
Use of Personally Owned Devices for University Business (POD)

Use of Personally Owned Devices (and Cloud Services) for University Business (POD) seeks to clarify how university requirements for privacy, security, and retention of data are applied to personally owned devices and use of non-UW-Madison-owned applications and services.

Meeting with the CIO, Joanne Berg.

Thursday, November 4th, 9:00-10:00 Rm 11520 ECM.

  1. Agenda Review OK
  2. POD initiative background
    Action: Informational.

    See: POD History and/or POD Meetings, in particular:
  3. Previous POD recommendations
    Action: Informational.

    See: POD Recommendations and POD Meeting 2010-04-09 (meeting with prior CIO)
    Handout: POD Recommendations (or see attached document).
    Recommendations:

    1. Adopt a general policy that employee responsibilities to protect the confidentiality, integrity and availability of sensitive information and university records are determined by the type and content of the information or record, rather than the ownership of the device, application or service used to store or process the information or record.

    2. Recommendation 1 also applies to sensitive research data such as unpublished research. There are considerations specific to sponsored research that may affect the roles of the institution and the researcher regarding protection of the data. These include such things as: ownership of the intellectual property, the source of funding, mandates from funding agencies, and the need for advance planning to budget for the cost of security controls.

    3. Review contracts
       a. Compliance with the proposed policy would be easier if contracts contained appropriate language so that users of those services could be confident that the service providers are handling sensitive information and university records in a manner consistent with the policies and standards of UW-Madison. The existence of such a contract does not relieve users of their own obligations under the policy.
       b. Compliance with the proposed policy would be easier if users of such services and applications could readily have access to clear and simple policies and standards describing what is required by UW-Madison. This would help the users evaluate whether or not it is appropriate to use a particular application or service for university business. Adequate terms of service published by the provider do not relieve users of their own obligations under the policy.

    4. The policy and the supporting standards, guidelines and procedures that are proposed above should be accompanied by appropriate awareness and training for instruction, research and administration. The awareness and training should begin as a regular part of new employee orientation, and should be incorporated into other ongoing awareness and training activities. It should highlight employee responsibilities for conducting university business, especially regarding sensitive information.

  4. Possible ways to proceed
    See: POD Meeting 2010-10-28 (most recent meeting where we discussed options), in particular:

    Possibilities:
    1. Revise our previous recommendations and submit to CIO:
      • Need to decide what to change and what additional things to recommend! Many possibilities. See POD Meeting 2010-09-02 for some items.
      • Add more to list, as appropriate. Evaluate: which of these seem compelling?
        Action: No decision on this.
    2. Our primary recommendation is already de facto policy:
      • University data DOES belong to institution, and employees ARE responsible to protect it when they possess it.
      • Folks don't always realize what that means.
      • Begin to work on awareness and education.
      • Team could advise regarding communications.
        Action: Proceed.
    3. Collaborate with Mobile Apps Initiative.
      • We have good connection at this point.
      • Not yet clear what we can contribute. Exploring possibilities.
        Action: Continue.
    4. Connect with Email, Calendaring Chat project.
    5. Work on compliance with guidelines for use of non-UW-Madison apps and services.
      • These have already been approved and issued, and are within the team's expanded scope.
      • Team could advise on communications and implementation efforts.
      • Efforts could include:
        • Awareness: Getting the word out about the guidelines and their importance.
        • Ideas and review of documentation of UW and non-UW alternatives (see list of outstanding action items below.)
        • Encourage continued efforts to contract effectively for relevant service. How do we do that?
        • Connect with the Google Apps project? (They are already doing some of the above.)
        • Contact Don Schutt in HR regarding new employee orientation.
      • Action: Proceed.
  5. Next steps?
    Action:
    • "Time is right." Start planning a campus event on Personally Owned Devices.
    • Chancellor, Deans would like to have a clear list of "what people need to do" re: IT policy. Refer this to PPT. (See: PPT Meeting 2010-11-10 for first action on this.)
    • Add APR tools team to list of groups/teams to communicate with. (See below).
  6. Other? None

Future meetings:

 

Attachment: POD_Recommendations-2010-04-05a.doc (Microsoft Word 97 Document), 2010-04-05a recommendations (DOC), modified Oct 28, 2010 by GARY W DECLUTE
