PAT Meeting 2019-10-15

Tue 3:30-4:30, Rm 3139AB CS

Attending: __ McKinney Austin, _x_Bruce Barton, _x_Jennifer Bonifas, _x_Gary De Clute, __J.J. Du Chateau, __Jason Erdmann, _x_Sarah Grimm, __Elizabeth Harris, __Ed Jalinske, __Noel Kim, _x_John Krogulski, __Kim Miller, __David Parter, __Amanda Reese, _x_Joe Salmons, __Chris Spencer, _x_Eric Straavaldsen, _x_Sara Tate-Pederson, _x_Bob Turner, __Sue Weier.

Agenda

  1. Preliminaries: Welcome, introductions, agenda review, notes from previous meeting, announcements (5 min)
    Goal: FYI
    • At the upcoming Oct 18 ITC meeting:
      • A vote on the Proposal to Develop an IT Credentials Policy.
      • A vote on the PAT Work Plan.
      • First reading of the Proposal to Develop an IT Asset Inventory Policy. A vote is anticipated at the Nov 15 ITC meeting.
  2. Recommended revisions to the PAT Charter (30 min)
    Handouts:
       * List of recommended changes to PAT Charter (2019-09-03 version Rev A after review by PAT EC).
       * Current PAT Charter in MS Word (2019-03-15 version)
    Please see the updated version of the recommended changes to the PAT Charter (2019-10-15 version).
    There are comments indicating places where the adjustments to the recommended changes differ from what we discussed at the PAT meeting.
    Please review and respond to Gary with suggestions by COB Tue, Oct 22.

    Action:
    • Many good suggestions! Thank you!
    • Gary has notes and will modify the recommendations ASAP.
    • Gary will send a message to the PAT ASAP asking members to review and send comments to Gary by COB Tue, Oct 22.
    • Gary will then draft a revised charter and distribute it to the PAT EC for review at their Nov 5 meeting.
    • The resulting charter, as modified by the PAT EC, will be reviewed by the PAT at the Nov 19 meeting; comments will be collected during the following week and revisions made.
    • The resulting charter will be submitted to the ITC for first reading at their Dec 20 meeting.
    • It will hopefully be approved at the ITC Jan meeting.
  3. Draft revision of the IT Policy Principles and Procedures (20 min)
    Goal: Approve to send to ITC for review and approval.
    Handout: Draft revision of IT Policy Principles and Procedures with changes marked (2019-09-28 version Rev B)
    Please see the updated revision of the IT Policy Principles and Procedures and separate appendices (2019-10-15 version).
    This includes the correction suggested at the PAT meeting, with the appendices placed in a separate document.
    A copy with the changes from 2019-03-15 marked up can be found at: IT Policy Principles and Procedures Drafts.
    Please review and respond to Gary with suggestions by COB Tue, Oct 22.

    Action:
    • One change was suggested to the definition of Best Practices.
    • We went over Appendices B and D in detail because they contain a lot of new material never before reviewed by the PAT. Both were OK.
      • It was noted that since these are appendices, it will be easy to adjust them over time, and such adjustments are expected.
    • Gary will send a message to the PAT ASAP asking members to review and send comments to Gary by COB Tue, Oct 22.
    • Gary will incorporate any changes. The resulting policy will go to the PAT EC for final review at their Nov 5 meeting.
    • The resulting policy will be submitted to the ITC for first reading at their Nov 15 meeting.
    • It will hopefully be approved at the ITC Dec 20 meeting and published soon after.
  4. Status (as time permits)
    Goal: Review highlights of the following status and planning documents.
    Policy Initiative Chart (see latest version)
    PAT Work Plan (see latest version)
       * Revised PAT Work Plan is OK.
    Proposed Schedule of ITC policy-related activity (see latest version)
       * Revised ITC schedule matches the revised work plan.
  5. Comparison of IT Policy Process and UW System Policy Process.
    • Bob requested a volunteer and Sarah Grimm volunteered to compare the two processes.
    • Bob will make sure Sarah has an electronic copy of the UW System Process.
    • The IT Policy Process is documented in the IT Policy Principles and Procedures. This is the current KB version, but the process is the same in the new draft going to the ITC in Nov (currently at version 2019-09-28 Rev B).
  6. Recruitment team volunteers for IT Policy hire.
    1. Bob requested two PAT volunteers to serve on the recruitment team for hiring an IT Policy staff person.
    2. No volunteers at meeting.
    3. Please contact Bob in the next week if willing to serve.
  7. For next agenda:
    • Review Draft IT Credentials Policy (30 min)
    • Review draft of revised PAT Charter (20 min)

PAT Status Summary

Ground Rules

  1. Everyone must be treated respectfully, whether present or not.
  2. Everyone present who wants to speak on a topic must have a chance to speak.
  3. Attend more often than not, and review materials when you can't attend.
  4. Don't be shy, or worry about perception of an idea - we need open borders for these discussions.
  5. Let's park side issues or extensive detail for future work by this team, or others.
  6. Discuss intent and meaning, rather than the exact language of documents.

On Deck agenda items

  • Discussion of balancing strength of security vs. disruption

Future agenda items

In no particular order:

  • Improvement of policy/procedure templates to identify the Responsible Executive(s), the deployment plan, the compliance plan, and the monitoring of and reporting on deployment and compliance.
  • Adjustment of PAT membership.

Meeting Schedule

  • PAT Meeting 2019-12-17, Tue 3:30-4:30, Rm 3139AB CS
  • PAT Meeting 2020-01-21, Tue 3:30-4:30, Rm 3139AB CS
  • PAT Meeting 2020-02-18, Tue 3:30-4:30, Rm 3139AB CS
  • PAT Meeting 2020-03-17, Tue 3:30-4:30, Rm 3139AB CS
  • PAT Meeting 2020-04-21, Tue 3:30-4:30, Rm 3139AB CS
  • PAT Meeting 2020-05-19, Tue 3:30-4:30, Rm 3139AB CS
  • PAT Meeting 2020-06-16, Tue 3:30-4:30, Rm 3139AB CS
  • PAT Meeting 2020-07-21, Tue 3:30-4:30, Rm 3139AB CS
  • PAT Meeting 2020-08-18, Tue 3:30-4:30, Rm 3139AB CS

PAT Members

Member                          | Unit                 | Type
McKinney Austin                 | ODMAS                | Appointed by CDO
Bruce Barton (EC)               | Libraries            | Appointed by IT Governance
Jennifer Bonifas (Co-chair, EC) | SMPH                 | Appointed by IT Governance
Open                            |                      | Appointed by RTAG
Sara Tate-Pederson              | Cybersecurity        | SME IT Policy
J.J. Du Chateau                 | DoIT                 | SME Enterprise Architect
Jason Erdmann                   | Education            | At-Large
Elizabeth Harris                | Engineering          | Appointed by TLTAG
Open                            | DoIT                 | SME Communications
Sarah Grimm                     | Archives             | SME Records Mgt
Ed Jalinske                     | Cybersecurity        | SME SETA/IT Policy
Noel Kim                        | Engineering          | At-Large
John Krogulski                  | WIDA                 | At-Large
Open                            |                      | At-Large
Open                            |                      | Appointed by IT Governance
David Parter                    | CS                   | At-Large
Amanda Reese                    | Office of Compliance | Appointed by OOC
Shawn Green (Co-chair, EC)      | ITC                  | Permanent (Chair of ITC)
Chris Spencer                   | SMPH                 | SME Cybersecurity
Eric Straavaldsen               | DoIT                 | SME Enterprise Systems
Open                            | AIMS                 | SME User Services
Bob Turner (EC)                 | Cybersecurity        | Permanent (CISO)
Stefan Wahe                     | CALS                 | At-Large
Sue Weier (EC)                  | L&S                  | Appointed (Interim)
Joe Salmons                     | ITC                  | At-Large

Some appointments are interim. At-Large = Community Representative. EC = Executive Committee. SME = Subject Matter Expert.
Appointed and permanent members vote. Nine voting positions are currently filled. Quorum is a majority of voting positions currently filled.

Status of Policy Initiatives (updated on 6/12)

  • Policy Initiative Charts. Updated the first week of the month.

  • Status tables (below). Updated before each PAT meeting. Sorted first by priority, and second by process step.
Initiative | Priority | Step (dated status notes are listed under each initiative)

IT Credential Policy (link to wiki page) | 1 Top | Step 3, Propose
  • See PAT Meeting 2019-07-16 for entries prior to 07/16/2019.
  • (7/16)
    • The proposal has been drafted and is currently being reviewed by the IT Credentials Drafting Team and the original IT Credentials Policy Stakeholder Team (from 2015/2016).
  • (8/20)
    • Proposal reviewed by PAT on 8/20.
    • Next review is by the IAM Council as soon as practical.
  • (9/26, 10/15)
    • Proposal was reviewed:
      • by PAT on 8/20, comments due 9/9.
      • by IAM Council on 9/5, comments due 9/12.
      • by UW-MIST on 9/12, comments due 9/17.
    • Proposal had first reading at ITC on 9/20.
    • Plan is to vote at 10/18 ITC meeting.
Endpoint Management and Security Policy | 2 Top | Step 2, Recommend
  • (8/20) (New entry as of this date)
  • (9/26)
    • CDM Advisory Group discussed recommendations at their Sep 11 meeting.
    • Drafting team will be formed.
    • Plan is to discuss at the next five meetings, and return recommendations on Nov 21.
    • A first draft of recommendations has been written for review at the CDM 9/26 meeting.
  • (10/15)

IT Assets Inventory Management implementation plan (project page); CDM Advisory Group (link to wiki page) | 3 Top | Step 3, Propose
  • See PAT Meeting 2019-07-16 for entries prior to 06/18/2019.
  • (6/18, 7/16)
    • The CDM Advisory Group began discussing best practices for IT Asset Inventory at their June 27 meeting.
  • (8/20)
    • The CDMAG will make recommendations for IT Asset Inventory Management at their Aug 22 meeting.
    • A provisional policy might be issued in Sep or Oct. TBD.
  • (9/26)
    • CDMAG approved recommendations at their 9/11 meeting.
    • Proposal has been drafted and is being/will be reviewed:
      • by drafting team starting 9/24, comments due 10/1.
      • by PAT on 9/26, comments due 10/10.
      • by CDM Advisory Group plus additional members and guests starting 9/30, comments due 10/10.
      • by UW-MIST on 10/3, comments due 10/10.
    • Plan is for proposal to have first reading at ITC 10/28 meeting.
  • (10/15)
    • Received much feedback and made many changes to the proposal.
    • Will receive first reading at ITC on 10/18.
Password Policy revision (link to wiki page; it is the same as the credential policy page) | 5 H | Step 9, Review (Revision at Step 4, Draft)
  • See PAT Meeting 2019-07-16 for entries prior to 07/16/2019.
  • (7/16, 8/20)
    • UW System is currently discussing revision of their password standard. UW-Madison is suggesting that NIST SP 800-63-3 be adopted rather than specifying details of the password.
  • (9/26, 10/15)
    • UW System plans to issue a revised authentication policy that is incompatible with the UW-Madison plan to adopt NIST SP 800-63-3, but will allow institutions to submit a risk assessment describing the difference in risk. The risk assessment is underway.
    • Original plan for password standard at UW-Madison is unchanged:
      • With MFA, 8 characters
      • Without MFA, 16 characters
      • In either case, no complexity requirement and no periodic password change (a change is forced only if there is an indication that the password has been compromised), plus some other requirements previously documented in the 2018 compensating control memo to UW System.
Information Incident Reporting and Response (IReport) policy (link to wiki page) | 5 H | Step 9, Revise (Revision at Step 2, Recommend)
  • See PAT Meeting 2019-07-16 for entries prior to 07/16/2019.
  • (7/16, 8/20)
    • GDPR compliance may require major revision of policy and procedures.
  • (9/26)
    • UW System has drafted a policy that expands the amount of incident reporting by end users and IT staff, and requires most incidents to be reported up to UW System.
    • UW-Madison is preparing a response with suggested changes that reduce the amount of required reporting by end users and IT staff, and to UW System.
  • (10/15)
    • Response submitted to UW System. Waiting to hear the results.
Digital Accessibility Policy (link to wiki page) | 5 H | Step 9, Review (Revision at Step 3, Propose)
  • See PAT Meeting 2019-07-16 for entries prior to 05/21/2019.
  • (5/21, 6/18, 7/16, 8/20)
    • The Digital Accessibility Campus Advisory Group (DACAG) is reviewing a draft strategic plan for digital accessibility which may help answer some of the outstanding questions that have so far delayed work on the policy.
  • (9/26, 10/15)
    • Plan is to use existing recommendations to satisfy step 2, recommend, and move directly to step 3, propose.
SETA Implementation Plan (link to wiki page) | 6 MH | Step 4, Draft
  • See PAT Meeting 2019-07-16 for entries prior to 05/21/2019.
  • (5/21, 6/18, 7/16)
    • SEACC approved the draft implementation plan with some specified changes.
    • The intent is to publish it as provisional, and take it to the ITC for approval in the fall.
    • Since then, UW System issued a revised Security Awareness policy which slightly changes the requirements. The draft plan needs to be adjusted to reflect the new requirements.
    • The intended plan to publish and get approval from ITC is still in place, but it will take slightly longer to publish the provisional plan.
  • (8/20, 9/26,10/15)
    • No need to publish a provisional plan. ITC can review later in the year.

Encryption (IEncrypt) Policy (link to wiki page) | 6 MH | Step 9, Review (Revision at Step 2, Recommend)

  • See PAT Meeting 2019-07-16 for entries prior to 08/20/2019.
  • (8/20, 9/26)
    • UW System 2 Yr engagement team on storage encryption has been organized and is meeting.
  • (10/15)
Guest NetID (link to published policy) | 6 MH | Step 7, Deploy

  • See PAT Meeting 2019-07-16 for entries prior to 05/21/2019.
  • (5/21, 6/18, 7/16, 8/20, 9/26, 10/15)
    • Drafting team has reviewed the policy and suggested changes. The changes are being evaluated.
NetID Appropriate Use Standard (link to published document on KB) | 6 MH | Step 9, Review (Revision at Step 2, Recommend)

  • See PAT Meeting 2019-07-16 for entries prior to 07/16/2019.
  • (7/16, 8/20, 9/26, 10/15)
    • The DoIT IAM group is going to re-evaluate what needs to be placed in a standard. Revision of the published standard is on hold until they do so.
Access Control Services (link to wiki page) | 6 MH | Step 9, Review (Revision at Step 1, Plan)
  • (4/17, 5/21, 6/18, 7/16, 9/26, 10/15)
    • Added this as one of the standards to be under the IT Credentials Policy.
    • Have not yet contacted DoIT IAM group.
Data Classification to Support System Security Policy (link to wiki page) | 7 M | Step 9, Review (Revision at Step 4, Draft)

  • See PAT Meeting 2019-07-16 for entries prior to 04/17/2019.
  • (4/17, 5/21, 6/18, 7/16, 8/20, 9/26, 10/15)
    • Policy needs maintenance revision. No change in classifications is anticipated.
    • New CDO needs to review it before it is published.
Data Loss Prevention Policy (will be renamed from Restricted Data Security Management Policy) (link to wiki page) | 7 M | Step 9, Review (Revision at Step 1, Plan)
  • See PAT Meeting 2019-07-16 for entries prior to 07/16/2019.
  • (7/16)
    • A Data Loss Prevention Administrator has been hired and will start on Aug 1.
    • Revision of the policy can begin in the fall term.
  • (8/20, 9/26)
    • Data Loss Prevention Administrator has been hired.
    • Will present to UW-MIST in October.
  • (10/15)
Privileged Account Management Policy | 7 M | Step 1, Plan
  • (8/20, 9/26, 10/15) (New entry as of 8/20)
    • Newly identified policy.
    • Comes from the UW System 2 Yr Work Plan initiative.
    • Have met once with the co-chairs to discuss the policy process.
Email Servers Policy | 8 ML | Step 9, Review (pending retirement)

  • See PAT Meeting 2019-07-16 for entries prior to 08/20/2019.
  • (8/20, 9/26, 10/15)
    • PAT Recommended retirement of the Email Servers Policy.
    • Will refer the matter for ITC approval in the fall term.
IPv4 Allocation Policy | 8 ML | Step 9, Review (may be retired)

  • (2/11/2019, 3/19, 4/17)
    • Initiated review because it is way out of date, was never officially issued, and possibly obsolete.
    • Sent to DoIT Network Services; response pending.
  • (5/21, 6/18, 7/16, 8/20, 9/16, 10/15)
    • This is moderate-low priority so it may be awhile before it comes to closure.
