Office of Learning and Information Technology

UW System CIO Council

Tuesday, April 20, 2010

Green Lake, WI

CIC Endpoint Security Request For Proposals
Credential Assessment Framework Update
CIC IT Leadership Program
Gartner Research Access at Each UW Institution
HRS Project and UW-Whitewater's Identity Management System
Institutional Network Credentials for UWSA Staff

Attendees

CIOs and their Representatives Guests

Nancy Crabb
Jack Duwe
David Dumke
Chip Eckardt
John Krogman
Erich Matola
Ed Meachen
Jose Noriega
Kathy Pletcher
Elena Pokot
Mary Schoeler
Ken Splittgerber
David Stack
John Tillman
Stephen Reed
Doug Wahl

Tom Callaci
Tom Jordan
Jim Lowe
Paul Moriarty
Jim Stull


CIC Endpoint Security Request For Proposals

Jim Lowe described incident response activity at the UW–Madison campus which has increased in frequency since December as a result of the increasing sophistication of viruses. No fully patched machines have been compromised which demonstrates that anti-virus software by itself is not sufficient.

In August 2009, the security officers of the CIC (Committee on Institutional Cooperation) institutions decided to issue a request for proposals (RFP) for anti-virus software and other end point security products.The RFP responses were received in January 2010. The scores of the leading responses were close. Proof of concept demonstrations were held at Northwestern University. All products were about 95% effective. It is hoped that at least two vendors will be selected for the final CIC contract.

Ed Meachen reported that after vigorous debate the line item in the Common Systems Review Group (CSRG) budget for vulnerability management software for next year has been eliminated. David Dumke noted that there is not a single point of leadership for IT security efforts in the UW System (UWS) and different approaches may be appropriate for different institutions. A standards-based approach may be preferable to a product-based approach. Stephen Reed reported that the UWS data privacy and security group has not met for the last few months, but it will be re-engaged soon. Proposals to the CSRG to support standards efforts would help raise IT security issues across the entire UW System. Nancy Crabb will expand the email list for the ITMC security group to include those who are only on the other lists.

Credential Assessment Framework Update

Jim Lowe and Tom Callaci distributed a report on progress toward the credential assessment framework (CAF) level of assurance (LOA) that was based on self-reports from the UWS institutions. Since the previous report, there have been both increases and decreases in the totals of affirmative responses on the 37 questions. Overall, compliance is roughly unchanged. Variations in reponses are due to changes in the survey wording, changes in the people at the UWS institutions who complete the survey and deeper understandings of the underlying issues. Considerable work remains to be done before the CIOs' December 2010 deadline. Fortunately, there are a number of gains that can be made with small efforts and Tom Callaci is willing to work with each UWS institution either in person or via phone. He will contact the CIOs to get engaged. A successful completion of this exercise will make the UWS institutions compliant with the InCommon Silver level of assurance.

CIC IT Leadership Program

Continuing the discussion from the morning's ITMC meeting, Ed Meachen suggested that the CIOs touch base with the library directors at their institutions and report whether there are sufficient funding, interest and time to support two attendees from each institution at the CIC IT Leaders Program. Some funding support may be available from the UWSA Office of Learning and Information Technology.

Gartner Research Access at Each UWS Institution

Ed Meachen will send an email to the CIOs soliciting their interest in a systemwide contract for a subset of Gartner research.

HRS Project and UW-Whitewater's Identity Management System

Ed Meachen explained that two issues surfaced at the UWS HR System (HRS) team's visit to UW–Whitewater because the campus is already running a version of the PeopleSoft HR system. UW–Whitewater has an existing method for ID management that is not compatible with the UWS direction for HRS and UW-Whitewater already has basic employee self service functions in production that they do not want to lose for an extended period of time. Subsequent to the visit, Elena Pokot and Tom Jordan made a presentation to the HRS Decision Council and explained that all of their downstream campus systems use the campus PeopleSoft HR system as a reference source. Therefore, the proposed UWS HRS identity management approach would entail a restructuring of many systems which would require a prohibitive amount of time and effort. On the other hand, UW–Whitewater also did not want to burden the UWS HRS implementation.

A compromise solution was identified that will provide a component interface in the UWS production HRS system that just UW–Whitewater will use. Tom Jordan explained that a transaction table will be shared between UWS HRS and UWS IAM to provide a single integration point for the UW–Whitewater identity management system. The shared transaction table will not include information regarding people from any other UWS institution.

With regard to employee self service, the Decision Council understood the difficulty of UW–Whitewater going without self service for a protracted length of time and is willing to go ahead with a limited level of self-service functionality for the entire UWS that is similar to what UW–Whitewater is already using.

Institutional Network Credentials for UWSA Staff

Nancy Crabb explained that there are six people from UW System Administration who regularly visit the UWS institutions and who don't have authention credentials for the various campus networks. The Council members recommended that those who invite them to campus use whatever local campus procedures are already in place to request guest accounts.