* For ITransmit-related meetings, see agenda item below.
IT Policy Planning Team (PPT) Meeting, Wednesday, Nov 10, 2010, 9:00-10:30, Rm 2281 CS
- Agenda review. OK
- Reorganization of policies
- Judy explained the source of this question. See POD Meeting 2010-11-04.
- Upon discussion, the team suggested we proceed with re-grouping existing policies into categories to make it easier for people to figure out which apply to them in their role(s). Re-grouping of this type is "cheap and easy."
- The team also decided to continue discussion of how to reorganize the various "policy statements" that are present in current policies, including consideration of the types of policy statements that might be included in future policies (but not the specific language of such statements, since that can't be determined until a policy is developed). "Policy" in this sense includes guidelines, procedures, standards and principles, because the decision to use one rather than another is part of the policy-making process.
- The above will be on the agenda of the next PPT meeting.
- Policy and Planning has received a proposal to begin working on a policy related to encryption of information during transmission, and is exploring this with the PPT and others in the UW-Madison community.
- First step was to discuss it with the PPT.
- Next step is to discuss it with the IEncrypt policy stakeholder team.
- The IEncrypt team discussed the possibility in 2008 and 2009 and decided at that point in time to recommend that the policy on storage and encryption of sensitive information should not apply to transmitted information (hence the word "storage" in the title), but that the compliance standards should recommend encryption of sensitive information when it is transmitted (wording on this is a bit vague, as it was not the intent of the team to investigate all the ramifications).
- The reason for this was that the technological means were (at that time) not available to the university in a cost-effective manner (i.e. certificates cost money, etc.). The cost of certificates has been resolved (they will soon be "free" to the certificate holder). Other technical and procedural issues may or may not have been resolved. This needs further investigation. Monica Bush (DAIS) and Nick Davis (Middleware) will be invited to join the team for this purpose.
- While "ITransmit" did not garner many votes at the April 2009 IT Policy Forum, that does not necessarily mean there is a lack of support for it. It is a question of relative priorities and practicality.
- HIPAA requires encryption of PHI during transmission in some circumstances. PCI DSS similarly requires encryption in some circumstances. The need for encryption in those instances is unaffected by the absence of a more general policy. FERPA, GLBA, and other regulations we are aware of do not appear to require encryption of transmitted information, but it might be prudent to do so anyway in some circumstances.
- The question of what information such a policy would apply to is still open. It could, for example, apply only to restricted information, or to all sensitive information, or to more specific types of sensitive information.
- Similarly, the circumstances under which encryption would be required are not yet determined. For example, it might be decided to focus on the use of secure protocols (SSH, VPN, etc.) rather than on the encryption of information to be transferred via less secure protocols. Along those same lines, email might or might not be included, or might be included only under some circumstances, etc.
- If the IEncrypt team meets relatively soon, it might be possible to discuss ITransmit with the wider community at the 2011-02-03 IT Policy Forum. That would be consistent with our usual practice of involving the community when setting our relative priorities.
- There was a general feeling that any "ITransmit" policy should, if at all possible, be a modification of the existing IEncrypt policy, rather than a new separate policy.
Next ITransmit-related Meeting
- The discussion of the above led to a side discussion on "compliance". The PPT has discussed this at prior meetings (see PPT Meeting 2010-02-11 and PPT Meeting 2010-05-06). The Communications and Implementation (Com) team has been looking at this in considerable detail for over a year.
- Many good points were raised. We had not prepared ahead of time for such a discussion, so we decided to defer it until the next meeting. Gary will prepare material to describe what the Com initiative is currently thinking and doing, which will allow us to focus on improvements to that initiative rather than re-inventing it.
- IT Policy Forum 2010-11-11, 11:30-1:00, Rm 3139 CSS
- PPT Meeting 2010-11-24 Wed. 9:00-10:30 Rm 2281 CSS
- PPT Meeting 2010-12-08 Wed. 9:00-10:30 Rm 2281 CSS
- PPT Meeting 2010-12-22 Wed. 9:00-10:30 Rm 2281 CSS