decisions about type and mix of documents, rather than being directly involved in the actual management of any particular portfolio or making decisions about any particular document(s) in a portfolio.
    • The actual management and decision-making for a particular portfolio and document are the responsibility of the Portfolio Manager. The Portfolio Subcommittee could discuss particular cases for the purpose of improving the general recommendations described above.
    • The portfolio subcommittee would not be directly part of the execution of the policy process, but would be monitoring the relevant portions in order to provide general advice as described above. The three most relevant steps are: 1 Plan, 2 Recommend, and 9 Review, because those are where most of the decisions are made regarding portfolio-related issues.
    • Regarding concerns that a policy initiative might be too far along before the PAT has the opportunity to provide guidance:
      • Each of steps 1-4 has check points at which the PAT is consulted.
        • Step 1 Plan - The plan is presented and endorsed by the PAT. The draft charter (if one is needed) is usually presented to the PAT for comment.
        • Step 2 Recommend - The recommendations are presented to the PAT for comment. The PAT EC can monitor the PST and provide input as needed.
        • Step 3 Propose - The proposal is presented to the PAT for comment and the PAT has the option to vote to endorse / not endorse prior to sending the proposal forward. The PAT has the option of providing a Policy Analysis to accompany the proposal. The PAT EC often appoints and manages the drafting team, and however the DT is appointed and managed, the PAT EC can monitor and provide input as needed.
        • Step 4 Draft - The draft documents are presented to the PAT, and the PAT votes to endorse prior to sending the drafts forward. The PAT would ordinarily send a Policy Analysis along with the draft documents. The PAT EC would usually appoint and manage the drafting team (if there is not already a DT), and can provide input as needed.
      • Assuming that the above process is executed as described, the PAT has ample opportunity to provide guidance and to endorse / not endorse the result. This includes input on those portions that are the responsibility of the Portfolio Manager. The Portfolio Subcommittee would be aware of the above activity and could use the activity as case studies to improve portfolio management.
    • Regarding the policy process, Ed presented a summary of the IRAC process and provided a PDF file with a description.
      • Gary presented how it could be integrated into the policy process steps 2 thru 4.
      • In addition, if the CIRAC variant is used, it would be applied during steps 1 thru 4.
      • See the Process Subcommittee November 2019 meeting notes for an outline of IRAC and how it could be applied to the policy process.
  4. Adjustment of PAT Work Plan (5 min)
    Goal: Discuss significant adjustments to the work plan, as needed.
    The major change currently under consideration is the need to delay the Proposal to Develop an Endpoint Management and Security Policy, and possibly to move up the draft IT Credentials Policy approval from Feb to Jan.
    Handouts:
       * Adjusted Work Plan, including comments on the proposed change(s) (version 2019-11-21.)
       * Adjusted Schedule of IT Policy-related Activity (version 2019-11-21)
    Reference: PAT Work Plan page (on the Policy Wiki), ITC Schedule (on Policy Wiki)
    Action:
    • Agreed on the change of schedule for the Endpoint Management and Security Policy.
      • The change in schedule was needed because the CDM Advisory Group is still working on recommendations.
        • Need to do one of two things:
          • encourage the CDMAG to continue working on the recommendations and complete them soon
          • or alternatively, use this as the first opportunity to apply the IRAC process for producing recommendations.
        • Either way, action is needed quickly in December and January in order to present a Proposal and get it approved by the ITC this spring.
          • To do that, the Proposal must be initially presented to the ITC no later than their April meeting.
          • This implies that the Proposal must start development no later than March. (A proposal takes at least a month to review before sending it to the ITC.)
          • This implies that the recommendations are needed no later than the end of February.
        • Ed is writing up the IRAC process and will take the lead on using it for the Endpoint Management and Security recommendations.
        • Role of CDMAG is TBD. Perhaps they could be the team that executes IRAC for this policy? Not yet decided.
      • Discussed the possibility of issuing a provisional policy in the spring, preferably after the Proposal is approved, (or at least after it is written.)
        • Basing the provisional policy on the text of the proposal would increase the probability that the provisional policy will be "in the ballpark" with the final policy approved in the fall.
        • The policy, (whether provisional or final,) needs to be issued along with the rollout of the endpoint management implementation, so the actual time frame for issuing it depends upon the schedule for the rollout.
        • Bob will ask Jeff Savoy to estimate the time frame, and keep the PAT informed as the project progresses.
        • The hope is that rollout will begin in the summer. If so, a provisional policy in a May/June time frame would be appropriate.
    • Also discussed sending the IT Credentials Policy to the ITC in January instead of February, in order to reduce the crunch of approvals by the ITC in late spring.
      • To go direct to the ITC implies skipping IT Governance endorsement.
      • This particular policy may not need much in the way of endorsement. The only controversial component is the revised password standard, and although it is possible to discuss the password standard anywhere from briefly to endlessly, it is not practical to change the major provisions, which were discussed and agreed upon in the summer of 2018, and to which UW-Madison is already committed with regard to compliance with the UW System policy.
      • Decided that UW-MIST had to be informed on Thursday Dec 5 of this possibility, otherwise those on UW-MIST (and elsewhere) who are also on IT Governance might be surprised that the policy did not come to them for endorsement.
      • Final decision has not been made. Gary will tentatively plan on the policy going to the ITC in January.
      • It is also possible to do an accelerated endorsement by IT Governance starting in December if we move very quickly to initiate that.
  5. Review of PAT Charter Revisions (10 min)
    Goal: Discuss briefly. Review after the meeting and respond by deadline.
    Handouts:
       * Draft revision with changes from the previous version distributed to the PAT for comments. (version 2019-10-25 TO 2019-11-29)
    Reference:
       * Clean copy of latest revision (version 2019-11-29)
    Action:
    • Please review and make suggestions to Gary by COB Tue, Dec 10
    • Final version as modified by the EC will go to the ITC for the first reading on Dec 20, approval anticipated on Jan 17.
  6. Description of IRAC - Ed Jalinske (10-15 min)
    Goal: Introduction to how the technique can be used in IT Policy work.
    NOTE: May do this by lengthening the Subcommittee discussion above.

    Action:
    • See agenda item #3 above.
  7. Planning for the next plenary meeting of the PAT (5 minutes)
    Goal: Plan the next plenary meeting agenda. Review pending agenda items for future PAT meetings.

    Handout:  Draft agenda  
    Action:
    • Agenda is OK. (It is pretty much determined for the Dec meeting by the schedule of ITC policy activity.)
  8. Routing of a discussion on balancing strength of security vs. disruption (5 min)
    Goal: Recommend whether or not this should be addressed at the PAT first (in January), or whether this is a discussion that should go directly to the ITC.

    Action:
    • Decided that this issue should go directly to the ITC.
    • Bob and Joe will discuss further.
  9. Review of status and planning documents (as time permits)
    Goal: Review highlights of the following status and planning documents (see latest versions).
       * Policy Initiative Chart
       * PAT Work Plan

       * PAT Vision
       * Proposed Schedule of ITC policy-related activity

    Handouts: All of the above.

    Action:
    • ...
  10. For next EC meeting:
    Standing agenda items:
    • Review previous plenary meeting.
    • Review, adjust subcommittee activity.
    • Set agenda for the next plenary meeting agenda.
    Special agenda items:
    • ...

PAT Status Summary


Ground Rules

  1. Everyone must be treated respectfully, whether present or not.
  2. Everyone present who wants to speak on a topic must have a chance to speak.
  3. Attend more often than not, and review materials when you can't attend.
  4. Don't be shy, or worry about perception of an idea - we need open borders for these discussions.
  5. Let's park side issues or extensive detail for future work by this team, or others.

Future Agenda Items

  • Discussion of balancing strength of security vs. disruption. Decide if this should be addressed at the PAT first (in Nov), or is this a discussion that should go directly to the ITC.

Meeting Schedule

  • PAT EC Meeting 2020-02-04, Tue 3:00-4:00, Rm 2112CS (CISO's Office)
  • PAT EC Meeting 2020-03-03, Tue 3:00-4:00, Rm 2112CS (CISO's Office)
  • PAT EC Meeting 2020-04-07, Tue 3:00-4:00, Rm 2112CS (CISO's Office)
  • PAT EC Meeting 2020-05-05, Tue 3:00-4:00, Rm 2112CS (CISO's Office)
  • PAT EC Meeting 2020-06-02, Tue 3:00-4:00, Rm 2112CS (CISO's Office)
  • PAT EC Meeting 2020-07-07, Tue 3:00-4:00, Rm 2112CS (CISO's Office)
  • PAT EC Meeting 2020-08-04, Tue 3:00-4:00, Rm 2112CS (CISO's Office)

PAT EC members


  • Bruce Barton. Type: Appointed by DTAG. Unit: GLS.
  • Jennifer Bonifas (Co-chair). Type: Appointed by ITSC. Unit: SMPH.
  • Joe Salmons (Co-chair). Type: Chair of ITC. Unit: ITC.
  • Bob Turner. Type: Permanent (CISO). Unit: Cybersecurity.
  • Sue Weier. Type: Appointed (Interim). Unit: L&S.

Quorum is three. Also attending as ex officio: Sara Tate-Pederson (SME IT Policy), Ed Jalinske (SME IT Policy), Kim Miller (Communications), Stefan Wahe (CALS)
