PAT Meeting 2019-09-26

9:00-10:00, Rm 3139AB CS

Attending: _x_ McKinney Austin, _x_ Bruce Barton, __ Jennifer Bonifas, _x_ Gary De Clute, _x_ J.J. Du Chateau, __ Jason Erdmann, __ Sarah Grimm, _x_ Elizabeth Harris, __ Ed Jalinske, __ Noel Kim, __ John Krogulski, __ Kim Miller, _x_ David Parter, __ Amanda Reese, _x_ Joe Salmons, __ Chris Spencer, __ Eric Straavaldsen, _x_ Sara Tate-Pederson, _x_ Bob Turner, _x_ Sue Weier.

Agenda

  • Preliminaries: Welcome, introductions, agenda review, notes from previous meeting, announcements (5 min)
    Goal: FYI
    • The PAT Work Plan and the Proposal to Develop an IT Credentials Policy were both given their first reading at the Sep 20 ITC meeting.
      • On the Work Plan
        • ITC suggested adding a brief description of each initiative. DONE.
      • On the Proposal
        • ITC suggested adding language to the policy about ongoing monitoring and evaluation of the effectiveness of the credentials. DONE.
      • Later, the ITC was invited to send feedback on both by COB on Friday Oct 11.
        • Updates can then be ready for their review a week before their Oct 18 meeting.
      • Plan is for the ITC to vote on both of these at their Oct 18 meeting.
  • IT Assets Inventory Management Proposal (30 min)
    Goal: Does the content look good for a Proposal to Develop an IT Assets Inventory Management Policy?
    Handout: Proposal to Develop an IT Assets Inventory Management Policy (2019-09-23 version)
    Action:
    • Much good feedback. Gary has notes and will make changes.
    • PAT members, please review and comment in detail by COB Oct 7.
  • Recommended revisions to IT Policy Principles and Procedures (20 min)
    Handouts:
    • List of recommended changes to PP&P (2019-09-05 version).
    • Current PP&P in MS Word (2019-03-15 version) (Reference: as published on IT Policy KB)
    Action:
    • Recommendations are OK.
    • Gary will bring a draft revision to the Oct PAT meeting.
  • Status of policy initiatives, PAT work plan, schedule of ITC policy activity (as time permits)
    Goal: Review highlights of the updated initiative chart, work plan, and proposed ITC schedule.
    Policy Initiative Chart (see latest version)
    PAT Work Plan (see latest version)
    Proposed Schedule of ITC policy-related activity (see latest version)
  • For next agenda:
    • Review draft revision of IT Policy Principles and Procedures.

PAT Status Summary

Ground Rules

  1. Everyone must be treated respectfully, whether present or not.
  2. Everyone present who wants to speak on a topic must have a chance to speak.
  3. Attend more often than not, and review materials when you can't attend.
  4. Don't be shy, or worry about perception of an idea - we need open borders for these discussions.
  5. Let's park side issues or extensive detail for future work by this team, or others.
  6. Discuss intent and meaning, rather than the exact language of documents.

On Deck agenda items

  • Discussion of balancing strength of security vs. disruption

Future agenda items

In no particular order:

  • Improvement of policy/procedure templates to identify the Responsible Executive(s), the deployment plan, the compliance plan, and the monitoring of and reporting on deployment and compliance.
  • Adjustment of PAT membership.

Meeting Schedule

  • PAT Meeting 2019-12-17, Tue 3:30-4:30, Rm 3139AB CS
  • PAT Meeting 2020-01-21, Tue 3:30-4:30, Rm 3139AB CS
  • PAT Meeting 2020-02-18, Tue 3:30-4:30, Rm 3139AB CS
  • PAT Meeting 2020-03-17, Tue 3:30-4:30, Rm 3139AB CS
  • PAT Meeting 2020-04-21, Tue 3:30-4:30, Rm 3139AB CS
  • PAT Meeting 2020-05-19, Tue 3:30-4:30, Rm 3139AB CS
  • PAT Meeting 2020-06-16, Tue 3:30-4:30, Rm 3139AB CS
  • PAT Meeting 2020-07-21, Tue 3:30-4:30, Rm 3139AB CS
  • PAT Meeting 2020-08-18, Tue 3:30-4:30, Rm 3139AB CS

PAT Members

Member                          | Unit                 | Type
--------------------------------+----------------------+---------------------------
McKinney Austin                 | ODMAS                | Appointed by CDO
Bruce Barton (EC)               | Libraries            | Appointed by IT Governance
Jennifer Bonifas (Co-chair, EC) | SMPH                 | Appointed by IT Governance
Open                            |                      | Appointed by RTAG
Sara Tate-Pederson              | Cybersecurity        | SME IT Policy
J.J. Du Chateau                 | DoIT                 | SME Enterprise Architect
Jason Erdmann                   | Education            | At-Large
Elizabeth Harris                | Engineering          | Appointed by TLTAG
Open                            | DoIT                 | SME Communications
Sarah Grimm                     | Archives             | SME Records Mgt
Ed Jalinske                     | Cybersecurity        | SME SETA/IT Policy
Noel Kim                        | Engineering          | At-Large
John Krogulski                  | WIDA                 | At-Large
Open                            |                      | At-Large
Open                            |                      | Appointed by IT Governance
David Parter                    | CS                   | At-Large
Amanda Reese                    | Office of Compliance | Appointed by OOC
Shawn Green (Co-chair, EC)      | ITC                  | Permanent (Chair of ITC)
Chris Spencer                   | SMPH                 | SME Cybersecurity
Eric Straavaldsen               | DoIT                 | SME Enterprise Systems
Open                            | AIMS                 | SME User Services
Bob Turner (EC)                 | Cybersecurity        | Permanent (CISO)
Stefan Wahe                     | CALS                 | At-Large
Sue Weier (EC)                  | L&S                  | Appointed (Interim)
Joe Salmons                     | ITC                  | At-Large

Some appointments are interim. At-Large = Community Representative. EC = Executive Committee. SME = Subject Matter Expert.
Appointed and permanent members vote. Nine voting positions are currently filled. Quorum is a majority of voting positions currently filled.

Status of Policy Initiatives (updated on 6/12)

  • Policy Initiative Charts. Updated the first week of the month.

  • Status tables (below). Updated before each PAT meeting. Sorted first by priority, and second by process step.
Initiative | Priority | Step (status notes follow each entry)

IT Credential Policy (link to wiki page) | Priority 1 Top | Step 3, Propose
  • See PAT Meeting 2019-07-16 for entries prior to 07/16/2019.
  • (7/16)
    • The proposal has been drafted and is currently being reviewed by the IT Credentials Drafting Team and the original IT Credentials Policy Stakeholder Team (from 2015/2016).
  • (8/20)
    • Proposal reviewed by PAT on 8/20.
    • Next review is by the IAM Council as soon as practical.
  • (9/26)
    • Proposal was reviewed:
      • by PAT on 8/20, comments due 9/9.
      • by IAM Council on 9/5, comments due 9/12.
      • by UW-MIST on 9/12, comments due 9/17.
    • Proposal had first reading at ITC on 9/20.
    • Plan is to vote at 10/18 ITC meeting.
Endpoint Management and Security Policy | Priority 2 Top | Step 2, Recommend
  • (8/20) (New entry as of this date)
  • (9/26)
    • CDM Advisory Group discussed recommendations at their Sep 11 meeting.
    • Drafting team will be formed.
    • Plan is to discuss at the next five meetings, and return recommendations on Nov 21.
    • First draft of recommendations has been drafted for review at the CDM 9/26 meeting.

IT Assets Inventory Management implementation plan (project page); CDM Advisory Group (link to wiki page) | Priority 3 Top | Step 3, Propose
  • See PAT Meeting 2019-07-16 for entries prior to 06/18/2019.
  • (6/18, 7/16)
    • The CDM Advisory Group began discussing best practices for IT Asset Inventory at their June 27 meeting.
  • (8/20)
    • The CDMAG will make recommendations for IT Asset Inventory Management at their Aug 22 meeting.
    • A provisional policy might be issued in Sep or Oct. TBD.
  • (9/26)
    • CDMAG approved recommendations at their 9/11 meeting.
    • Proposal has been drafted and is being/will be reviewed:
      • by drafting team starting 9/24, comments due 10/1.
      • by PAT on 9/26, comments due 10/10.
      • by CDM Advisory Group plus additional members and guests starting 9/30, comments due 10/10.
      • by UW-MIST on 10/3, comments due 10/10.
    • Plan is for proposal to have first reading at ITC 10/28 meeting.
Password Policy revision (link to wiki page, the same as the credential policy page) | Priority 5 H | Step 9, Review (Revision at Step 4, Draft)
  • See PAT Meeting 2019-07-16 for entries prior to 07/16/2019.
  • (7/16, 8/20)
    • UW System is currently discussing revision of their password standard. UW-Madison is suggesting that NIST SP 800-63-3 be adopted rather than specifying details of the password.
  • (9/26)
    • UW System plans to issue a revised authentication policy that is incompatible with UW-Madison's plan to adopt NIST SP 800-63-3, but will allow institutions to submit a risk assessment describing the difference in risk. Risk assessment is underway.
    • Original plan for password standard at UW-Madison is unchanged:
      • With MFA, 8 characters
      • Without MFA, 16 characters
      • In either case, no complexity requirement and no periodic password change (only force a change if there are indications the password is compromised), plus some other requirements previously documented in the 2018 compensating control memo to UW System.
Information Incident Reporting and Response (IReport) policy (link to wiki page) | Priority 5 H | Step 9, Revise (Revision at Step 2, Recommend)
  • See PAT Meeting 2019-07-16 for entries prior to 07/16/2019.
  • (7/16, 8/20)
    • GDPR compliance may require major revision of policy and procedures.
  • (9/26)
    • UW System has drafted a policy that expands the amount of incident reporting by end users and IT staff, and requires most incidents to be reported up to UW System.
    • UW-Madison is preparing a response with suggested changes that reduce the amount of required reporting by end users and IT staff, and to UW System.
Digital Accessibility Policy (link to wiki page) | Priority 5 H | Step 9, Review (Revision at Step 3, Propose)
  • See PAT Meeting 2019-07-16 for entries prior to 05/21/2019.
  • (5/21, 6/18, 7/16, 8/20)
    • The Digital Accessibility Campus Advisory Group (DACAG) is reviewing a draft strategic plan for digital accessibility which may help answer some of the outstanding questions that have so far delayed work on the policy.
  • (9/26)
    • Plan is to use existing recommendations to satisfy step 2, recommend, and move directly to step 3, propose.
SETA implementation Plan (link to wiki page) | Priority 6 MH | Step 4, Draft
  • See PAT Meeting 2019-07-16 for entries prior to 05/21/2019.
  • (5/21, 6/18, 7/16)
    • SEACC approved the draft implementation plan with some specified changes.
    • The intent is to publish it as provisional, and take it to the ITC for approval in the fall.
    • Since then, UW System issued a revised Security Awareness policy which slightly changes the requirements. The draft plan needs to be adjusted to reflect the new requirements.
    • The intended plan to publish and get approval from ITC is still in place, but it will take slightly longer to publish the provisional plan.
  • (8/20, 9/26)
    • No need to publish a provisional plan. ITC can review later in the year.

Encryption (IEncrypt) Policy (link to wiki page) | Priority 6 MH | Step 9, Review (Revision at Step 2, Recommend)
  • See PAT Meeting 2019-07-16 for entries prior to 08/20/2019.
  • (8/20, 9/26)
    • UW System 2 Yr engagement team on storage encryption has been organized and is meeting.
Guest NetID (link to published policy) | Priority 6 MH | Step 7, Deploy
  • See PAT Meeting 2019-07-16 for entries prior to 05/21/2019.
  • (5/21, 6/18, 7/16, 8/20, 9/26)
    • Drafting team has reviewed the policy and suggested changes. The changes are being evaluated.
NetID Appropriate Use Standard (link to published document on KB) | Priority 6 MH | Step 9, Review (Revision at Step 2, Recommend)
  • See PAT Meeting 2019-07-16 for entries prior to 07/16/2019.
  • (7/16, 8/20, 9/26)
    • The DoIT IAM group is going to re-evaluate what needs to be placed in a standard. Revision of the published standard is on hold until they do so.
Access Control Services (link to wiki page) | Priority 6 MH | Step 9, Review (Revision at Step 1, Plan)
  • (4/17, 5/21, 6/18, 7/16, 9/26)
    • Added this as one of the standards to be under the IT Credentials Policy.
    • Have not yet contacted DoIT IAM group.
Data Classification to Support System Security Policy (link to wiki page) | Priority 7 M | Step 9, Review (Revision at Step 4, Draft)
  • See PAT Meeting 2019-07-16 for entries prior to 04/17/2019.
  • (4/17, 5/21, 6/18, 7/16, 8/20, 9/26)
    • Policy needs maintenance revision. No change in classifications is anticipated.
    • New CDO needs to review it before it is published.
Data Loss Prevention Policy (will be renamed from Restricted Data Security Management Policy) (link to wiki page) | Priority 7 M | Step 9, Review (Revision at Step 1, Plan)
  • See PAT Meeting 2019-07-16 for entries prior to 07/16/2019.
  • (7/16)
    • A Data Loss Prevention Administrator has been hired and will start on Aug 1.
    • Revision of the policy can begin in the fall term.
  • (8/20, 9/26)
    • Data Loss Prevention Administrator has been hired.
    • Will present to UW-MIST in October.
Privileged Account Management Policy | Priority 7 M | Step 1, Plan
  • (8/20, 9/26) (New entry as of this date)
    • Newly identified policy.
    • Comes from the UW System 2 Yr Work Plan initiative.
    • Have met once with the co-chairs to discuss the policy process.
Email Servers Policy | Priority 8 ML | Step 9, Review
  • See PAT Meeting 2019-07-16 for entries prior to 08/20/2019.
  • (8/20, 9/26)
    • PAT recommended retirement of the Email Servers Policy.
    • Will refer the matter for ITC approval in the fall term.
IPv4 Allocation Policy | Priority 8 ML | Step 9, Review
  • (2/11/2019, 3/19, 4/17)
    • Initiated review because it is far out of date, was never officially issued, and is possibly obsolete.
    • DoIT Network Services: response pending.
  • (5/21, 6/18, 7/16, 8/20, 9/16)
    • This is moderate-low priority, so it may be a while before it comes to closure.
