Process Meeting 2019-11-12

Tue, 3:30-4:30, Rm 2112 CS (Bob's Office)

Attending: _x_ Bruce Barton, _x_ Gary De Clute, _x_ Jason Erdmann, _x_ Ed Jalinske, _x_ John Krogulski, _x_ Bob Turner (chair), _x_ Stefan Wahe, _x_ Mike Whitney

Agenda

  1. Preliminaries: introductions, agenda review, notes from previous meeting, and announcements - (5 min)
    • Note: August, September, and October meetings were canceled.

      Action:
      • Discussed size and composition of team. Need more members.
      • Look for some mid-level staff. Ed and Jason both have lists of people and will coordinate and work on this.
      • Look for director-level members. Bob will work on this.
        .
  2. Policy Process Monitoring and Adjustment - Gary De Clute (5 min)
    Goal: Discuss how well the process is working in various initiatives. Suggest improvements.
    Handout: Latest of the Policy Initiative Charts
    .
  3. Endorsement and Approval Decision-making - Gary De Clute (40 min)
    Goal: Discuss how policy data flow decisions are made for Step 5 Endorse, and Step 6 Approve.
    Handouts:
       Nominal data flow during Endorse and Approve (version 2019-11-07a)
    .
    Action:
    • Discussed the importance of Policy Analysis.
      • Without the Policy Analysis, IT Governance and the ITC would not have sufficient background to do an accurate assessment of the merits of the policy.
      • The policy and implementation text do NOT, in general, contain sufficient background material.
        • Benefits are mentioned briefly in the policy background so the reader understands why we have a policy. A longer exposition of benefits would be distracting to the reader.
        • Impact (cost to the institution) is not included in the policy unless reducing impact is a major consideration, in which case it is briefly mentioned to assure the reader that reduction of impact has been addressed. There may be impact-related material in the implementation if particular features are designed to reduce impact.
        • Prior process is mentioned briefly in the policy background to assure the reader that the policy was developed collaboratively, and future process is described in the implementation only if compliance is being phased in over time.
          .
    • Discussed use of the IRAC process (from the legal profession) during Step 2 Recommend through Step 6 Approve.
      • IRAC = Issue, Rule, Analysis, Conclusions
      • The process is very similar to what we've already been doing in step 2 when developing recommendations.
      • IRAC is a more structured and systematic approach that is well established and widely used.
      • It records both concurring and dissenting conclusions, including the reasons for those conclusions.
        .
    • Idea is that a single document developed using IRAC during step 2 could:
      • serve as the recommendations from step 2,
      • along with a cover letter and updates serve as the Proposal in step 3,
      • along with updates serve as the Policy Analysis in Step 4 Draft, Step 5 Endorse, and Step 6 Approve.

    • In the following outline of the IT Policy Process, the bold and √ checked items are elements of the IRAC output.
      • Note that the team that develops recommendations using the IRAC is essentially the same as a Policy Stakeholder Team
      • That same team could ALSO serve as the Drafting Team throughout the remainder of Steps 3 through 6.
        • Additional care would be needed to ensure that the PST has the right mix of expertise to carry through to the end of Step 6.
          .
    • Output from Step 1 includes (in order):
      • A Plan that includes (not necessarily in order):
        • √ Rough estimate of benefits
        • √ Rough estimate of impact
        • √ Outline of the major issues that need to be addressed
        • √ Process time line
          .
      • A Charter or other charge to a team that includes (not necessarily in order):
        • √ Outline of the major issues that need to be addressed (refined from above)
        • √ Time line for delivering recommendations (from the process time line above)
        • Sponsors, co-chairs
        • Scope, Out-of-scope
        • Etc.
          .
      • Action (in order):
        1. Intake
        2. Prioritize / Estimate impact / Plan
        3. Draft Charter for PST
        4. Initiate
          .
      • Note that between the Plan and Charter the necessary inputs to the IRAC process are provided, along with a rough version of the expected result.
        .
    • Recommendations from Step 2 include (not necessarily in this order):
      • √ Benefits
      • √ Impact
      • √ Policy recommendations
      • √ Implementation recommendations
        .
      • ACTION:
        1. Policy Stakeholder Team drafts the recommendations
        2. Improve the draft as various groups and individuals review it
        3. The final draft of recommendations goes to the Sponsors of the initiative (which always includes the Responsible Executive, e.g. the CISO for security policy)
          .
      • Note that the output of the IRAC in Step 2 is similar (but not identical) to what we have been calling "policy recommendations".
        .
    • A Proposal to Develop a Policy in Step 3 includes (not necessarily in this order):
      • √ Benefits (as above, further refined)
      • √ Impact (as above, further refined)
      • √ Description of policy (from the recommendations)
      • √ Description of implementation (from the recommendations)
      • √ Process (activity to date, current state, and follow up activity if proposal is approved)
           (comes from process time-line of Step 1, updated as necessary)
        .
      • Action (in order):
        1. Form Drafting Team (NOTE: this is not necessary if PST serves as drafting team)
        2. Drafting Team drafts proposal including all components listed
        3. Drafting Team improves the draft as various groups and individuals review it
        4. The final draft goes to the CIO (and possibly IT Governance) for endorsement and to the ITC for approval.
          (both can be done in parallel, but last word needs to come from the ITC)
          .
      • Note that the only thing added to the output of step 2 in order to create the input of step 3 is an updated version of the timeline from Step 1.
      • Note that the transition from the end of step 2 to the beginning of Step 3 is a very quick and low overhead transition.
        • All that is needed is a cover letter that states that the IRAC conclusions are the proposal for the policy.
          .
    • The output of Step 4 Draft includes:
      • Draft Policy (from the policy description in the proposal, further refined)
      • Draft Implementation (from the implementation description in the proposal, plus additional information from the ongoing implementation work occurring in parallel)
      • Draft Policy Analysis that includes (in this order):
        • √ Benefits (as above, further refined)
        • √ Impact (as above, further refined)
        • √ Process (as above, further refined)
          .
      • Action (in order):
        1. Drafting Team drafts the Policy and Implementation, and Policy Analysis.
        2. Drafting Team improves the drafts as various groups and individuals review them
          (NOTE: the PAT reviews the drafts early in the review period)
        3. After review is complete, the PAT adds a cover letter and forwards the package for endorsement
          .
      • Note that the description of the policy and implementation from the IRAC are no longer needed when Step 4 is complete because they are replaced by the actual draft documents.
      • Note that the remaining three items from the IRAC, the benefits, the impact, and the process, persist as the Policy Analysis.
      • Note that forming the Policy Analysis is a very quick and low overhead activity.
        .
    • During step 5 Endorse
      • Action (in order):
        1. The Package, including Policy Analysis, goes to the CIO and the Responsible Executive, who present it to IT Governance
        2. IT Governance endorses (possibly suggests changes during that process)
        3. Drafting Team makes any necessary changes.
          .
    • During Step 6 Approve
      • Action (in order):
        1. The Package, including Policy Analysis (modified if necessary), goes to the ITC
        2. ITC approves (possibly suggests changes during that process)
        3. Drafting Team makes any necessary changes.
          .
    • During Step 7 Deploy
      • Action (in parallel):
        • CIO issues policy
        • Implementation rollout
          .
  4. What should the subcommittee do next? - (10 min)
    Goal: Plan subcommittee activity between now and end of calendar year.
    See process documentation list below.
    .
    Action
    • See item #6
      .
  5. For next meeting
    • Wiki alternatives
    • Review of revised process using IRAC.
    • Policy Process Monitoring and Adjustment (standing agenda item)

PAT Status Summary

Ground Rules

  1. Everyone must be treated respectfully, whether present or not.
  2. Everyone present who wants to speak on a topic must have a chance to speak.
  3. Attend more often than not, and review materials when you can't attend.
  4. Don't be shy, or worry about perception of an idea - we need open borders for these discussions.
  5. Let's park side issues or extensive detail for future work by this team, or others.

Future Agenda Items

Review/improve:

Meeting Schedule

  • Process Meeting 2019-11-12, Tue, 3:30-4:30, Rm 2112 CS (CISO's Office)
  • Process Meeting 2019-12-10, Tue, 3:30-4:30, Rm 2112 CS (CISO's Office)
  • Process Meeting 2020-01-14, Tue, 3:30-4:30, Rm 2112 CS (CISO's Office)
  • Process Meeting 2020-02-11, Tue, 3:30-4:30, Rm 2112 CS (CISO's Office)
  • Process Meeting 2020-03-10, Tue, 3:30-4:30, Rm 2112 CS (CISO's Office)
  • Process Meeting 2020-04-14, Tue, 3:30-4:30, Rm 2112 CS (CISO's Office)
  • Process Meeting 2020-05-12, Tue, 3:30-4:30, Rm 2112 CS (CISO's Office)
  • Process Meeting 2020-06-09, Tue, 3:30-4:30, Rm 2112 CS (CISO's Office)
  • Process Meeting 2020-07-14, Tue, 3:30-4:30, Rm 2112 CS (CISO's Office)
  • Process Meeting 2020-08-11, Tue, 3:30-4:30, Rm 2112 CS (CISO's Office)
  • Process Meetings

    The Subcommittee meets the second Tue, 3:30-4:30, Rm 2112 CS (CISO's Office)
    Exceptions are marked *

Current Process Documentation

  1. Audience: Anyone involved in the IT policy process (e.g. CIO, IT Core Leadership, ITC, 'TAG's, Cross-TAG Policy Review Group, UW-MIST, DACAG, IAM Council, Policy Stakeholder Teams, all temporary PAT Subcommittees, Policy Forum participants, anyone in the other audiences below.)
  2. Audience: Anyone involved in managing the process (e.g. CISO, PAT, PAT-EC, all ongoing PAT Subcommittees.)
  3. Audience: Those few who are actually organizing, executing, and documenting the activities of the process, (e.g. CISO, IT Policy Consultant, PAT Process Subcommittee.)

Subcommittee Members


Member          Unit             Member                Unit         Member                Unit
Bruce Barton    GLS              Sara Tate-Pederson    IT Policy    Jason Erdmann         Education
Ed Jalinske     Cybersecurity    John Krogulski        WIDA         Bob Turner (chair)    Cybersecurity
Stefan Wahe     CALS             Mike Whitney          SMPH

Attachments

File: Nominal Data Flow for Endorsement and Approval-2019-11-07a.docx
Created: Nov 07, 2019 16:14
