Use of Personally Owned Devices (and Cloud Services) for University Business (POD) seeks to clarify how university requirements for privacy, security, and retention of data are applied to personally owned devices and use of non-UW-Madison-owned applications and services.
Meeting with the CIO, Joanne Berg.
Thursday, November 4th, 9:00-10:00 Rm 11520 ECM.
- Agenda Review OK
- POD initiative background
See: POD History and/or POD Meetings, in particular:
- Apr 06, 2009: IT Policy Forum. POD tied for second (with Role-based Access Control) when voting to prioritize possible initiatives in the IT Policy Plan for FY 2009-2010.
- Dec 18, 2009: POD team begins meeting.
- Apr 09, 2010: POD team discusses recommendations to the CIO. CIO suggests further discussion with the campus community, possibly including a campus-wide meeting on the subject.
- Aug 05, 2010: Leadership discussions conclude that no campus meeting regarding POD is needed at this time.
- Sep 02, 2010: POD team considers some additional possible recommendations.
- Sep 30, 2010: POD team meeting with Hideko Mills regarding Mobile UW and how the POD team might assist.
- Oct 28, 2010: POD team discusses possible next steps, including a possible meeting with the CIO.
- Previous POD recommendations
See: POD Recommendations and POD Meeting 2010-04-09 (meeting with prior CIO)
Handout: POD Recommendations (or see attached document).
1. Adopt a general policy that employee responsibilities to protect the confidentiality, integrity and availability of sensitive information and university records are determined by the type and content of the information or record, rather than the ownership of the device, application or service used to store or process the information or record.
2. Recommendation 1 also applies to sensitive research data such as unpublished research. There are considerations specific to sponsored research that may affect the roles of the institution and the researcher regarding protection of the data. These include such things as: ownership of the intellectual property, the source of funding, mandates from funding agencies, and the need for advance planning to budget for the cost of security controls.
3. Review contracts
a. Compliance with the proposed policy would be easier if contracts contained appropriate language so that users of those services could be confident that the service providers are handling sensitive information and university records in a manner consistent with the policies and standards of UW-Madison. The existence of such a contract does not relieve users of their own obligations under the policy.
b. Compliance with the proposed policy would be easier if users of such services and applications could readily have access to clear and simple policies and standards describing what is required by UW-Madison. This would help the users evaluate whether or not it is appropriate to use a particular application or service for university business. Adequate terms of service published by the provider do not relieve users of their own obligations under the policy.
4. The policy and the supporting standards, guidelines and procedures that are proposed above should be accompanied by appropriate awareness and training for instruction, research and administration. The awareness and training should begin as a regular part of new employee orientation, and should be incorporated into other ongoing awareness and training activities. It should highlight employee responsibilities for conducting university business, especially regarding sensitive information.
- Possible ways to proceed
See: POD Meeting 2010-10-28 (most recent meeting where we discussed options), in particular:
- Revise our previous recommendations and submit to CIO:
- Need to decide what to change and what additional things to recommend! Many possibilities. See POD Meeting 2010-09-02 for some items.
- Add more to list, as appropriate. Evaluate: which of these seem compelling?
Action: No decision on this.
- Our primary recommendation is already de facto policy:
- University data DOES belong to institution, and employees ARE responsible to protect it when they possess it.
- Folks don't always realize what that means.
- Begin to work on awareness and education.
- Team could advise regarding communications.
- Collaborate with Mobile Apps Initiative.
- We have good connection at this point.
- Not yet clear what we can contribute. Exploring possibilities.
- Connect with Email, Calendaring and Chat project.
- They are considering contracting with a non-UW provider for students. (Several in higher ed have done this.)
- Could also contract with some (or all) for fac/staff. (Some in higher ed have done this.)
- See: https://wiki.doit.wisc.edu/confluence/display/InCollab/University+of+Wisconsin+Email%2C+Calendar+and+Chat,
and more generally: https://wiki.doit.wisc.edu/confluence/display/InCollab/Home.
- Work on compliance with guidelines for use of non-UW-Madison apps and services.
- These have already been approved and issued, and are within the team's expanded scope.
- Team could advise on communications and implementation efforts.
- Efforts could include:
- Awareness: Getting the word out about the guidelines and their importance.
- Ideas and review of documentation of UW and non-UW alternatives (see list of outstanding action items below.)
- Encourage continued efforts to contract effectively for relevant service. How do we do that?
- Connect with the Google Apps project? (They are already doing some of the above.)
- Contact Don Schutt in HR regarding new employee orientation.
- Action: Proceed.
- Revise our previous recommendations and submit to CIO:
- Next steps?
- "Time is right." Start planning a campus event on Personally Owned Devices.
- Chancellor, Deans would like to have a clear list of "what people need to do" re: IT policy. Refer this to PPT. (See: PPT Meeting 2010-11-10 for first action on this.)
- Add APR tools team to list of groups/teams to communicate with. (See below).
- Other? None
- POD Meeting 2010-12-09 11:00 AM, Thursday Dec 9, location TBD, (probably Memorial U.)
- Possible meetings with: