In September 2017 the Policy Planning and Analysis Team (PAT) was re-chartered to create a close relationship with the IT Governance project. The PAT charter establishes the team as a subcommittee of the Information Technology Committee (ITC).
Each IT governance group appoints a representative to the PAT. This ensures that the PAT is responsive to the needs and priorities of IT governance. The PAT is charged with defining and managing the IT policy development process. The PAT assists IT governance by providing an analysis of each IT policy as it is prepared for review and approval. The analysis provides background information on purpose, impact, deployment, and compliance.
| Policy | Description | Status | Rationale | Benefit | Initial Impact | Ongoing Impact |
|---|---|---|---|---|---|---|
| Continuous Diagnostics and Mitigation (CDM) Implementation Plan | The plan implements the privacy and security provisions of the UW System Acceptable Use Policy. It establishes guiding principles and an ongoing collaborative advisory group of IT and functional staff to help guide strategy and overall implementation. | 2018-11-30. UW-MIST is organizing a CDM Advisory Group. There are, or soon will be, projects in progress that will implement all the activities of CDM at UW-Madison. | Helps enable expanded activity in monitoring, identifying, prioritizing, and reducing vulnerabilities on the network and on connected devices and services. | 5: High reduction in cybersecurity risk from vulnerabilities on networks and endpoint devices. Moderate overall reduction in cybersecurity risk. | 4: Moderate-High impact, due to initial implementation of procedures and initial mitigation of previously undiscovered vulnerabilities. | 3: Moderate impact approximately two years later. Ongoing maintenance of reduced risk is easier than the original implementation. |
| Security Education, Training, and Awareness (SETA) Implementation Plan | The plan implements the UW System Security Awareness Policy. It establishes an ongoing training program that will be implemented in stages. The initial emphasis will be security awareness for faculty and staff. | 2018-10-26. Development of the plan is under way. An advisory group is being formed. Development of training is already under way. | More than one half of data breaches are the result of phishing, malware infections, or other attacks that can only be prevented through security awareness and training. | 5: High reduction in cybersecurity risk from user behavior that inadvertently provides unauthorized access to systems or data. Moderate overall reduction in cybersecurity risk. | 2: Moderate-Low impact, as the training is rolled out for the first time to each audience. | 1: Low impact in the second and subsequent annual training for an audience. |
| Credentials Policy | The credentials policy will cover identity assurance and authentication, including multi-factor authentication (MFA) and a simplified password standard. The policy will implement new guidance from the National Institute of Standards and Technology (NIST). | 2018-11-30. Multi-factor authentication (MFA) is currently being deployed to faculty and staff. Deployment to students is expected later in 2019. Implementation of a new password standard is anticipated in 2019 and will be coordinated with the MFA rollout, because the new simplified standard is tied to the use of MFA. | Implements multi-factor authentication (MFA) coupled with simplified passwords, which only need to be changed if compromise of the password is suspected. | 5: High reduction in cybersecurity risk due to widespread deployment of MFA. MFA is vastly more secure than passwords alone. When MFA is used, the incidence of compromised accounts is reduced to nearly zero. | 3: Moderate impact that begins when a user changes to the new standard, due to the need to learn and get used to MFA and the new password standard. | 1: Low impact approximately one month after a user changes to the new standard. Both MFA and the new password standard are simple and easy. |
| Incident Reporting and Response Procedures, Revision | The policy and procedures need general review and revision. | 2018-10-26. A subcommittee has been formed to advise on review and revision. | Ongoing review and revision of IT policies. Awareness of reporting requirements needs to increase. | 3: Moderate reduction in cybersecurity risk due to increased awareness of incident reporting requirements. | 2: Moderate-Low impact as incident reporting increases. | 1: Low impact approximately one year after the policy change. Reportable incidents should decrease over time as other security controls are implemented. |
| Encryption Standard, Revision | The revised policy and standard will more closely align with UW System policy and procedures. | 2018-10-26. Work on an implementation plan is pending. | Alignment with UW System policy and procedures. Awareness of encryption requirements needs to increase. | 5: High reduction in cybersecurity risk from loss or theft of devices and media. Moderate overall reduction in risk. | 5: High impact as built-in solutions are enabled, or add-on solutions are purchased and installed. | 3: Moderate impact after encryption is enabled or installed, because the user needs to interact with the encryption solution, for example to log in to the VPN or to enter a password when booting a laptop. |
| Digital Accessibility Policy, Revision | The policy establishes goals, standards, and priorities for accessibility of digital resources by people with disabilities. Currently called the Web Accessibility Policy, its scope will expand to include other digital resources as well. | 2018-11-28. Revision of the policy will begin in early 2019. The goal is to publish the revised policy in 2019. Development of training is already under way. | Many people with disabilities work and study at UW-Madison. The University is also subject to laws and regulations that prohibit discrimination against people with disabilities. | 5: High benefit to people with disabilities. Moderate reduction in institutional risk. | 3: Moderate impact as units complete initial training and implement accessibility by design. | 2: Moderate-Low impact approximately two years later. Ongoing training and application of accessibility by design is easier than the original implementation. |