In September 2017 the Policy Planning and Analysis Team (PAT) was re-chartered to create a close relationship with the IT Governance project. The PAT charter establishes the team as a subcommittee of the Information Technology Committee (ITC).
Each IT governance group appoints a representative to the PAT. This ensures that the PAT is responsive to the needs and priorities of IT governance. The PAT is charged with defining and managing the IT policy development process. The PAT assists IT governance by providing an analysis of each IT policy as it is prepared for review and approval. The analysis provides background information on purpose, impact, deployment, and compliance.
|Policy||Description||Status||Rationale||Benefit||Initial Impact||Ongoing Impact|
|Credentials Policy and Standards||The credentials policy will cover identity assurance and authentication, including multi-factor authentication (MFA) and a simplified password standard. The policy will implement new guidance from the National Institute of Standards and Technology (NIST).||Multi-factor authentication (MFA) has been deployed to faculty and staff. Deployment to students is expected to be complete by the end of Dec 2019. Implementation of a new password standard is anticipated in 2019 and will be coordinated with the MFA rollout to students.||Implements multi-factor authentication (MFA) coupled with simplified passwords which only need to be changed if compromise of the password is suspected.||High reduction in cybersecurity risk as a result of the wide-spread deployment of MFA. MFA is vastly more secure than passwords alone. When MFA is used the incidents of compromised accounts are reduced to nearly zero.||Moderate impact that begins when a user changes to the new standard, due to the need to learn and get used to MFA and the new password standard.||Low impact approximately one month after a user changes to the new standard. Both MFA and the new password standard are simple and easy.|
|Incident Reporting and Response Policy and Procedures, Revision||The policy and procedures need revision for compliance with new laws, regulations, and policies.||A subcommittee has been formed to advise on review and revision.||Compliance with new laws, regulations, and policies.||Moderate reduction in institutional risk due to increased incident reporting.||Moderate impact as incident reporting increases.||Moderate-Low impact approximately one year after the policy change. Reportable incidents should decrease over time as other security controls are implemented.|
|Encryption Policy and Standard, Revision||The revised policy and standard will more closely align with UW System policy and procedures.||A project team is forming to work on an implementation plan.||Alignment with UW System policy and procedures. Awareness of encryption requirements needs to increase.||High reduction in the cybersecurity risk that results from loss or theft of devices and media. Moderate overall reduction in risk.||High impact as built-in solutions are enabled, or add-on solutions are purchased and installed.||Moderate impact after encryption is enabled or installed and the end users become accustomed to it.|
|IT Assets Inventory Management Policy and Implementation Plan||The policy and implementation plan will help UW-Madison better manage IT assets, and will prepare us for compliance with anticipated UW System policy. Only applies to institutionally-owned assets.||A project team has been formed to develop technical implementation for aggregation of inventory data. The CDM Advisoty Group is currently working on best practices for inventory processes, and will also make policy recommendations.||Improved management of IT assets, and preparation for compliance with UW System policy.||High reduction in the cybersecurity risk due to improved ability to inform people and respond to possible cybersecurty incidents.||High impact as units develop their internal procedures and perform an initial inventory.||Moderate impact approximately one year later as additions and modifications to the inventory become a routine part of IT operations.|
|Endpoint Management Policy and Implementation Plan||The policy and implementation plan will improve the consistency of endpoint management, endpoint security management, and mobile device management.||An RFP for endpoint management, endpoint security management, and mobile device management has been completed. The CDM Advisory Group will work on best practices in the Fall of 2019, and will also make policy recommendations.||Improvement in the degree and consistency of end point management, endpoint security management, amd mobile device management. Will also aid in automation of IT assets inventory management.||High reduction in the cybersecurity risk that results from unpatched or inadequately configured endpoints of all types.||High impact as units initially use or improve management solutions.||Moderate impact approximately one year later as improved automation of the management of endpoints becomes routine.|
|Digital Accessibility Policy, Revision||The policy establishes goals, standards, and priorities for accessibility of digital resources by people with disabilities. Currently called the Web Accessibility policy, the scope will expand to include other digital resources as well.||Revision of the policy will begin in 2019. The goal is to publish the revised policy in 2020. Development of training is already underway.||There are many people with disabilities who work and study at UW-Madison. The University is also subject to laws and regulations that prohibit discrimination against people with disabilities.||High benefit to people with disabilities. Moderate reduction in institutional risk.||Moderate impact as units complete initial training and implement accessibility by design.||Moderate-Low impact approximately two years later. Ongoing training and application of accessibility by design is easier than the original implementation.|