Information Technology Strategic Oversight Committee (ITSOC)

Minutes

March 11th, 2016 10:30 – 11:30, SSB 324

Attending: James Lyall, Kevin Taylor, Michael Erskine, Mike Hart, Janos Fustos, Diane Watkins, Mark Potter, Chuck Yeh, Chad Mortensen, Lindsay Packer, Jackie Maldonado, Jeff Helton, Nick Pistentis, Stephen DeVisser, John Wiltsie, Andrea Gonzales

Absent: Sheila Rucki, Mark Potter, Eriks Humeyumptewa, Patsy Hernandez, Jackie Maldonado, George Middlemist, Mai Linh Nguyen

1. Approval of Minutes from November 13th, 2015 ITSOC Meeting

a. Chad Mortensen motioned to approve. Lindsay Packer seconded, and they were unanimously approved.

2. Announcements/Updates

a. We are beginning the search for an Asset Manager to coordinate licensing and contracts.

b. SPPS License renewed after contract difficulty.

3. Items for Discussion and Recommendation

a. Draft I&IT Policy Review – first reading

a.i. One of the governance advisory subcommittees is the I&IT Policy subcommittee, which looks at our policies; these were one large document of 120 pages. This subcommittee is co-chaired by Mike Hart and Andrea Gonzales, who worked through our current policies to determine what we can do away with, edit, or consolidate. We had a set of goals in mind, including making policies approachable instead of focusing on specific technologies. The document went from 120 pages to 22. The old document also included procedures.

a.ii. We wanted to get it to you now and spend time when we get back together in May to discuss. This is a first reading. You can take it back to your representatives to share and get their input. Over the course of the next 2 months, please send your comments to Mike and Andrea.

a.iii. There is reference to a Chief Information Security Officer, who is Mike Hart. There was an intentional effort to create that role.

a.iv. ITS is in the process of redoing our website, now that we’ve created a service catalogue.

a.v. Janos will review over the weekend. He also gave the policy document to his students to review.

a.vi. Thanks to Mike and Andrea and the entire committee, as this was not an easy assignment.

b. Proposal for Reducing Email Impersonation (“Spoofing”)

b.i. We are seeing an increase in spoofed messages sent from outside of the institution, as well as from outside of the country. The senders create an email that looks like it comes from someone in our institution. This proposal is intended to reduce instances of this.

b.ii. As an example, there was a specific instance of a spear-phishing email that looked like it came from a university executive requesting employee W-2s.

b.iii. Spoofing an email is like sending a letter using anything you want for a return address.

b.iv. We need to take steps to eliminate spoofing. It is opening up avenues for malware to be installed, in addition to the impersonation. One of the ways we’re trying to differentiate is to create an exclusion for white listing. If we have a contract, they have agreed to appropriately use our information and we will “white list” or create an exception.

b.v. When we implement filters it’s all or nothing, so we have to do work ahead of time. This will raise questions and concerns. We know we will not get everything on the list before we flip the switch. The “free stuff” people use collects your contact information.

b.vi. Our intent is to bring this to this group first, get feedback and recommendations, and then take it to ASA, VPs and finally Cabinet.

b.vii. As an example of “free services”, Doodle is an external service that replicates what we already have. We had an individual here whose account was logging in from here and Switzerland.

b.viii. Third party apps have risks. Not really a free service.

b.ix. Will this have an effect on sending email from your home computer? No.

b.x. There are departments buying third party software. People are buying systems we already have.

b.xi. Fundamentally, if the tool or service we provide is not effective, then that’s what we need to talk about. We do not want offices to duplicate the service and the cost.

b.xii. A lot of this is education and communication. We know we don’t know everyone who is using outside services. The annoyance far exceeds the institutional risk. We should get the message out across the institution, once vetted through ITSOC, ASA Senior Leadership, VPs and Cabinet.

b.xiii. We find offices here and there buying software and we haven’t done very well being accurate with the number of licenses we have and the number of users. We think there’s a huge opportunity to save money. It will also make the computer lab experience better. We are moving away from a one-size-fits-all approach to student computing.

b.xiv. Jeff Helton moves to support this policy. Janos Fustos seconded. The motion was unanimously approved.

c. Budget cuts. We have proposed some cuts from our operating dollars.

c.i. We are doing away with the Ellucian mobile app, which costs $30,000/year and has had only about 40 users.

c.ii. We are looking at shifting from using consultants to internal ITS people, as we fill positions and increase expertise.

c.iii. There will be no new money and we still have deferred maintenance needs for our data centers. Looking for a secondary solution. We deferred maintenance on purpose, as we thought we were getting a data center in the new AES building.

c.iv. We have started some remodeling on the 4th floor of Admin, to include creating a large meeting room. Hopefully by the time fall semester starts, we can start using it for this and other advisory committee meetings.

c.v. This semester we’ve created smaller servers dedicated to particular classes and so far it is working well. Each student is managing an entire network. The environment is reusable, resources are not wasted, and can be easily repurposed.

d. Next meeting is May 13th and is our last scheduled meeting. We will schedule for every 2 months indefinitely.