
Tue 3:30-4:30, Rm 3139AB CS

Attending: __ McKinney Austin, __Bruce Barton, __Jennifer Bonifas, _x_Gary De Clute, _x_J.J. Du Chateau, __Jason Erdmann, _x_Sarah Grimm, _x_Elizabeth Harris, _x_Ed Jalinske, __Noel Kim, _x_John Krogulski, __Kim Miller, _x_David Parter, __Amanda Reese, _x_Joe Salmons, __Chris Spencer, __Eric Straavaldsen, __ Sara Tate-Pederson, __Bob Turner, _x_Stefan Wahe, _x_Sue Weier.

Agenda

  1. Preliminaries: Welcome, introductions, agenda review, notes from previous meeting, announcements (5 min)
    Goal: FYI
    • ITC activity (Joe, Gary)
      • At the Oct 18 ITC meeting:
        • Voted to approve the Proposal to Develop an IT Credentials Policy. No changes were suggested.
        • Voted to approve the PAT Work Plan. No changes were suggested.
        • Received the first reading of the Proposal to Develop an IT Asset Inventory Policy.
      • At the Nov 15 ITC meeting:
        • Voted to approve the Proposal to Develop an IT Asset Inventory Management Policy. No changes were suggested.
        • Received the first reading of the IT Policy Principles and Procedures.
      • At the upcoming Dec 20 meeting:
        • Vote to approve the IT Policy Principles and Procedures.
        • Receive the first reading of the PAT Charter. A vote to approve is anticipated in January.
      • At the upcoming Jan 17 meeting:
        • Vote to approve the PAT Charter.
        • Receive first reading of one of:
          • Proposal to Develop an Endpoint Management and Security Policy (planned)
          • IT Credentials Policy and Implementation Plan (fall back)
    • Status of hiring policy staff (Ed)
  2. Draft revision of the PAT Charter (20 min)
    Handouts:
       * Revised PAT charter with differences marked (version 2019-03-15 TO 2019-10-25)
    Reference:
       * Revised PAT charter, clean copy (version 2019-10-25)
       * List of recommended changes to PAT Charter (version 2019-09-15).
       * Current PAT Charter in MS Word (version 2019-03-15)
    Action:
    • During discussion we made some changes in the mission section, and on the approval of the membership of the EC.
    • We did not have time to review further during the meeting.
    • Gary has notes and will make changes as discussed. We were not always precise so please check them to make sure.
    • Gary will put the document on GSuite so that folks can see what others have commented and edited.
    • REQUESTED ACTION: Please review the charter document and make edits or send comments to Gary by COB Nov 26.
    • Follow up activity:
      • After PAT suggestions are incorporated, the charter will go to the PAT EC at their Dec 3 meeting, (the PAT EC is serving as the drafting team for PAT documents.)
      • The intent is to submit the Charter for first reading at the ITC at their Dec meeting.
  3. Draft IT Credentials Policy and the PAT analysis of the policy (30 min)
    Goal: Review for submission to the ITC in Dec.
    Handouts:
       * Draft IT Credentials Policy (version 2019-10-29)
       * Draft IT Credentials Implementation Plan (version 2019-10-29)
       * Draft PAT analysis of the policy (version 2019-11-18)
    Reference:
       * Proposal to Develop an IT Credentials Policy (version 2019-10-18 as approved by the ITC)
       * Credentials Policy Stakeholders Team report (version 2016-03-03 as reported to UW-MIST)
    Action:
    • The discussion was about further activity for review of the documents rather than changes to the documents.
      • Most of the discussion was about further review by other groups, (in particular UW-MIST, but by extension other groups as well,) plus the appropriate level of detail to put into the impact statement of the Policy Analysis.
      • No specific changes were suggested to the text, (although folks might want to make specific suggestions upon further review, and should feel free to do so.)
    • Comments about the documents themselves were generally expressions of agreement, with the exception of the impact statement.
      • People did not disagree with the impact statement as far as it currently goes, but expressed the viewpoint that it should include more detail about specific impacts in order to be more understandable to folks who are reviewing the policy.
      • Other folks pointed out that we do not have that level of detail available because future activity on credential changes has not yet been defined, nor should that level of detail necessarily be placed in the analysis document. As an alternative approach, discussion at that level of detail would occur as we develop or modify the standards under the policy, which would occur in parallel with future credential changes as they are proposed.
    • We also discussed the consequences of delaying approval of the policy (currently scheduled for Feb and Mar) in order to have more discussion.
      • It is possible to delay policy approval up to two months and still get the policy approved this spring.
      • Down side is that doing so will cause policy issues to pile up on the April and May ITC agendas.
    • Regarding the need for further discussion, this policy has been discussed a lot over the last two years, and there might not be a whole lot more to say about it.
    • Gary will ask UW-MIST to put an announcement on their Dec agenda asking UW-MIST members to review and comment by a specific date after the Dec UW-MIST meeting. The UW-MIST EC, (meeting this Thursday,) can discuss whether they also want to have a discussion of the documents at the Dec meeting, or would prefer to discuss it in January, etc.
    • Gary will also put the documents on GSuite, (same as the charter above.)
    • REQUESTED ACTION: Please review all three documents and send comments to Gary by COB Nov 26.
    • Follow up activity:
      • The Policy Analysis of the policy will go to the PAT EC for final editing, (the PAT EC is serving as the drafting team for PAT documents.)
      • The IT Credential Drafting team is already reviewing the documents, with the same deadline of Nov 26.
      • If substantive changes are suggested by the PAT or UW-MIST, the DT will take a final look at it in late Dec or early January after UW-MIST responds.
  4. Status (as time permits)
    Goal: Review highlights of the following status and planning documents.
    Policy Initiative Chart (see latest version)
    PAT Work Plan (see latest version)
    Proposed Schedule of ITC policy-related activity (see latest version)
  5. For next agenda:
    • Review Draft IT Inventory Management Policy and the analysis of the policy (25 min)
      (scheduled to go to IT Governance for endorsement in January)
    • Review Draft of Proposal to Develop an Endpoint Management Policy (25 min)
      (Scheduled to go to the ITC for first reading in January)

PAT Status Summary

Ground Rules

  1. Everyone must be treated respectfully, whether present or not.
  2. Everyone present who wants to speak on a topic must have a chance to speak.
  3. Attend more often than not, and review materials when you can't attend.
  4. Don't be shy, or worry about perception of an idea - we need open borders for these discussions.
  5. Let's park side issues or extensive detail for future work by this team, or others.
  6. Discuss intent and meaning, rather than the exact language of documents.

On Deck agenda items

  • For January
    • Revise PAT Vision (scheduled to go to the ITC for first reading in March)
    • Discussion of balancing strength of security vs. disruption (tentative, if PAT EC and/or ITC EC decide that PAT should discuss prior to ITC discussion)
  • For February
    • Finish revision of PAT Vision (scheduled to go to the ITC for first reading in March)
    • Review of IT Asset Inventory Management Policy and analysis of the policy (scheduled to go to the ITC for first reading in March)
  • For March
    • Review Endpoint Management and Security Policy and analysis of the policy (scheduled to go to the ITC for first reading in April)
    • Start planning for next academic year. (Not too soon to start planning policy initiatives that should start in the Summer to get a head start on the academic year)
  • For April, May, Jun, Jul, Aug
    • Continue planning for next AY.

Future agenda items

In no particular order:

  • Improvement of policy/procedure templates to identify the Responsible Executive(s), the deployment plan, the compliance plan, and the monitoring of and reporting on deployment and compliance.
  • Adjustment of PAT membership.

Meeting Schedule

  • PAT Meeting 2019-12-17, Tue 3:30-4:30, Rm 3139AB CS
  • PAT Meeting 2020-01-21, Tue 3:30-4:30, Rm 3139AB CS
  • PAT Meeting 2020-02-18, Tue 3:30-4:30, Rm 3139AB CS
  • PAT Meeting 2020-03-17, Tue 3:30-4:30, Rm 3139AB CS
  • PAT Meeting 2020-04-21, Tue 3:30-4:30, Rm 3139AB CS
  • PAT Meeting 2020-05-19, Tue 3:30-4:30, Rm 3139AB CS
  • PAT Meeting 2020-06-16, Tue 3:30-4:30, Rm 3139AB CS
  • PAT Meeting 2020-07-21, Tue 3:30-4:30, Rm 3139AB CS
  • PAT Meeting 2020-08-18, Tue 3:30-4:30, Rm 3139AB CS

PAT Members

Member                          | Unit                 | Type
McKinney Austin                 | ODMAS                | Appointed by CDO
Bruce Barton (EC)               | Libraries            | Appointed by IT Governance
Jennifer Bonifas (Co-chair, EC) | SMPH                 | Appointed by IT Governance
Open                            |                      | Appointed by RTAG
Sara Tate-Pederson              | Cybersecurity        | SME, IT Policy
J.J. Du Chateau                 | DoIT                 | SME, Enterprise Architect
Jason Erdmann                   | Education            | At-Large
Elizabeth Harris                | Engineering          | Appointed by TLTAG
Open                            | DoIT                 | SME, Communications
Sarah Grimm                     | Archives             | SME, Records Mgt
Ed Jalinske                     | Cybersecurity        | SME, SETA/IT Policy
Noel Kim                        | Engineering          | At-Large
John Krogulski                  | WIDA                 | At-Large
Open                            |                      | At-Large
Open                            |                      | Appointed by IT Governance
David Parter                    | CS                   | At-Large
Amanda Reese                    | Office of Compliance | Appointed by OOC
Shawn Green (Co-chair, EC)      | ITC                  | Permanent (Chair of ITC)
Chris Spencer                   | SMPH                 | SME, Cybersecurity
Eric Straavaldsen               | DoIT                 | SME, Enterprise Systems
Open                            | AIMS                 | SME, User Services
Bob Turner (EC)                 | Cybersecurity        | Permanent (CISO)
Stefan Wahe                     | CALS                 | At-Large
Sue Weier (EC)                  | L&S                  | Appointed (Interim)
Joe Salmons                     | ITC                  | At-Large

Some appointments are interim. At-Large = Community Representative. EC = Executive Committee. SME = Subject Matter Expert.
Appointed and permanent members vote. Nine voting positions are currently filled. Quorum is a majority of voting positions currently filled.

Status of Policy Initiatives (updated on 6/12)

  • Policy Initiative Charts. Updated the first week of the month.

  • Status tables (below). Updated before each PAT meeting. Sorted first by priority, and second by process step.
Initiative | Priority | Step | Status (dated entries below each initiative)
IT Credential Policy (link to wiki page) | 1 Top | Step 4, Draft
  • See PAT Meeting 2019-07-16 for entries prior to 07/16/2019.
  • (7/16)
    • The proposal has been drafted and is currently being reviewed by the IT Credentials Drafting Team, and the original IT Credentials Policy Stakeholder Team (from 2015/2016).
  • (8/20)
    • Proposal reviewed by PAT on 8/20.
    • Next review is by the IAM Council as soon as practical.
  • (9/26, 10/15)
    • Proposal was reviewed:
      • by PAT on 8/20, comments due 9/9.
      • by IAM Council on 9/5 comments due 9/12.
      • by UW-MIST on 9/12 comments due 9/17.
    • Proposal had first reading at ITC on 9/20.
    • Plan is to vote at 10/18 ITC meeting.
  • (11/19)
    • Proposal was approved by the ITC on 10/18
    • Policy and Implementation plan are drafted and being reviewed at this meeting.
    • Plan is to submit the policy to IT Governance for review in January, and to the ITC for the first reading in February.
Endpoint Management and Security Policy (link to wiki page) | 2 Top | Step 2, Recommend
  • (8/20) (New entry as of this date)
  • (9/26)
    • CDM Advisory Group discussed recommendations at their Sep 11 meeting.
    • Drafting team will be formed.
    • Plan is to discuss at the next five meetings, and return recommendations on Nov 21.
    • First draft of recommendations has been drafted for review at the CDM 9/26 meeting.
  • (10/15, 11/19)

IT Assets Inventory Management implementation plan (link to wiki page) | 3 Top | Step 3, Propose
  • See PAT Meeting 2019-07-16 for entries prior to 06/18/2019.
  • (6/18, 7/16)
    • The CDM Advisory Group began discussing best practices for IT Asset Inventory at their June 27 meeting.
  • (8/20)
    • The CDMAG will make recommendations for IT Asset Inventory Management at their Aug 22 meeting.
    • A provisional policy might be issued in Sep or Oct. TBD.
  • (9/26)
    • CDMAG approved recommendations at their 9/11 meeting.
    • Proposal has been drafted and is being/will be reviewed:
      • by drafting team starting 9/24, comments due 10/1.
      • by PAT on 9/26, comments due 10/10.
      • by CDM Advisory Group plus additional members and guests starting 9/30, comments due 10/10.
      • by UW-MIST on 10/3, comments due 10/10.
    • Plan is for proposal to have first reading at ITC 10/28 meeting.
  • (10/15)
    • Received much feedback and made many changes to the proposal.
    • Will receive first reading at ITC on 10/18.
  • (11/19)
    • Is scheduled for a vote at the ITC on 11/15.
Password Policy revision (link to wiki page; same as the credential policy page) | 5 H | Step 9, Review (Revision at Step 4, Draft)
  • See PAT Meeting 2019-07-16 for entries prior to 07/16/2019.
  • (7/16, 8/20)
    • UW System is currently discussing revision of their password standard. UW-Madison is suggesting that NIST SP 800-63-3 be adopted rather than specifying details of the password.
  • (9/26, 10/15)
    • UW System plans to issue a revised authentication policy that is incompatible with the UW-Madison plan to adopt NIST SP 800-63-3, but will allow institutions to submit a risk assessment describing the difference in risk. Risk assessment is underway.
    • Original plan for password standard at UW-Madison is unchanged:
      • With MFA, 8 characters
      • Without MFA, 16 characters
      • In either case, no complexity requirement, no periodic password change (only force a change if there are indications the password is compromised,) plus some other requirements previously documented in the 2018 compensating control memo to UW System.
  • (11/19)
    • Revised standard is drafted. Being reviewed by Office of Cybersecurity and the IT Credentials Drafting Team.
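
The password standard summarized above (length floor tied to MFA enrollment, no composition rule, no periodic expiry) as an added Python example. This is not code from the page or from UW-Madison or UW System; the compromised-password lookup, its sample contents, and the NFKC normalization step are assumptions drawn from NIST SP 800-63B, which the page cites but does not detail, and the other requirements in the 2018 compensating-control memo are not modeled.

```python
"""Password-acceptance check for the draft UW-Madison standard.

Added example, not code from the PAT notes. Rules taken from the page:
  * minimum length 8 with MFA, 16 without MFA
  * no complexity (composition) requirement
  * no periodic change; force a change only on indication of compromise
Assumptions (not on the page): a compromised-password blocklist check and
NFKC normalization, both in the spirit of NIST SP 800-63B.
"""
import unicodedata
from dataclasses import dataclass, field

# Constructed blocklist for the example. A real deployment would load a large
# compromised-password corpus; these entries are illustrative only.
COMPROMISED_PASSWORDS = frozenset({
    "password",
    "password123",
    "correcthorsebatterystaple",
    "Welcome2019!",
})


def minimum_length(mfa_enrolled: bool) -> int:
    """Length floor from the draft standard: 8 with MFA, 16 without."""
    return 8 if mfa_enrolled else 16


@dataclass
class PasswordDecision:
    accepted: bool
    reasons: list = field(default_factory=list)


def evaluate_password(password: str, mfa_enrolled: bool,
                      blocklist=COMPROMISED_PASSWORDS) -> PasswordDecision:
    """Apply the length floor and the (assumed) blocklist check; nothing else."""
    # NFKC so the same password typed via different input methods compares
    # equal; length is counted in code points, not UTF-8 bytes.
    normalized = unicodedata.normalize("NFKC", password)
    reasons = []
    floor = minimum_length(mfa_enrolled)
    if len(normalized) < floor:
        mode = "with" if mfa_enrolled else "without"
        reasons.append(f"shorter than {floor} characters ({mode} MFA)")
    if normalized in blocklist:
        reasons.append("appears on the compromised-password list")
    # Deliberately no composition rule: digits, symbols and mixed case are
    # not required, matching the draft standard.
    return PasswordDecision(accepted=not reasons, reasons=reasons)


def must_change_password(compromise_indicated: bool, days_since_change: int) -> bool:
    """No periodic expiry: age alone never forces a change, compromise does."""
    # days_since_change is accepted so callers can pass it, but it is ignored
    # on purpose; the draft standard drops periodic rotation entirely.
    return compromise_indicated


if __name__ == "__main__":
    # Constructed inputs for a quick demonstration.
    for pw, mfa in [("abcdefgh", True), ("abcdefgh", False),
                    ("password123", True), ("a" * 16, False)]:
        d = evaluate_password(pw, mfa)
        print(f"{pw!r:20} mfa={mfa!s:5} accepted={d.accepted} {d.reasons}")
    print("rotate after 400 days, no compromise:", must_change_password(False, 400))
    print("rotate after 1 day, compromise flagged:", must_change_password(True, 1))
```

The check returns the reasons rather than a bare boolean so a self-service reset page can tell the user which rule failed, and the blocklist is injected as a parameter so the same function can be exercised against a full corpus in production and a small constructed set in tests.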
Information Incident Reporting and Response policy (link to wiki page) | 5 H | Step 9, Revise (Revision at Step 2, Recommend)
  • See PAT Meeting 2019-07-16 for entries prior to 07/16/2019.
  • (7/16, 8/20)
    • GDPR compliance may require major revision of policy and procedures.
  • (9/26)
    • UW System has drafted a policy that expands the amount of incident reporting by end users and IT staff, and requires most incidents to be reported up to UW System.
    • UW-Madison is preparing a response with suggested changes that reduce the amount of required reporting by end users and IT staff, and to UW System.
  • (10/15, 11/19)
    • Response submitted to UW System. Waiting to hear the results.
Digital Accessibility Policy (link to wiki page) | 5 H | Step 9, Review (Revision at Step 3, Propose)
  • See PAT Meeting 2019-07-16 for entries prior to 05/21/2019.
  • (5/21, 6/18, 7/16, 8/20)
    • The Digital Accessibility Campus Advisory Group (DACAG) is reviewing a draft strategic plan for digital accessibility which may help answer some of the outstanding questions that have so far delayed work on the policy.
  • (9/26, 10/15, 11/19)
    • Plan is to use existing recommendations to satisfy step 2, recommend, and move directly to step 3, propose.
SETA implementation Plan (link to wiki page) | 6 MH | Step 4, Draft
  • See PAT Meeting 2019-07-16 for entries prior to 05/21/2019.
  • (5/21, 6/18, 7/16)
    • SEACC approved the draft implementation plan with some specified changes.
    • The intent is to publish it as provisional, and take it to the ITC for approval in the fall.
    • Since then, UW System issued a revised Security Awareness policy which slightly changes the requirements. The draft plan needs to be adjusted to reflect the new requirements.
    • The intended plan to publish and get approval from ITC is still in place, but it will take slightly longer to publish the provisional plan.
  • (8/20, 9/26,10/15, 11/19)
    • No need to publish a provisional plan. ITC can review later in the year.

Encryption Policy (link to wiki page) | 6 MH | Step 9, Review (Revision at Step 2, Recommend)
  • See PAT Meeting 2019-07-16 for entries prior to 08/20/2019.
  • (8/20, 9/26)
    • UW System 2 Yr engagement team on storage encryption has been organized and is meeting.
  • (10/15)
  • (11/19)
    • The Work Plan Project Encryption team will serve as the drafting team when the policy and standard are eventually revised.
Guest NetID (link to published policy) | 6 MH | Step 7, Deploy
  • See PAT Meeting 2019-07-16 for entries prior to 05/21/2019.
  • (5/21, 6/18, 7/16, 8/20, 9/26, 10/15)
    • Drafting team has reviewed the policy and suggested changes. The changes are being evaluated.
  • (11/19)
    • Final changes are published.
    • When the IT Credentials Policy is approved, this will be converted to a standard.
NetID Appropriate Use Standard (link to published document on KB) | 6 MH | Step 9, Review (Revision at Step 2, Recommend)
  • See PAT Meeting 2019-07-16 for entries prior to 07/16/2019.
  • (7/16, 8/20, 9/26, 10/15)
    • The DoIT IAM group is going to re-evaluate what needs to be placed in a standard. Revision of the published standard is on hold until they do so.
  • (11/19)
    • When the IT Credentials Policy is approved this will be converted to a standard with no substantive changes. When DoIT IAM finishes the evaluation it can be modified accordingly.
Access Control Services (link to wiki page) | 6 MH | Step 9, Review (Revision at Step 1, Plan)
  • (4/17, 5/21, 6/18, 7/16, 9/26, 10/15)
    • Added this as one of the standards to be under the IT Credentials Policy.
    • Have not yet contacted DoIT IAM group.
  • (11/19)
    • When the IT Credentials Policy is approved this will be converted to a standard with no substantive changes.
    • The plan is to continue review and revision independently from that conversion.
Data Classification Policy (link to wiki page) | 7 M | Step 9, Review (Revision at Step 4, Draft)
  • See PAT Meeting 2019-07-16 for entries prior to 04/17/2019.
  • (4/17, 5/21, 6/18, 7/16, 8/20, 9/26, 10/15)
    • Policy needs maintenance revision. No change in classifications is anticipated.
    • New CDO needs to review it before it is published.
  • (11/19)
    • Maintenance revision is drafted and has been submitted to ODMAS for review.
    • There are suggestions included as comments that go beyond a maintenance revision. If any of these are included it would be at least a minor revision. Action on those comments, if any, is TBD.
Data Loss Prevention Policy (will be renamed from Restricted Data Security Management Policy) (link to wiki page) | 7 M | Step 9, Review (Revision at Step 1, Plan)
  • See PAT Meeting 2019-07-16 for entries prior to 07/16/2019.
  • (7/16)
    • A Data Loss Prevention Administrator has been hired and will start on Aug 1.
    • Revision of the policy can begin in the fall term.
  • (8/20, 9/26)
    • Data Loss Prevention Administrator has been hired.
    • Will present to UW-MIST in October.
  • (10/15, 11/19)
Privileged Account Management Policy | 7 M | Step 1, Plan
  • (8/20, 9/26, 10/15, 11/19) (New entry as of 8/20)
    • Newly identified policy.
    • Comes from the UW System 2 Yr Work Plan initiative.
    • Have met once with the co-chairs to discuss the policy process.
Vulnerability Scanning Policy (link to wiki page) | 7 M | Step 1, Plan
  • New entry as of 11/19.
    • Newly identified policy
    • Comes from the UW System 2 Yr Work Plan initiative.
    • Have informally discussed this with a team co-chair.
Email Servers Policy (link to policy on KB) | 8 ML | Step 9, Review (pending retirement)
  • See PAT Meeting 2019-07-16 for entries prior to 08/20/2019.
  • (8/20, 9/26, 10/15, 11/19)
    • PAT Recommended retirement of the Email Servers Policy.
    • Will refer the matter for ITC approval in the fall term.
IPv4 Allocation Policy (link to policy on KB) | 8 ML | Step 9, Review (may be retired)
  • (2/11/2019, 3/19, 4/17, 11/19)
    • Initiated review because it is way out of date, was never officially issued, and possibly obsolete.
    • Awaiting a response from DoIT Network Services.
  • (5/21, 6/18, 7/16, 8/20, 9/16, 10/15, 11/19)
    • This is moderate-low priority so it may be awhile before it comes to closure.
