Office of Learning and Information Technology
UW System CIO Council
Tuesday, April 20, 2010
Green Lake, WI
CIC Endpoint Security Request For Proposals
Credential Assessment Framework Update
CIC IT Leadership Program
Gartner Research Access at Each UW Institution
HRS Project and UW-Whitewater's Identity Management System
Institutional Network Credentials for UWSA Staff
Jim Lowe described incident response activity at the UW–Madison campus, which has increased in frequency since December as a result of the increasing sophistication of viruses. No fully patched machines have been compromised, which demonstrates that anti-virus software by itself is not sufficient.
In August 2009, the security officers of the CIC (Committee on Institutional Cooperation) institutions decided to issue a request for proposals (RFP) for anti-virus software and other endpoint security products. The RFP responses were received in January 2010. The scores of the leading responses were close. Proof of concept demonstrations were held at Northwestern University. All products were about 95% effective. It is hoped that at least two vendors will be selected for the final CIC contract.
Ed Meachen reported that after vigorous debate the line item in the Common Systems Review Group (CSRG) budget for vulnerability management software for next year has been eliminated. David Dumke noted that there is not a single point of leadership for IT security efforts in the UW System (UWS) and different approaches may be appropriate for different institutions. A standards-based approach may be preferable to a product-based approach. Stephen Reed reported that the UWS data privacy and security group has not met for the last few months, but it will be re-engaged soon. Proposals to the CSRG to support standards efforts would help raise IT security issues across the entire UW System. Nancy Crabb will expand the email list for the ITMC security group to include those who are only on the other lists.
Jim Lowe and Tom Callaci distributed a report on progress toward the credential assessment framework (CAF) level of assurance (LOA) that was based on self-reports from the UWS institutions. Since the previous report, there have been both increases and decreases in the totals of affirmative responses on the 37 questions. Overall, compliance is roughly unchanged. Variations in responses are due to changes in the survey wording, changes in the people at the UWS institutions who complete the survey, and deeper understandings of the underlying issues. Considerable work remains to be done before the CIOs' December 2010 deadline. Fortunately, there are a number of gains that can be made with small efforts, and Tom Callaci is willing to work with each UWS institution either in person or via phone. He will contact the CIOs to get engaged. A successful completion of this exercise will make the UWS institutions compliant with the InCommon Silver level of assurance.
Continuing the discussion from the morning's ITMC meeting, Ed Meachen suggested that the CIOs touch base with the library directors at their institutions and report whether there are sufficient funding, interest and time to support two attendees from each institution at the CIC IT Leaders Program. Some funding support may be available from the UWSA Office of Learning and Information Technology.
Ed Meachen will send an email to the CIOs soliciting their interest in a systemwide contract for a subset of Gartner research.
Ed Meachen explained that two issues surfaced at the UWS HR System (HRS) team's visit to UW–Whitewater because the campus is already running a version of the PeopleSoft HR system. UW–Whitewater has an existing method for ID management that is not compatible with the UWS direction for HRS, and UW–Whitewater already has basic employee self-service functions in production that they do not want to lose for an extended period of time. Subsequent to the visit, Elena Pokot and Tom Jordan made a presentation to the HRS Decision Council and explained that all of their downstream campus systems use the campus PeopleSoft HR system as a reference source. Therefore, the proposed UWS HRS identity management approach would entail a restructuring of many systems, which would require a prohibitive amount of time and effort. On the other hand, UW–Whitewater also did not want to burden the UWS HRS implementation.
A compromise solution was identified that will provide a component interface in the UWS production HRS system that just UW–Whitewater will use. Tom Jordan explained that a transaction table will be shared between UWS HRS and UWS IAM to provide a single integration point for the UW–Whitewater identity management system. The shared transaction table will not include information regarding people from any other UWS institution.
With regard to employee self-service, the Decision Council understood the difficulty of UW–Whitewater going without self-service for a protracted length of time and is willing to go ahead with a limited level of self-service functionality for the entire UWS that is similar to what UW–Whitewater is already using.
Nancy Crabb explained that there are six people from UW System Administration who regularly visit the UWS institutions and who don't have authentication credentials for the various campus networks. The Council members recommended that those who invite them to campus use whatever local campus procedures are already in place to request guest accounts.