Office of Learning and Information Technology
UW System CIO Council
Thursday, March 17, 2011
Pyle Center, Madison
HRS Project Update
UW Technology and Information Security Council Update
Managing Risk in Cloud Computing Discussion
SIS Executive Committee Update
ITMC Conference Postponement
2011-13 Budget Discussion
Implications of UW-Madison as a Separate Public Authority
Next CIO Council Meeting
Mohamed Elhindi is the new CIO at UW-La Crosse.
Ruth Ginzberg is working on an Elluminate contract for use with Desire2Learn.
Negotiations with Turnitin are in process. Ed Meachen will distribute a memo that outlines the terms of a potential system-wide contract.
A waiver for procurement of an e-portfolio system is being reviewed by the Wisconsin Department of Administration (DOA).
A contract for card reader systems from Blackboard will be reviewed.
Ruth Ginzberg has been working with DOA on piloting a procurement process that does not result in multiple investigations of the market for a single procurement. The proposed process would consist of an open RFP followed by one or more pilot projects to determine the most successful product for subsequent procurement. This would obviate the need for going to bid after a successful pilot project.
Elise Barho reported that in approximately a month the new Human Resources System (HRS) will go live on schedule and on budget. The second dress rehearsal, which is an expectation of every step needed for cutover, demonstrated excellent progress on data conversion. Several partner systems were included in the exercise.
The third dress rehearsal is currently underway and includes the timeclock system and changes that were necessary because of the Governor's Budget Repair Bill. The staff who are involved in the dress rehearsal need to be available whenever needed on a 24-hour basis.
Greg Konop reported on the status of online tutorials for both the Employee Self Service (ESS) and the Supervisor/Manager Self Service (MSS) functions for time/labor and absence management, especially for student supervisors. The resources are available in the self service area of uwservice.wisc.edu/hrs for use when:
- leading discussions, workshops or brown bag type opportunities at the UW System (UWS) institutions
- engaging in self-paced training
An online Knowledge Base (kb.wisc.edu/hrs) is also available. It includes step-by-step directions for student employees and supervisors.
There is a supervisor time approval PowerPoint presentation at uwservice.wisc.edu/hrs/training/mss.php that pulls together the time entering and time approval resources from both the Service Center website and Knowledge Base. The UWS institutions are welcome to use the PowerPoint as a basis for building their own custom presentations.
Chris Liechty reported that the Technology and Information Security Council (TISC) has had several meetings since it was formed and is working on the Credential Assessment Framework (CAF). Thomas Callaci has been in meetings with people at the UWS institutions to discuss their progress to date and to create estimates of necessary future work and any capital expenses. Responses have been received from 11 of the 15 UWS institutions, including UW System Administration.
There are six CAF checklist items that are challenging if an institution has an Active Directory that contains credential information. The same challenges are also being addressed by the "Big 10" schools. At this point in time, the UWS institution CAF checklists should be completed to the extent possible. Meanwhile, the UW Digital ID Initiative has digital certificates that could be distributed to individuals who access HRS for more than self service functions and who can be brought to a Level of Assurance 2 (LOA-2).
Steve Brukbacher is the Information Security Officer at UW-Milwaukee. He recently published an ECAR document on key campus roles in managing risk of cloud computing.
Steps that are necessary in order to accomplish secure, compliant, cloud engagements include:
- Mapping campus roles to the cloud
- Defining key elements of each role
- Choosing a few tools
The focus on roles is important to:
- Avert risk because it is easy to miss campus roles, e.g., the Help Desk, when outsourcing
- Reduce risk by ensuring normal oversight roles are engaged
The UW-Milwaukee campus cloud strategy is “To enable cloud adoption where there is benefit to do so in terms of service enhancement and cost savings.” The keys to the strategy are:
- Collaboration and communication among all the roles
- Creation of a formal IT purchasing group
- Providing key infrastructure to enable secure, compliant and scalable cloud engagements, e.g., Identity Management
- Providing quality, collaborative consulting to campus partners
Definition of terms:
- Cloud computing is a form of sourcing
- Sourcing is a general term that describes where a service or product comes from
- Basic forms of cloud services include:
  - Infrastructure as a Service (IaaS), e.g., storage
  - Platform as a Service (PaaS), e.g., servers and operating systems
  - Software as a Service (SaaS), e.g., Qualtrics survey service
The common campus roles that need to be engaged, and some of the questions they need to address, include:
- Purchasers/User Community
- What kind of data are being processed?
- What integrations are needed?
- What does the service need to do?
- Why is there a desire to outsource the service?
- How will people log in?
- Is there a pre-supposition of a preferred vendor?
- Is the customer new to security requirements and technical details?
- Campus IT
- General consulting
- Are there likely to be identification problems?
- Does the purchaser need help doing an RFP?
- Is the third party solution a fair comparison to current systems?
- What data feeds will be necessary?
- In what format will the purchaser get their data back at the end of contract?
- Are there assurances that the data, and any derivative data, will be purged at the end of the contract or in the case of bankruptcy?
- Identity and Access Management
- Is it possible to leverage existing campus credentials without exposing a central LDAP or AD directory to vendor access?
- Can a federated model such as InCommon enable a campus gateway for SaaS authentication?
- General consulting and integration
- What is the financial stability of the company?
- Are there any offshoring limitations for the data?
- What type of purchase vehicle is required?
- Is everything written down?
- Is the vendor's proposed contract unfairly slanted in their favor?
- Is it clear who owns the data?
- Is the contract written to include penalties in case of security failures or data breaches as well as outages?
- Information Security
- What is the highest level of security needed for different data types?
- What are the most critical controls?
- Is it specified in writing who will do what?
- Is it possible for the customer to monitor the security controls?
- Will the solution meet compliance standards?
- Will the solution meet campus security standards?
- Will the solution take advantage of new common security federations, e.g., HITrust?
- Internal Audit
- Will it be possible to ensure that the services are auditable and compliant with applicable standards, such as:
- Are there SAS 70 Type 2 tests for the effectiveness of controls?
- Is there ISO certification?
- Service Desk/Client Services
- Is the service desk aware that the system is coming?
- Can the service desk manage the community’s expectations?
- Is it clear which user questions are in service desk's domain and which are in the vendor’s?
- Is there documentation?
The cloud is driving the evolution of roles in central IT, including:
- Moving toward “service manager” positions
- Increasing middleware/integration expertise
- Increasing contract, legal and compliance knowledge
- Forming Identity Management as a distinct group
Role changes in Information Security include:
- Realization that the highest level of security is not needed for all data types
- Caution against overspending on security
- Deriving the most critical controls
In the case of "free" cloud services:
- There is a big risk for some forms of data if there is no contract
- Confidential data should not be stored on free services
- Campus users should be responsible for records management
- Consult the Cloud Computing Alliance website
Valuable resources include:
- EDUCAUSE: Cloud Computing Resources
- Cloud Security Alliance (CSA)
- EDUCAUSE: Managing Risk in Cloud Computing
- CSA Cloud Security Matrix
- Article by Thomas Trappler of UCLA
Jose Noriega underscored the transformation of the role of the service desk and the rise in demand for new service management roles within central IT. Mary Schoeler noted that stakeholders may hold central IT responsible if a procured service goes away unexpectedly. Ruth Ginzberg recommends that purchasers always have two exit strategies from cloud contracts: a normal exit strategy and an emergency exit strategy that can be implemented in a very short period of time.
Ken Splittgerber reported that a Campus Solutions Forum is planned for April 21, 2011. Any CIOs who did not receive the Forum announcement, which went out on March 18, are not on the communication list. People can subscribe to the list via the Student Information Systems link in the Communities section of the SIS communication hub, comsys.uwsa.edu.
The topics for the Forum will include:
- HRS go-live update
- Presentation by the HEUG Executive Director
- Budget update
- Update on the release of the majors database
- Transfer Information System Phase 4 update
- Interface update
- Wisconsin Covenant update
- Financial aid update
- Presentation from PeopleSoft
- D2L update
- PeopleTools 8.5 update
A communication will be sent to the CIO Council asking for the names of the institutional contacts who manage the compressed video facilities at their institutions.
There will be a meeting of the SIS Executive Committee on the afternoon of April 21st that will include the SIS contact persons from each institution. Ken Splittgerber will distribute a list of these individuals, who conduct the weekly SIS meetings at each institution.
Bruce Maas and Ed Meachen reported that today the Chief Budget Officers discussed the timing of the sharing of costs between the Common Systems budget and the UWS institutions for certain new services. Under consideration are new library discovery tools, e-portfolio services and conferencing tools that could be used for both courses and administrative purposes. The discussion will continue at the Common Systems Review Group next week.
The Council members discussed how their respective institutions are planning to address expected budget reductions.
Ed Meachen has begun looking at potential models for continued collaboration through Common Systems should UW-Madison become a separate public authority. It would be useful to benchmark the UWS against other university systems that have shared services. Mary Schoeler recommended the preparation of talking points regarding the value of the Common System model. Bruce Maas shared a draft PowerPoint he's developing on the advantages of the Common System approach.
Due to the SIS Forum on April 21st, the CIO Council meeting will be rescheduled to a conference call at noon on the 19th.
Meeting dates, the directory of the UWS CIOs and meeting summaries are available at www.uwsa.edu/olit/cio.