Office of Learning and Information Technology
UWS CIO Council Meeting
October 14, 2004
Best practices for access control
WCNI network update
- Contractual services
- Ad Astra
Update from IAA Governance Working Group
Portal presentation from UW-Superior
Report from the D2L Steering Committee
Report from the September Common Systems Review Group Meeting
Update on the Common Systems Assessment by Don Norris
Update on the faculty count in IPEDS for Oracle contract
CIOs and their Representatives
Paul Rediske, the Director of Internal Audit at UW-Milwaukee, also chairs the systemwide auditors group for the Appointment, Payroll and Benefits System (APBS). The UW System (UWS) common systems will be using the Identification, Authentication and Authorization System (IAA) for authentication, which relies on campus authentication processes. Campus authentication standards vary considerably across a wide variety of applications with dissimilar security needs. The issue is how to provide security in a way that is not capricious or costly.
Every APBS user must have a local campus username and password that is used by IAA for authentication to common systems. The APBS team researched nine best practices for access control and compared them to what is actually happening on campuses. Of special value are information security campaigns, which support the other practices and efforts.
APBS will have hundreds of users, not including the self-service functionalities for all employees. There is a strong need for cross-campus functionality, and APBS superusers will be able to access and modify information across all of the UWS institutions. A campus with a weak access control infrastructure may expose other institutions.
To mitigate unauthorized access, the audit team is recommending that:
- APBS should inform all of its users as to best practices and request voluntary compliance.
- APBS should carefully log and audit transactions, especially those that are cross-institutional (i.e., employee record changes made by a user on a different campus).
- APBS and UWS should encourage each institution to adopt a baseline level of security for all campus authentication systems used for IAA. This would include a minimum set of standards for access controls that will provide reasonable protection for all information. While this baseline might create over-protection of certain campuses’ applications, it will help to ensure the integrity of the common systems.
- APBS and UWS should encourage IAA to investigate technical solutions to mitigate security risks associated with authenticating heterogeneous applications.
David Hart reported that the Collaterals Working Group and the MILER Core Team have looked at security for many years with regard to SAS, SFS and, recently, APBS, in conjunction with Kim Milford of the BadgIRT security group (www.doit.wisc.edu/security/). Jerry Lange said that he has already discussed the APBS data warehouse with her and concurred that it would be good to involve her in the discussions because IAA is intended to be used for many applications that are covered by different sorts of regulations, e.g., FERPA, HIPAA and the GLB Act. Carrie Regenstein noted that the IAA architecture keeps passwords on the campuses, and a group of registrars on the IAA governance group are very happy with its FERPA compliance.
Jack Duwe noted that different groups have published different lists of best practices from their different perspectives, and a best practice in one environment may not be a best practice in another. Dick Cleek didn't feel that the same level of password security was necessary for self service as for superusers. Jerry Lange said that the working group was not trying to mandate technical solutions and was also concerned about lower level APBS users who could see various kinds of data, even if they couldn't change it. Ensuring adequate password security is in the domain of the campus, not IAA.
Annie Stunden and Jack Duwe noted that good passwords are important for all applications, not just administrative systems. Multiple password standards for different systems don't make sense. There needs to be one UWS password standard that makes sense operationally, not just a standard for APBS. Dick Cleek and David Dumke suggested that more levels of security are necessary for the 5% of people who need higher-level access to more critical systems. There are practices that could potentially cause more exposure than poor password policies, and those need to be addressed as well, e.g., unencrypted wireless networks, failure to apply operating system patches, etc. John Krogman noted the importance of supervisory control and sign-offs for account authorizations.
Kim Milford will be asked to meet and collaborate with the auditors working group to recommend a set of options that can be adopted as appropriate at each institution based upon its technical infrastructure.
Ron Kraemer is the UWS representative on the Wisconsin Converged Network Initiative (WCNI) procurement bid response team. This presentation is based on materials publicly available at the Department of Administration (DOA) WCNI web site: www.doa.state.wi.us/wcni/index.asp. To date, only a few people have seen the cost information in the bid responses. DOA hopes to announce an "intent to negotiate" a contract with one or more vendors within the next two weeks. At that point, the UWS will have wider access to the materials supplied by the vendors.
The state views WCNI as a way to move traffic. As it stands now, every UWS campus will need to be connected to a BadgerNet Converged Network (BCN) Aggregation Switch in their local LATA instead of point-to-point connections to other campuses. Once the traffic gets to a BCN Core Router, each campus will need to determine how much connectivity it wants to buy for the different priority levels of:
- vendor supplied video traffic
- vendor supplied in-state wide area data traffic
- end-user managed traffic
- Internet traffic that leaves the state core via an ISP, such as WiscNet
- flexibility to take advantage of new fiscal and technical opportunities
- adequately meeting the needs of the UWS
- the evolution of the cost/billing structure
- the management of the user management services
- lack of ability to burst over the contracted bandwidth
- offering I2 and other next-generation applications, especially to the K-12 institutions
- communications and expectations among the stakeholders
The next steps include:
- DOA's completion of their review of the RFI
- An engineering review of the proposals from the UWS perspective
- Maximizing the performance of the current network
- Setting benchmarks for end-user satisfaction
- Documenting the UWS service and performance expectations
To the extent possible, the UWS has to understand the long-term cost implications of the contract terms, although lost opportunity costs are difficult to measure.
Issues were discussed with respect to how, and if, Centrex and other broad, mandatory technology contracts ultimately save money for the UWS and the State of Wisconsin overall. Ken Ebbe will work on creating a set of reference data based upon studies and contracts undertaken by the UWS institutions. Whatever talking points emerge from the effort may need to be delivered by people outside of the IT area.
DOA is moving away from the current contractual services contract to a vendor managed service (VMS). Vendor demonstrations have occurred, but the timeline for the intent to award is not clear. The functionality of these systems is attractive and the vendors have national benchmarks for hiring consultants with various skills. Presumably DOA would have the ability to monitor how much each agency and institution pays for consulting services, and to whom. The unions are interested in reducing the number of private sector contractors while the Governor is interested in holding down costs. Return on Investment (ROI) analyses may be needed for acquiring contracted services because some state agencies have made long-term use of expensive, contracted staff in parallel to their own.
Some members of the Collaterals Group are interested in acquiring the Ad Astra room scheduling software (www.aais.com) that is used by UW-Milwaukee, UW-Platteville, UW-River Falls and others. The previous purchasing contract may have expired. If so, it will be rebid. Other institutions that are interested in it should contact Lori Voss (firstname.lastname@example.org).
Quest, the vendor of the Toad development tool for Oracle (www.toadsoft.com), would like to sell directly to the UW System institutions instead of through a reseller. Currently, there are 315 seats across the UW System. Lori Voss will poll the CIOs via email to determine interest.
Six applications have been approved at a policy level in accordance with the IAA governance guidelines:
- UW System Whitepages
- MINDS@UW (DSpace)
- Student Appointment and Payroll System
Policy approval does not constitute a commitment to implement the application. On the advice of the registrars, student whitepages will go live when certain issues of student privacy and directory information are resolved.
For a few years, the UW-Superior campus web page has used PeopleSoft self-service for e-business and student information applications. Once a student authenticates to the portal, they will find the same e-business and student information functionality in addition to D2L and e-community. Some of the links provide the students with their live data, such as their addresses, majors, minors, advisors and enrollment. It is easy to customize PeopleSoft pages to appear as live windows within the portal.
The number one feature request from students was access to files via WebDAV, which is slow over a dialup line. The e-community feature provides weather and road conditions, a discussion forum and a campus directory. It is possible for students to determine which of the optional pages they receive.
One person has been working on the development of the portal on a part-time basis for over a year.
An upgrade to version 7.3 of D2L was planned for last May, but it was cancelled because the product was not ready. The upgrade was done in mid-August instead, which led to bugs and performance issues. The upgrade to version 7.4 that was originally scheduled for the spring semester has also been delayed because the product won't be ready in time for Learn@UW to perform adequate testing. Numerous people from Learn@UW are working with D2L to address the various performance and functionality issues.
The D2L financial plan shows a shortfall for fiscal year 2005 because:
- costs of the previous e-learning utilities were underestimated
- costs of integrating with the student information systems and network authentication were not in the original budget
- more staff were required than anticipated because of the complexity of the robust environment
- faculty adoption rates have been higher than anticipated
Similar cost increases would likely have been borne if a different product had been chosen. Various options for accommodating the shortfall have been considered, including stretching out the implementation of modules and drawing upon the Student Technology Fee. This would represent a new type of use for the Student Technology Fee and there is concern about the precedent of UWS earmarking portions of it. An alternative would be to pro-rate the shortfall to the institutions, and let them choose how to cover the costs, possibly from the Student Technology Fee.
Although total costs are increasing, the costs per student have been decreasing. In the past, both UW-Madison and UW-Milwaukee were using some campus funds to pick up a portion of the costs of supporting the previous utilities.
Report from the September Common Systems Review Group Meeting (Ed Meachen, Ron Kraemer, John Berens, Annie Stunden)
The primary discussion topic at the September 22nd Common Systems Review Group was APBS. After a report by Margo Lessard, the group decided to ask for a review of the project and the proposed budget increases for this year. Ed Meachen, Ron Kraemer and Lorie Docken are engaging a consultant for the audit while the project continues. The consultant will make a report at the November 10th Common Systems Review Group meeting. Appraisals of how far along the project is, and how close it is to go-live, are needed.
The SFS project is planning an upgrade in March. It represents a big conversion and there may be additional issues if APBS also goes live in that timeframe.
Erroneous items in the draft report on Common Systems that was created by Don Norris have been corrected. Nothing that was reported in campus interviews has been altered. The executive summary will be written collectively. The report strongly states that the UWS is in great shape with regard to Common Systems; however, it says the UWS is behind in working on common portals. A number of observations are made on the financing of common systems, including the need for top-level executive sponsorship. Ironically, the report recommends that WEROC should be the focus of the UW System's technology strategies. The report will be distributed in mid-November.
Ed Meachen had a discussion with Frank Goldberg about the faculty numbers that are reported in IPEDS which trigger escalator clauses in the ORACLE contract. The Office of Policy and Research (OPAR) has no control over the calculation of the IPEDS numbers, which are reported by Human Resources. Frank Goldberg met with George Brooks, and OPAR will have the final say on the accuracy of the data as of the spring term. The CIO Council would like the IPEDS submissions for 2003 to be corrected and the ORACLE contract payments subsequently adjusted.
The questions asked of students and faculty in the more or less annual IT survey (www.uwsa.edu/olit/survey) have been updated. A few of the questions may be restored to their original form to enable longitudinal tracking by OPAR. Lorie Docken will distribute the questions to the group. The CIO Council recommended that the survey be conducted during the February timeframe.