Child pages
  • PAT Meeting 2018-12-07

1:00-2:00, Rm 3139AB CS

Attending: _x_ McKinney Austin, _x_ Bruce Barton, __ Jennifer Bonifas, _x_ Gary De Clute, _x_ J.J. Du Chateau, __ Jason Erdmann, _x_ Mary Evansen, _x_ Sarah Grimm, __ Ed Jalinske, _x_ Noel Kim, __ John Krogulski, _x_ Kristen Mcroberts, _x_ Beth Martin, _x_ David Parter, __ Amanda Reese, _x_ Joe Salmons, __ Chris Spencer, _x_ Eric Straavaldsen, _x_ Sara Tate-Pederson, _x_ Bob Turner, _x_ Sue Weier.

Agenda

  1. Welcome, notes from PAT Oct meeting and PAT Nov meeting (5 min)
    • Deferred
  2. Announcements (10 min)
    • The ITC approved the Network Firewall Policy on Nov 16 – Joe Salmons and Bob Turner
    • Should the PAT meet for one hour each month instead of 90 minutes? – Joe Salmons and Jennifer Bonifas
    • Other? – All
    Action:
    1. Deferred.
  3. Coordination of Data Policy and IT Policy – McKinney Austin and Bob Turner (45 min)
    1. Open question:
      • Which policies are data policies and which are IT policies.
    2. Open question:
      • How to make the decisions?
    3. Policies of interest at this time:
      • Data Classification Policy
      • Restricted Data Security Management Policy
    4. Regarding data classification
      1. Data stewards need practical guidance on the downstream consequences of classifying data
        • UW System policy requires that data stewards be trained
        • What that training will contain is TBD.
      2. Need to coordinate with Records Management
      3. Need a process for deciding the classification of a particular data set
      4. Need an interim statement of how to navigate among different versions of data classification now published (i.e. UW System, Data Governance, IT Policy – all have differences.)
    5. Regarding a data policy portfolio:
      1. Possible next steps regarding a data portfolio
        • Working group to discuss data policy portfolio
        • Brainstorming session to explore data policy portfolio
      2. Next step on data policy portfolio
        • Think about a possible brainstorming session.
    6. Next steps on coordination of Data policy and IT Policy
      1. Data Governance is working on naming Data Stewards.
      2. Revisit relationship of Data Policy and IT Policy in the future.
      3. In the meantime, use the current Data Classification Policy from IT Policy as the record of previous detailed classification decisions at UW-Madison until it is updated or superseded by something else.

  4. Status of initiatives (as time permits)
    Handout: Latest Policy Initiative Chart 
       
  5. For next agenda:
    • Status from Portfolio Subcommittee on Data Portfolio – Dave Parter and Bob Turner (10 min)
    • Discussion with the PAT Communications Subcommittee. 

PAT Status Summary


Ground Rules

  1. Everyone must be treated respectfully, whether present or not.
  2. Everyone present who wants to speak on a topic must have a chance to speak.
  3. Attend more often than not, and review materials when you can't attend.
  4. Don't be shy, or worry about perception of an idea - we need open borders for these discussions.
  5. Let's park side issues or extensive detail for future work by this team, or others.

Future agenda items

In no particular order:

  • Pending charter revisions: Term lengths, PAT quorum language, other items yet-to-be-identified. (Fall 2018)
  • Incident Response Subcommittee Recommendations (Fall 2018)
  • Improvement of policy/procedure templates to identify the Responsible Executive(s), the deployment plan, the compliance plan, and the monitoring of and reporting on deployment and compliance. (Fall 2018)
  • Adjustment of the mix of SMEs, including possible addition of a representative from the Academic Policy Office, DoIT Departmental Support, and others yet-to-be-identified. (Fall 2018)
  • Mix of At-large members to represent an appropriate mix of large and small units. (Fall 2018)

Meeting Schedule

  • PAT Meeting 2019-09-26, Thu 9:00-10:00, Rm 3139AB CS *
  • PAT Meeting 2019-10-15, Tue 3:30-4:30, Rm 3139AB CS
  • PAT Meeting 2019-11-19, Tue 3:30-4:30, Rm 3139AB CS
  • PAT Meeting 2019-12-17, Tue 3:30-4:30, Rm 3139AB CS

PAT Members


Member                          | Unit                 | Type
McKinney Austin                 | ODMAS                | Appointed by CDO
Bruce Barton (EC)               | Libraries            | Appointed by IT Governance
Jennifer Bonifas (Co-chair, EC) | SMPH                 | Appointed by IT Governance
Open                            |                      | Appointed by RTAG
Gary De Clute (Facilitator)     | CIO Office           | SME, IT Policy
J.J. Du Chateau                 | DoIT                 | SME, Enterprise Architect
Jason Erdmann                   | Education            | At-Large
Open                            |                      | At-Large
Kim Miller                      | DoIT                 | SME, Communications
Sarah Grimm                     | Archives             | SME, Records Mgt
Ed Jalinske                     | Cybersecurity        | SME, SETA
Noel Kim                        | Engineering          | At-Large
John Krogulski                  | WIDA                 | At-Large
Beth Martin                     | Pharmacy             | Appointed by TLTAG
Open                            |                      | Appointed by IT Governance
David Parter                    | CS                   | At-Large
Amanda Reese                    | Office of Compliance | Appointed by OOC
Joe Salmons (Co-chair, EC)      | ITC                  | Permanent (Chair of ITC)
Chris Spencer                   | SMPH                 | SME, Cybersecurity
Eric Straavaldsen               | DoIT                 | SME, Enterprise Systems
Sara Tate-Pederson              | AIMS                 | SME, User Services
Bob Turner (EC)                 | Cybersecurity        | Permanent (CISO)
Sue Weier (EC)                  | L&S                  | Appointed (Interim)
Open                            |                      | At-Large

Some appointments are interim. At-Large = Community Representative. EC = Executive Committee. SME = Subject Matter Expert.
Appointed and permanent members vote. Nine voting positions are currently filled. Quorum is a majority of voting positions currently filled.

Status of Policy Initiatives

  • Policy Initiative Charts. Updated the first week of the month.

  • Status tables (below). Updated before each PAT meeting. Sorted first by priority, and second by process step.
Columns: Initiative, Priority, Step, Status.

Initiative: Password Policy revision (link to wiki page; this is the same page as the Credential Policy page)
Priority: 1 Top
Step: Step 9, Review (Revision at Step 4, Draft)
Status:
  • See PAT Meeting 2018-04-06 for entries prior to 05/04/2018
  • (05/04)
    • IAM Council (note name change) met for the first time on 05/02.
    • Password policy is the top priority.
    • Will meet bi-weekly.
  • (06/01)
    • IAM Council met 5/24, and discussed password standard and related issues.
  • (7/13)
    • IAM Council has met several times.
    • The parameters of the new standard are not yet final.
  • (8/3, 9/7, 10/5, 11/09, 12/07)
    • Parameters for password standard now determined.
    • MFA rollout (in Spring) will be synchronized with password standard change.
    • Need to make sure language in password standard is compatible with messages to campus during that rollout.

Initiative: IT Policy Principles and Procedures (link to wiki)
Priority: 2 Top
Step: Step 9, Review (Revision at Step 6, Approve)
Status:
  • (10/5)
    • Finished a draft in July.
    • Needs review by CIO, then on to ITC for approval. (Not sure if IT Gov would be interested. If so, they review too.)
    • May want to rename it "Policy on Policies", per suggestion by CIO
  • (11/09)
    • Submitted to ITC for their review and approval
    • Title is still "IT Policy Principles and Procedures". Can be changed as needed.
  • (12/07)
    • ITC discussed the PP&P at their Nov 16 meeting.
    • More discussion planned at their Dec 21 meeting.
    • Vote tentatively scheduled for their Jan 18 meeting.

Initiative: Credential Policy (link to wiki page)
Priority: 3 Top
Step: Step 2, Recommend
Status:
  • See PAT Meeting 2018-04-06 for entries prior to 05/04/2018
  • (05/04, 06/01, 7/13, 8/03)
    • IAM Council (note name change) met for the first time on 05/02.
    • Password policy is the top priority. Credential policy will follow in time.
    • Will meet bi-weekly.
  • (9/07)
    • MFA rollout will be this Winter and Spring for faculty/staff and student employees. Students will follow.
    • IT policy forum on Nov 6 will be on Credential Policy
  • (10/05, 11/09)
    • Will start writing proposal for the Cred Policy after Nov 6 forum.
    • Hope to have policy done and approved by end of Spring.
    • More likely will slide into Fall. Middleware and IAM Council will be VERY busy with MFA. Not sure they will be able to address the assurance issues until Fall. TBD.
  • (12/07)
    • PAT Portfolio team needs to consider how a Credential policy should be organized.
    • Gary will propose an organization for the Portfolio subcommittee to review at their Dec meeting.
    • Full PAT could review at their Jan meeting.

Initiative: Web Accessibility Policy (link to wiki page)
Priority: 5 H
Step: Step 9, Review (Revision at Step 1, Plan)
Status:
  • See PAT Meeting 2018-04-06 for entries prior to 05/04/2018
  • (05/04)
  • (06/01)
    • Portfolio Subcommittee met 5/30 and discussed the Digital Accessibility Portfolio.
    • Can start forming a team, but cannot meet until new Director can participate.
  • (7/13, 8/03)
    • Finalists for Director of Accessibility have been selected.
    • Hoping the person will be hired in August, arrive early this Fall.
  • (9/07)
    • Phyllis Treige is the new director. Gary met with her.
    • We first need to do a maintenance update to repair some factual errors in the policy.
  • (10/05)
    • Phyllis and Gary are working on the draft of the maintenance update.
  • (11/09, 12/07)
    • Phyllis and Gary are still working on the draft of the maintenance update.
      • Phyllis is consulting with Dir. of Compliance, and others.
    • Phyllis and Gary are working on charter for the policy stakeholder team.
      • This is more complex than usual because there are multiple outside mandates, and multiple projects already underway that overlap with the possible domain of the PST.

Initiative: Continuous Diagnostics and Mitigation Implementation Plan (link to wiki page) (a.k.a. Vulnerability Scanning; also related to the DoIT Computer Logging Statement)
Priority: 5 H
Step: Step 3, Propose, or Step 4, Draft (TBD)
Status:

  • See PAT Meeting 2018-04-06 for entries prior to 05/04/2018
  • (05/04, 06/01, 7/12, 8/03, 9/07, 10/05)
    • Office of Cybersecurity is considering creation of a Cybersecurity Initiative Advisory Group (name is tentative).
      • This would serve in the role of a CDM steering group, and more generally advise on other initiatives beyond CDM, rather than having separate advisory groups organized by functional or technological silo.
      • Would consist of both non-technical and technical staff, at the middle management level.
      • Would complement UW-MIST, which is largely a technical group of IT staff.
      • Much discussion remains. Stakeholders will be consulted. The new CIO needs to have input, etc.
    • UW System has created a two year work plan that includes a significant CDM component.
      • Will tie in with the UW-Madison CDM implementation plan. Exactly how TBD.
  • (11/09)
    • UW-MIST co-chairs were tasked with chartering a CDM Advisory Group (name is tentative.)
    • First draft of charter completed, and under revision by the co-chairs.
    • Eleven volunteers have already been identified.
  • (12/07)
    • At the PAT 11/9 meeting, discussed whether to write a policy at UW-Madison or build an implementation plan for the UW System policy.
    • Leaning toward Implementation Plan, but did not have a quorum to make a decision.
    • We will need to decide soon. Perhaps in January.

Initiative: IT Assets Inventory implementation plan (project page)
Priority: 5 H
Step: Step 1, Plan
Status:
  • (10/5, 11/09)
    • IT Assets Inventory Implementation plan is in response to the UW System Policy.
    • There is a working group exploring how to implement this at UW-Madison.
  • (12/07)
    • UW System has not yet issued a policy, and might not do so for several months.
    • UW-Madison can start to develop a policy, and can offer that work to UW System as a starting point for UW System policy.
    • To that end, UW-Madison could start a policy stakeholders team, develop recommendations, and proceed as far as Step 3, Propose. At that point, if UW System is about to issue a policy, the UW-Madison effort can be re-organized into development of an Implementation Plan.
    • IT Assets Acquisition Definition could be rolled into the above effort.
    • Portfolio Subcommittee could consider this at their Dec meeting.

Initiative: IT Assets Acquisition Subcommittee (link to wiki page)
Priority: 6 MH
Step: N/A
Status:
  • See PAT Meeting 2018-04-06 for entries prior to 05/04/2018
  • (05/04)
    • Subcommittee has met twice. Is working on a preliminary definition. See 04/18 IT Assets Meeting notes.
    • On track to report preliminary results to the PAT EC on May 18.
  • (06/01)
    • Delivered preliminary results to PAT-EC on 5/18.
    • Met on 5/23. On track.
  • (7/13, 8/03)
    • Subcommittee concluded that the scope has increased to the point that the team needed to be re-chartered, with formal sponsors.
    • Team will not meet again until there is a draft charter for them to review.
  • (9/07)
    • We need to rename this so it does not conflict with the Cybersecurity IT Assets effort.
  • (10/5, 11/09)
    • Looks like the Cybersecurity IT asset inventory management will also include acquisition.
    • How non-Cybersecurity acquisition will be handled is TBD.
    • We are scheduled for an audit of IT purchases in 2019. Details TBD.
  • (12/07)
    • See IT Assets Inventory and Management Plan

Initiative: SETA Implementation Plan (link to wiki page)
Priority: 6 MH
Step: Step 4, Draft
Status:
  • See PAT Meeting 2018-04-06 for entries prior to 05/04/2018
  • (03/02, 04/06, 05/04, 06/01, 8/03, 9/07, 10/5)
    • Ed Jalinske (SETA lead) discussed SETA with UW-MIST on 03/01.
    • The SETA advisory group is forming.
    • Ed drafting text for use in the policy implementation plan.
  • (11/09)
    • Ed is organizing a Security Education and Awareness Committee (SEAAC) to serve as the advisory group for SETA.
    • This advisory group would, among other things, advise on the implementation plan to be published on the IT policy KB.
  • (12/07)
    • Gary will draft a policy implementation plan, using material from the more detailed SETA plan that Ed has already developed.
    • The new SEAAC could consider that draft and suggest improvements.
    • TBD who else should review the plan.
    • We could publish it as soon as SEAAC and others are OK with the plan.

Initiative: Network Firewall Policy (link to wiki page)
Priority: 7 M
Step: Step 8, Comply
Status:

  • (05/04/2018)
    • IT governance has formed a cross-TAG policy review team. The first meeting has been scheduled for Wed, May 9, to review the Network Firewall Policy.
    • The review team will recommend further action by IT governance.
    • After IT governance review, the policy will go to the ITC this Fall.
  • (06/01)
    • Cross-TAG team reviewed policy, but need to see changes before endorsement.
    • ITC discussed, but needs to wait until Cross-TAG team has finished. Might vote by email if that is permitted.
    • Could issue the policy as provisional, and finish approval in the Fall. Under consideration.
  • (7/13, 8/03, 9/07)
    • Policy was issued on June 18 as provisional, expiring one year from that date.
    • ITC will consider and approve it this Fall, which removes the expiration date and provisional status.
    • The ITC could make changes before approving it.
  • (10/05)
    • First meeting will be Oct 11, 3:00-4:00, Rm B109 CS
    • There are 18 confirmed members. See: Firewall Advisory.
  • (11/09)
    • Policy package has been submitted to the ITC for their review and approval.
    • All teams and subcommittees of the Network Firewall Advisory Group (NFWAG) have met at least once.
    • Target is to provide some initial recommendations to the Sponsors by Jan or Feb.
    • You can track status by viewing: Firewall Advisory Status.
  • (12/07)
    • The ITC approved the Network Firewall Policy at their 11/16 meeting!
    • Policy and Implementation Plan have been updated on the IT Policy KB.
    • The Network Firewall Advisory Group (NFWAG) has been formed and is meeting regularly, including subcommittees on Rules & Procedures, and Communications.
    • This will be the last entry until the Implementation Plan is due for revision in about a year.
    • To track ongoing status, see Firewall Advisory Status.

Initiative: Information Incident Reporting and Response (IReport) policy (link to wiki page)
Priority: 7 M
Step: Step 9, Review (Revision at Step 2, Recommend)
Status:
  • See PAT Meeting 2018-04-06 for entries prior to 05/04/2018
  • (05/04)
    • First Incident Response Subcommittee meeting scheduled for May 14. See agenda.
  • (06/01, 7/13, 8/03, 9/07, 10/05, 11/09, 12/07)
    • First meeting was on May 14. Next step is a table top exercise.

Initiative: Data Classification to Support System Security Policy (link to wiki page)
Priority: 7 M
Step: Step 9, Review (Revision at Step 2, Recommend)
Status:

  • See PAT Meeting 2018-04-06 for entries prior to 05/04/2018
  • (05/04, 06/01)
    • PAT is engaging in an exercise to help identify types of data for which further guidance from Data Governance would be helpful.
  • (7/13, 08/03, 9/07, 10/5)
    • Status of data classification at UW-Madison is unchanged.
  • (11/09, 12/07)
    • McKinney Austin (interim CDO) and Bob Turner (CISO) are engaged in discussion about how to coordinate Data Policy and IT Policy
    • This topic is tentatively on the agenda for the December PAT meeting.

Initiative: Encryption (IEncrypt) Policy (link to wiki page); see also PAT Encryption Subcommittee (link to wiki page)
Priority: 7 M
Step: Step 9, Review (Revision at Step 3, Propose)
Status:
  • See PAT Meeting 2018-04-06 for entries prior to 05/04/2018
  • (05/04)
    • Subcommittee has met twice. Is working on suggested policy changes and compensating controls. See 04/18 Encryption Meeting notes.
    • On track to report preliminary results to the PAT EC on May 18.
  • (06/01)
    • Delivered preliminary results to PAT-EC on 5/18, and to CISO on 5/23.
    • Includes possible compensating controls.
  • (7/13)
    • The Encryption Subcommittee completed the draft revision of both policy and standard.
    • UW-MIST reviewed them on 7/12. No substantive changes.
  • (8/3, 9/07, 10/5)
    • At the July PAT meeting, the PAT decided that the risk of publishing the revision developed with the accelerated process was greater than the need to publish it this Summer.
    • Plan - Reset the process to Step 1. Draft a charter for a regular Policy Stakeholders Team. Idea is to do the normal (non-accelerated) policy process.
  • (11/09)
    • PAT EC discussed Encryption at their Oct 19 meeting.
    • The PAT EC believes it may be possible to modify the draft policy developed over the summer, making a few changes to fix the identified problems.
    • The PAT EC is asking UW-MIST EC to take this up at a future UW-MIST EC meeting.
    • If we need to restart the policy process for encryption, we could restart at Step 3 Propose.
      • However, the proposal would need to include an "implementation plan" rather than a "standard" (i.e. the implementation plan would describe how to build and support the "standard".)
      • The real outstanding issue is not the policy, but the implementation plan to support a policy.
  • (12/07)
    • The team engaged in implementing the UW System 2 Yr plan discussed starting an encryption team in order to provide guidance to UW-Madison in complying with the UW System Data Protection Procedures.
    • Decision on this is pending. Request for assistance from UW-MIST EC is on hold until a decision is made.

Initiative: Restricted Data Security Management Policy (link to wiki page)
Priority: 7 M
Step: Step 9, Review (Revision at Step 1, Plan)
Status:
  • See PAT Meeting 2018-04-06 for entries prior to 05/04/2018
  • (05/04, 06/01, 7/13, 8/03, 9/07, 10/5)
    • Identity Finder contract will expire.
    • Office of Cybersecurity is investigating renewal or replacement.
    • Details TBD. UW-MIST, others, will be consulted.
  • (11/09, 12/07)
    • A "restart" of data discovery has been funded.
    • Office of Cybersecurity is hiring a person to lead that program.
    • PD will be posted soon.

 

Selected low and moderate-low priority items. These are not updated unless something has changed.

Columns: Initiative, Priority, Step (no Status entries at this time).

Initiative: Collection of PII via email
Priority: 8 ML
Step: Step 9, Review (Revision at Step 1, Plan)

Initiative: IT Compliance Agreement review and revision (link to wiki page)
Priority: 8 ML
Step: Step 9, Review (Revision at Step 1, Plan)

Initiative: Non-UW-Madison Devices and Services (link to wiki page)
Priority: 8 ML
Step: Step 9, Review (Revision at Step 1, Plan)

Initiative: Electronic Devices Policy (link to wiki page)
Priority: 8 ML
Step: Step 9, Review (Revision at Step 1, Plan)

Initiative: Media and Device Disposal and Reuse (IDispose) policy (link to wiki page)
Priority: 9 L
Step: Step 9, Review (Revision at Step 4, Draft)

Initiative: Possible new policy, paraphrase: Every IT service should have a governance or advisory group (no link available at this time)
Priority: 9 L
Step: Step 1, Plan
