PAT Meeting 2019-12-17

Tue 3:30-4:30, Rm 3139AB CS

Attending: __ McKinney Austin, _x_Bruce Barton, __Jennifer Bonifas, _x_Gary De Clute, _x_J.J. Du Chateau, __Jason Erdmann, _x_Sarah Grimm, _x_Elizabeth Harris, __Ed Jalinske, __Noel Kim, _x_John Krogulski, __Kim Miller, __David Parter, __Amanda Reese, __Joe Salmons, __Chris Spencer, _x_Eric Straavaldsen, __ Sara Tate-Pederson, __Bob Turner, _x_Stefan Wahe, _x_Sue Weier.

Agenda

  1. Preliminaries: Welcome, introductions, agenda review, notes from previous meeting, announcements (5 min)
    Goal: FYI
    • ITC activity (Joe, Gary)
      • At the upcoming Dec 20 meeting:
        • Vote to approve the IT Policy Principles and Procedures.
        • Receive the first reading of the PAT Charter. A vote to approve is anticipated in January.
    • Status of hiring policy staff (Ed).
  2. Review Draft IT Inventory Management Policy, Implementation Plan, and the Policy Analysis (50 min)
    (scheduled to go to IT Governance for endorsement in January)

    Handouts:
       * Draft IT Asset Inventory Management Policy (version 2019-12-11)
       * Draft IT Asset Inventory Management Implementation Plan (version 2019-12-11)
       * Draft PAT analysis of the policy (version 2019-12-11)
    Reference:
       * Proposal to Develop an IT Asset Inventory Management Policy and Appendices (version 2019-11-15 as approved by the ITC)
    Action:
    • The team had some questions, but generally thought it was OK.
    • REQUESTED ACTION: Please review all three documents and send comments to Gary by COB Friday, December 27 (extended from the originally announced Monday, Dec 23).
    • Follow up activity:
      • The Policy Analysis will go to the PAT EC for final editing (the PAT EC is serving as the drafting team for PAT documents).
      • Hope to discuss the draft documents at UW-MIST at their January meeting, with comments due a week later.
      • Will probably go to IT Governance in January and February
      • If substantive changes are suggested by the PAT, UW-MIST, or IT Governance, the DT will take a final look at it before it goes to the ITC in March.
  3. Status (as time permits)
    Goal: Review highlights of the following status and planning documents.
    Policy Initiative Chart (see latest version)
        * Note: December chart contains additional comments on lower priority initiatives, and
          also contains instructions for how to update and maintain the chart.
    PAT Work Plan (see latest version)

    Proposed Schedule of ITC policy-related activity (see latest version)

  4. For next agenda:
    • Revise PAT Vision (scheduled to go to the ITC for first reading in March, but if done sooner it can go in February).
    • Review policy development plans for any or all of (if ready):
      • Vulnerability Management Policy
      • Data Loss Prevention Policy
      • Privileged Accounts Management Standard (under IT Credentials Policy)

PAT Status Summary

Ground Rules

  1. Everyone must be treated respectfully, whether present or not.
  2. Everyone present who wants to speak on a topic must have a chance to speak.
  3. Attend more often than not, and review materials when you can't attend.
  4. Don't be shy, or worry about perception of an idea - we need open borders for these discussions.
  5. Let's park side issues or extensive detail for future work by this team, or others.
  6. Discuss intent and meaning, rather than the exact language of documents.

On Deck agenda items

  • For January
    • Revise PAT Vision.
    • Review PAT Work Plan, especially DLP, PAM, and Vulnerability Mgt.
  • For February
    • Finish revision of PAT Vision (scheduled to go to the ITC for first reading in March)
    • Start planning for next academic year. (Not too soon to start planning policy initiatives that should start in the Summer to get a head start on the academic year)
  • For April, May, Jun, Jul, Aug
    • Continue planning for next AY.

Future agenda items

In no particular order:

  • (NEW entry in Dec 2019) Improvement of impact statements. Add some specific scenarios as examples of how the impact could manifest?
  • Improvement of policy/procedure templates to identify the Responsible Executive(s), the deployment plan, the compliance plan, and the monitoring of and reporting on deployment and compliance.
  • Adjustment of PAT membership.

Meeting Schedule

  • PAT Meeting 2019-12-17, Tue 3:30-4:30, Rm 3139AB CS
  • PAT Meeting 2020-01-21, Tue 3:30-4:30, Rm 3139AB CS
  • PAT Meeting 2020-02-18, Tue 3:30-4:30, Rm 3139AB CS
  • PAT Meeting 2020-03-17, Tue 3:30-4:30, Rm 3139AB CS
  • PAT Meeting 2020-04-21, Tue 3:30-4:30, Rm 3139AB CS
  • PAT Meeting 2020-05-19, Tue 3:30-4:30, Rm 3139AB CS
  • PAT Meeting 2020-06-16, Tue 3:30-4:30, Rm 3139AB CS
  • PAT Meeting 2020-07-21, Tue 3:30-4:30, Rm 3139AB CS
  • PAT Meeting 2020-08-18, Tue 3:30-4:30, Rm 3139AB CS

PAT Members


Member | Unit | Type
McKinney Austin | ODMAS | Appointed by CDO
Bruce Barton (EC) | Libraries | Appointed by IT Governance
Jennifer Bonifas (Co-chair, EC) | SMPH | Appointed by IT Governance
Open | - | Appointed by RTAG
Sara Tate-Pederson | Cybersecurity | SME, IT Policy
J.J. Du Chateau | DoIT | SME, Enterprise Architect
Jason Erdmann | Education | At-Large
Elizabeth Harris | Engineering | Appointed by TLTAG
Open | DoIT | SME, Communications
Sarah Grimm | Archives | SME, Records Mgt
Ed Jalinske | Cybersecurity | SME, SETA/IT Policy
Noel Kim | Engineering | At-Large
John Krogulski | WIDA | At-Large
Open | - | At-Large
Open | - | Appointed by IT Governance
David Parter | CS | At-Large
Amanda Reese | Office of Compliance | Appointed by OOC
Shawn Green (Co-chair, EC) | ITC | Permanent (Chair of ITC)
Chris Spencer | SMPH | SME, Cybersecurity
Eric Straavaldsen | DoIT | SME, Enterprise Systems
Open | AIMS | SME, User Services
Bob Turner (EC) | Cybersecurity | Permanent (CISO)
Stefan Wahe | CALS | At-Large
Sue Weier (EC) | L&S | Appointed (Interim)
Joe Salmons | ITC | At-Large

Some appointments are interim. At-Large = Community Representative. EC = Executive Committee. SME = Subject Matter Expert.
Appointed and permanent members vote. Nine voting positions are currently filled. Quorum is a majority of voting positions currently filled.

Status of Policy Initiatives

  • Status tables (below). Updated before each PAT meeting. Sorted first by priority, and second by process step.
Initiative | Priority | Step (status notes are the dated bullets under each initiative)
IT Credential Policy (link to wiki page) | Priority 1, Top | Step 4, Draft
  • See PAT Meeting 2019-07-16 for entries prior to 07/16/2019.
  • (7/16)
    • The proposal has been drafted and is currently being reviewed by the IT Credentials Drafting Team and the original IT Credentials Policy Stakeholder Team (from 2015/2016).
  • (8/20)
    • Proposal reviewed by PAT on 8/20.
    • Next review is by the IAM Council as soon as practical.
  • (9/26, 10/15)
    • Proposal was reviewed:
      • by PAT on 8/20, comments due 9/9.
      • by IAM Council on 9/5 comments due 9/12.
      • by UW-MIST on 9/12 comments due 9/17.
    • Proposal had first reading at ITC on 9/20.
    • Plan is to vote at 10/18 ITC meeting.
  • (11/19)
    • Proposal was approved by the ITC on 10/18
    • Policy and Implementation plan are drafted and being reviewed at this meeting.
    • Plan is to submit the policy to IT Governance for review in January, and to the ITC for the first reading in February.
  • (12/17)
    • UW-MIST reviewed the documents, deadline COB Dec 12.
    • IAM Council has not been meeting, but many Council members are on UW-MIST, PAT, etc.
    • The CIO's Cabinet is meeting on Jan 16, and the policy is on their agenda. Meanwhile, Lois is asking people to review it.
    • Still on track to submit to ITC for first reading in February.
Endpoint Management and Security Policy (link to wiki page) | Priority 2, Top | Step 2, Recommend
  • (8/20) (New entry as of this date)
  • (9/26)
    • CDM Advisory Group discussed recommendations at their Sep 11 meeting.
    • Drafting team will be formed.
    • Plan is to discuss at the next five meetings, and return recommendations on Nov 21.
    • First draft of recommendations has been drafted for review at the CDM 9/26 meeting.
  • (10/15, 11/19)
  • (12/17)
    • Proposal has been delayed:
      • now scheduled to go to the ITC in March or April,
      • with Policy drafted over the summer, and
      • approval of Policy by the ITC in the fall term.
    • A provisional policy may be needed in late spring or early summer.
      • Would be best if it followed an approved proposal,
      • Second best if developed in parallel with the proposal.
    • CDM Advisory will take up the recommendations again in January.
    • IT Policy Forum in February is tentatively on Endpoint Management
    • UW-MIST is interested in this topic and may be able to assist.
    • The Endpoint Security implementation team may also be able to assist.

IT Assets Inventory Management implementation plan (link to wiki page) | Priority 3, Top | Step 4, Draft
  • See PAT Meeting 2019-07-16 for entries prior to 06/18/2019.
  • (6/18, 7/16)
    • The CDM Advisory Group began discussing best practices for IT Asset Inventory at their June 27 meeting.
  • (8/20)
    • The CDMAG will make recommendations for IT Asset Inventory Management at their Aug 22 meeting.
    • A provisional policy might be issued in Sep or Oct. TBD.
  • (9/26)
    • CDMAG approved recommendations at their 9/11 meeting.
    • Proposal has been drafted and is being/will be reviewed:
      • by drafting team starting 9/24, comments due 10/1.
      • by PAT on 9/26, comments due 10/10.
      • by CDM Advisory Group plus additional members and guests starting 9/30, comments due 10/10.
      • by UW-MIST on 10/3, comments due 10/10.
    • Plan is for proposal to have first reading at ITC 10/28 meeting.
  • (10/15)
    • Received much feedback and made many changes to the proposal.
    • Will receive first reading at ITC on 10/18.
  • (11/19)
    • Is scheduled for a vote at the ITC on 11/15.
  • (12/17)
    • ITC approved the Proposal on 11/15!
    • Policy, Implementation Plan, and Analysis are drafted and being reviewed by:
      • PAT
      • IT Assets Drafting Team
    • UW-MIST will review on Jan 9, deadline COB Jan 16.
    • Hope to submit to the CIO's Cabinet on Jan 16 and get their endorsement in Feb.
    • Status of TLTAG and RTAG involvement TBD.
      • Estimate is that they may be interested.
Password Policy revision (link to wiki page, the same as the credential policy page) | Priority 5, H | Step 9, Review (revision at Step 4, Draft)
  • See PAT Meeting 2019-07-16 for entries prior to 07/16/2019.
  • (7/16, 8/20)
    • UW System is currently discussing revision of their password standard. UW-Madison is suggesting that NIST SP 800-63-3 be adopted rather than specifying details of the password.
  • (9/26, 10/15)
    • UW System plans to issue a revised authentication policy that is incompatible with the UW-Madison plan to adopt NIST SP 800-63-3, but will allow institutions to submit a risk assessment describing the difference in risk. The risk assessment is underway.
    • Original plan for password standard at UW-Madison is unchanged:
      • With MFA, 8 characters
      • Without MFA, 16 characters
      • In either case, no complexity requirement and no periodic password change (only force a change if there is indication that the password is compromised), plus some other requirements previously documented in the 2018 compensating control memo to UW System.
  • (11/19)
    • Revised standard is drafted. Being reviewed by Office of Cybersecurity and the IT Credentials Drafting Team.
  • (12/17)
    • Reviewed by UW-MIST, deadline COB Dec 12.
    • Will accompany the IT Credentials Policy through the remainder of the Endorsement and Approval process.
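The password standard sketched above (minimum length that depends on MFA enrollment, no composition rule, no periodic change) is the NIST SP 800-63B verifier model. The following is an added illustration of how such a standard checks out in code; it is not UW-Madison's standard or any DoIT code. The 8- and 16-character minimums come from the notes; the 128-character ceiling, the blocklist contents and the usernames are constructed assumptions for the example, and a real deployment would check against a full breached-password corpus.

```python
"""NIST SP 800-63B style password check, mirroring the draft UW-Madison
standard described in the PAT notes. Added example, not UW-Madison code.
Sample blocklist and usernames are constructed for illustration."""
import unicodedata
from dataclasses import dataclass, field

MIN_LEN_WITH_MFA = 8      # from the notes: "With MFA, 8 characters"
MIN_LEN_WITHOUT_MFA = 16  # from the notes: "Without MFA, 16 characters"
MAX_LEN = 128             # assumption: 800-63B asks verifiers to accept at least 64

# Constructed stand-in for a breached/common-password corpus. A real verifier
# loads this from a file or queries a k-anonymity API; this set is a toy.
BREACHED_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome1",
    "correcthorsebatterystaple",
}


@dataclass
class CheckResult:
    ok: bool
    reasons: list = field(default_factory=list)


def normalize(password: str) -> str:
    """800-63B asks that Unicode input be normalized (NFKC) before comparison
    so visually identical strings compare equal. Spaces are legal characters,
    so leading/trailing whitespace is deliberately kept."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str, *, username: str, mfa_enrolled: bool) -> CheckResult:
    """Return ok=True when the candidate password meets the standard.

    Note what is absent: no digit/symbol/mixed-case requirement. Length,
    a breached-password blocklist, and context-specific words are the only
    memorized-secret rules 800-63B recommends."""
    pw = normalize(password)
    reasons = []

    min_len = MIN_LEN_WITH_MFA if mfa_enrolled else MIN_LEN_WITHOUT_MFA
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters (MFA enrolled: {mfa_enrolled})")
    if len(pw) > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")

    # Compare case-insensitively: attackers' wordlists try case variants anyway.
    if pw.lower() in BREACHED_PASSWORDS:
        reasons.append("appears in the breached/common password list")

    # Context-specific word: the account name must not be embedded in the secret.
    if username and username.lower() in pw.lower():
        reasons.append("contains the account's username")

    # Trivially repetitive input such as "aaaaaaaaaaaaaaaa" meets length but not intent.
    if pw and len(set(pw)) == 1:
        reasons.append("single repeated character")

    return CheckResult(ok=not reasons, reasons=reasons)


def must_change(last_changed_days: int, compromise_indicated: bool) -> bool:
    """No periodic expiry: password age alone never forces a change.
    Only an indication of compromise does (the 'force change' case in the notes)."""
    return compromise_indicated


if __name__ == "__main__":
    for pw, mfa in [("sunny mountain trail 42", False), ("sunnymount", False),
                    ("sunnymount", True), ("Password", True), ("bbarton2019", True)]:
        r = check_password(pw, username="bbarton", mfa_enrolled=mfa)
        print(f"{pw!r:28} mfa={mfa!s:5} ok={r.ok} {r.reasons}")
```

The `must_change` helper is the part most often got wrong in practice: a 90-day rotation rule would be a policy regression under 800-63B, so the function intentionally ignores password age and keys only on a compromise signal.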
Information Incident Reporting and Response policy (link to wiki page) | Priority 5, H | Step 9, Review (revision at Step 2, Recommend)
  • See PAT Meeting 2019-07-16 for entries prior to 07/16/2019.
  • (7/16, 8/20)
    • GDPR compliance may require major revision of policy and procedures.
  • (9/26)
    • UW System has drafted a policy that expands the amount of incident reporting by end users and IT staff, and requires most incidents to be reported up to UW System.
    • UW-Madison is preparing a response with suggested changes that reduce the amount of required reporting by end users and IT staff, and to UW System.
  • (10/15, 11/19)
    • Response submitted to UW System. Waiting to hear the results.
  • (12/17)
    • Still waiting to hear from UW System and UW-Madison Legal Services.
    • Office of Compliance is hiring a GDPR compliance person.
    • Still TBD what changes are necessary to the Incident Reporting part of the policy.
Digital Accessibility Policy (link to wiki page) | Priority 5, H | Step 9, Review (revision at Step 3, Propose)
  • See PAT Meeting 2019-07-16 for entries prior to 05/21/2019.
  • (5/21, 6/18, 7/16, 8/20)
    • The Digital Accessibility Campus Advisory Group (DACAG) is reviewing a draft strategic plan for digital accessibility which may help answer some of the outstanding questions that have so far delayed work on the policy.
  • (9/26, 10/15, 11/19)
    • Plan is to use existing recommendations to satisfy step 2, recommend, and move directly to step 3, propose.
  • (12/17)
    • Met with Linda Jorn and Phyllis Treige.
    • Team is being formed. Should start drafting the Proposal in January.
    • Hope to have ITC approval of Proposal this Spring, and approval of Policy in fall.
SETA implementation Plan (link to wiki page) | Priority 6, MH | Step 4, Draft
  • See PAT Meeting 2019-07-16 for entries prior to 05/21/2019.
  • (5/21, 6/18, 7/16)
    • SEACC approved the draft implementation plan with some specified changes.
    • The intent is to publish it as provisional, and take it to the ITC for approval in the fall.
    • Since then, UW System issued a revised Security Awareness policy which slightly changes the requirements. The draft plan needs to be adjusted to reflect the new requirements.
    • The intended plan to publish and get approval from ITC is still in place, but it will take slightly longer to publish the provisional plan.
  • (8/20, 9/26,10/15, 11/19, 12/17)
    • No need to publish a provisional plan. ITC can review later in the year.

Encryption Policy (link to wiki page) | Priority 6, MH | Step 9, Review (revision at Step 2, Recommend)

  • See PAT Meeting 2019-07-16 for entries prior to 08/20/2019.
  • (8/20, 9/26)
    • UW System 2 Yr engagement team on storage encryption has been organized and is meeting.
  • (10/15)
  • (11/19, 12/17)
    • The Work Plan Project Encryption team will serve as the drafting team when the policy and standard are eventually revised.
Guest NetID (link to published policy) | Priority 6, MH | Step 7, Deploy

  • See PAT Meeting 2019-07-16 for entries prior to 05/21/2019.
  • (5/21, 6/18, 7/16, 8/20, 9/26, 10/15)
    • Drafting team has reviewed the policy and suggested changes. The changes are being evaluated.
  • (11/19, 12/17)
    • Final changes are published.
    • When the IT Credentials Policy is approved, this will be converted to a standard.
Access Control Services (link to wiki page) | Priority 6, MH | Step 9, Review (revision at Step 1, Plan)
  • (4/17, 5/21, 6/18, 7/16, 9/26, 10/15)
    • Added this as one of the standards to be under the IT Credentials Policy.
    • Have not yet contacted DoIT IAM group.
  • (11/19, 12/17)
    • When the IT Credentials Policy is approved this will be converted to a standard with no substantive changes.
    • The plan is to continue review and revision independently from that conversion.
Data Classification Policy (link to wiki page) | Priority 7, M | Step 9, Review (revision at Step 4, Draft)

  • See PAT Meeting 2019-07-16 for entries prior to 04/17/2019.
  • (4/17, 5/21, 6/18, 7/16, 8/20, 9/26, 10/15)
    • Policy needs maintenance revision. No change in classifications is anticipated.
    • New CDO needs to review it before it is published.
  • (11/19, 12/17)
    • Maintenance revision is drafted and has been submitted to ODMAS for review.
    • There are suggestions included as comments that go beyond a maintenance revision. If any of these are included it would be at least a minor revision. Action on those comments, if any, is TBD.
Data Loss Prevention Policy (will be renamed from Restricted Data Security Management Policy) (link to wiki page) | Priority 7, M | Step 9, Review (revision at Step 1, Plan)
  • See PAT Meeting 2019-07-16 for entries prior to 07/16/2019.
  • (7/16)
    • A Data Loss Prevention Administrator has been hired and will start on Aug 1.
    • Revision of the policy can begin in the fall term.
  • (8/20, 9/26)
    • Data Loss Prevention Administrator has been hired.
    • Will present to UW-MIST in October.
  • (10/15, 11/19, 12/17)
Privileged Account Management Standard (link to wiki page) | Priority 7, M | Step 1, Plan
  • (8/20, 9/26, 10/15, 11/19) (New entry as of 8/20 date)
    • Newly identified policy.
    • Comes from the UW System 2 Yr Work Plan initiative.
    • Have met once with the co-chairs to discuss the policy process.
  • (12/17)
    • Met a second time with the co-chairs.
    • Looks like the best approach would be to include PAM as standard under the IT Credentials Policy.
      • Modified the IT Credentials Implementation Plan accordingly.
      • Would still treat this as a policy initiative and track on the PAT Work Plan.
Vulnerability Scanning Policy (link to wiki page) | Priority 7, M | Step 1, Plan
  • New entry as of 11/19.
    • Newly identified policy
    • Comes from the UW System 2 Yr Work Plan initiative.
    • Have informally discussed this with a team co-chair.
  • (12/17)
    • Have met informally with the co-chairs.
    • Still looks like this is a separate policy.
      • There is significant overlap with other IT policies.
      • There is also unique material not covered elsewhere.
      • Solution is to avoid duplicating material and have the policies cross reference each other.
NetID Appropriate Use Standard (link to published document on KB) | Priority 8, ML | Step 9, Review (revision at Step 2, Recommend)

  • See PAT Meeting 2019-07-16 for entries prior to 07/16/2019.
  • (7/16, 8/20, 9/26, 10/15)
    • The DoIT IAM group is going to re-evaluate what needs to be placed in a standard. Revision of the published standard is on hold until they do so.
  • (11/19, 12/17)
    • When the IT Credentials Policy is approved this will be converted to a standard with no substantive changes. When DoIT IAM finishes the evaluation it can be modified accordingly.
Email Servers Policy (link to policy on KB) | Priority 8, ML | Step 9, Review (pending retirement)

  • See PAT Meeting 2019-07-16 for entries prior to 08/20/2019.
  • (8/20, 9/26, 10/15, 11/19)
    • PAT Recommended retirement of the Email Servers Policy.
    • Will refer the matter for ITC approval in the fall term.
  • (12/17)
    • Fall term is over. Will refer the matter to the ITC in the spring, or next fall. No hurry.
IPv4 Allocation Policy (link to policy on KB) | Priority 8, ML | Step 9, Review (may be retired)

  • (2/11/2019, 3/19, 4/17, 11/19)
    • Initiated review because the policy is far out of date, was never officially issued, and is possibly obsolete.
    • Referred to DoIT Network Services. Response pending.
  • (5/21, 6/18, 7/16, 8/20, 9/26, 10/15, 11/19)
    • This is moderate-low priority so it may be awhile before it comes to closure.
  • (12/17)
    • Checked with DoIT NS. Still pending. No hurry.
