Office of Learning and Information Technology
UW System CIO Council, 9/20/2007
University of Wisconsin CIO Council
September 20, 2007
- HRIS Pre-implementation
- UW-Milwaukee Emergency Notification System
- WiscNet Update
- RIAA Update
- Hyperion Update
- Student Technology Fee
- Credential Assessment Survey Results and Next Steps
- Procurement Update
- Student Information System Roadmap Report
- Insight Sessions
- UW System Strategic Planning Effort
- RFP for Vendor to send 1098t forms
- Records Management Schedules: UW Personnel & DOA IT Records
- UW–River Falls Update
- Planning for the IMTC Meeting
- Next meeting
CIOs and their Representatives
Ed Meachen explained that the UWS Service Center Executive Committee has largely finished the charter for the new Human Resources Information System (HRIS) project. When distributed, the charter will include a cover letter from Don Mash that explains its purpose is to set out the business case for the new system, but not the cost or timeline.
Documents are also being prepared for the upcoming Board of Regents meeting at UW–River Falls. A report on Common Systems will include the Roadmap, governance structure and budget for this year.
The fit-gap exercise for the HR system is likely to start around February 1, 2008.
Bruce Maas and Laura Pedrick from UW–Milwaukee explained that COOP/COG preparedness efforts were underway at the campus even before the Virginia Tech incident. Consequently, in July the campus administration decided to have an emergency notification system (ENS) running by the start of fall classes. David Crass was already leading the writing of a campus RFP for emergency communications, but not on such an aggressive timeframe. The focus switched to a five-day, low bid process to select a vendor that had the infrastructure for high volume text messaging, phone calling and email messaging.
Two responses were received and a service hosted by e2campus was selected. The effort was rolled into the institution's Safety Awareness For Everyone (S.A.F.E.) campaign. Ching-tzu Chien, a process analyst from central IT, was assigned to the Provost's Office to help develop the decision/communication tree. Her involvement helped shave one or two weeks off of the implementation timeframe. There are two paths for tripping a notification, the crisis management team and/or the incident response process.
In the first phase of emergency notification system, text messaging and email are the emergency communication vehicles. The e2campus product also has voice mail capabilities that are not implemented. In the event of an actual emergency, public address systems would probably be more effective. Unfortunately, there was not time to acquire a campuswide public address system via the low bid process before the start of classes. There will likely be a subsequent RFP for placing four loudspeakers at the corners of the campus.
During the next six months, an RFP for a fully featured electronic system will be developed. The approximately 2,000 voluntary cell phone registrations in the current e2campus system will be rolled forward into the subsequent system. All email addresses have been automatically loaded.
There are two audiences for an ENS, the campus administration crisis team and the faculty/staff/students. Implementation of such a system challenges the campus culture. For example, the NIMS compliance plan had to be expedited through the Chancellor's Cabinet.
A campussafety.uwm.edu website was created where members of the UWM community can register for the service. Promotional events have been held during residence hall check-in and at other events. A test of the system will be conducted in mid-October.
One of the benefits of this effort has been tighter coordination of the crisis management team. However, an ENS is not a panacea and could possibly complicate matters during a rapidly evolving situation. The UWM Police Chief reminds everyone that violence cannot be absolutely prevented, but having an ENS helps forestall questions of "Why didn't you?" after the fact.
Ron Kraemer reported that similar efforts at UW–Madison are on hold because a massive text message broadcast would crash the cell providers. Engineers say that 6,000 contacts with a cell phone tower will crash it. David Lois said that if text messaging crashes a tower, voice services will go down as well. There is also no guarantee that the cell providers will inadvertently trash the message thinking it is spam. No one has ever tested such a notification system at a level of more than 5,000 subscribers.
Bruce Maas reported that e2campus and others have reached agreements with the cellular providers to let the messages go through. The bid had a baseline notification requirement of 10 minutes. However, performance in an actual emergency needs to be seen.
Dave Lois introduced several issues that he has been discussing with Ed Meachen. The WiscNet strategic plan focuses on both the network and the associated community of institutions and individuals. In the past, considerable effort has been put toward the K12 community. Andrea Deau has recently been reassigned from focusing on K12 to focusing on higher education, including both the UW System and the Technical Colleges. Everything that she will be doing in this role has not been finalized. She has been visiting campuses and speaking with CIOs, Schools of Education, Outreach, centers for academic excellence and so on. David Dumke suggested that the CIO should go along when she talks with faculty and academic departments.
Within UW Colleges, there is interest in offering some courses directly to high school students outside of the usual advanced placement track. There is also a WiscNet Internet2/K20 workgroup that is looking at various networking applications.
WiscNet is running a Moodle server for K12s. There are also multiple Moodle servers running in departments at UW–Madison and UW–Milwaukee. Lately, the people running the various Moodle servers are asking for automatic feeds of course information, etc. David Lois reported that the WiscNet Moodle server was specifically designed to not compete with D2L. It was implemented because attractive licensing could not be found for a commercial learning management system for K12s. It is also being used as a niche service by various non-UWS entities.
Brain Remer distributed a map of how the WiscNet backbone will be configured later in the fall. Generally speaking, the BadgerNet Converged Network (BCN) is working fine and several circuits have been upgraded to accommodate traffic growth. WiscNet is also using the BOREAS fiber network to connect with Illinois, Iowa, Missouri and Minnesota.
Internet traffic transit costs are paid to outside entities to carry WiscNet's Internet traffic to the rest of the world. The strategy has been to connect to multiple in-state transit providers to ensure redundancy. Network peering has also been established with Google so that the traffic to their site can run at faster speeds without going through paid links. WiscNet has also partnered with the CIC schools to connect to various networking points in Chicago. Transit services are priced on a per megabit basis. The costs have dropped significantly for many years, but are now as low as they are likely to go. Meanwhile, the amount of transit traffic has declined due to peering agreements with other networks.
Chris Ashley said that dealing with letters from the RIAA is becoming more of a student affairs issue than a legal issue. The ordinary RIAA requests are not official legal processes. The options for the UWS institutions are:
- return the RIAA letters to the sender
- not forward the RIAA letters, but contact students in some other way using normal campus processes
- forward the RIAA letters to the students
Around the country, different institutions are pursuing different paths. At UW–Stevens Point, the latest set of alleged violators have either left or moved off of the campus network so there is no copyrighted information on the institution's network. At UW-Whitewater, the supposed violation occurred on the wireless network in March and can't be tracked. UW–Milwaukee has decided not to forward the letters as written by the RIAA, but has worked with legal counsel to craft an alert letter of its own. UW–Green Bay has seen a 20% error rate on RIAA and DMCA notifications. The council members indicated that there appears to be an overlap in letters that were sent last year with those of this year.
There was a consensus that an official response from the UWS to the RIAA should be drafted.
Lorie Docken and David Hart met with the Hyperion core team to discuss how to manage user licenses. A set of instructions were developed for the institutions to follow when naming the various types of users to enable license counting. The iHTML licenses do not need to be tracked. Counts of the UWS Hyperion license counts to date were distributed to the Council. Licenses were provisionally allocated to the UWS institutions according to the proportion of annual maintenance paid. However, the entire license pool should be managed systemwide because demand is much higher at some institutions than others. In the event that additional licenses need to be purchased, it is proposed that the costs will be absorbed by those institutions that are exceeding their provisional allocations. Lori Voss is also looking to see if Explorer licenses can be converted into Designer licenses. The overall licensing scheme will probably change when the new HR system is implemented.
On Tuesday, there will be a teleconference with the Hyperion core team. It will be affirmed that all users are entered into the foundation and that access will be limited to the Insight plug-ins.
Kathy Luker explained that the Hyperion core team has also looked at developing a training module and query writing support. A presentation and budget request was made to the Common Systems Review Group (CSRG) in July. The CSRG has since asked the CIOs for their recommendations as to whether or not the UWS institutions are likely to use these services. In the past, shared query libraries have not been well used, perhaps because campus data structures are different. Several Council members were interested in the possibility of using the UPK product for training purposes rather than developing a learning object. At UWSA, the focus of the training is more on where the local data is located rather than how to use the product and write queries. A learning object would not replace the need for this type of training. The Council agreed that it needs to have a discussion regarding long term strategy and any funding request should go through the normal CSRG channels next year. Since training for shared query writing should only cost several thousand dollars, the interested UWS institutions will pitch in to fund it.
Ed Meachen reported that a student governance representative questioned whether Student Technology Fees are being used for appropriate purposes. In response, Ed Meachen asked each institution to report on their implementation of the governance structures which are mandated to include student representation. (Note: UW–Madison has a separate process and is not covered by the Student Technology Fee legislation.) The consensus of the CIO Council was that current procedures are working fine. If there are particular student concerns at some campuses those should be brought up first with the local governance committee.
Student Technology Fees cannot be used in responding to budget cuts.
Jim Lowe explained the the overall goal of the Credential Assessment Framework (CAF) project is to do a systemwide security risk analysis and mitigation. Risk = Impact * Likelihood/Mitigation. There are two components of mitigation: technology and business processes. The risks surrounding IT systems are typically held in the CIO Office. It would be better if risks were shared with system sponsors and their respective offices should be engaged in mitigation exercises.
The components of Likelihood are:
Central IT departments have been working on availability and integrity for many years. Generally speaking, more effort needs to be expended on the confidentiality and auditability components, which are both aspects of data privacy. The goal is bring to all systems to known standards. Many of the existing industry standards are more or less equivalent, except for HIPAA regulations which are a little more stringent.
Within the UWS, the auditability of the Credential Assessment Framework is where work needs to be done to reduce risk over time by applying standards. To get underway, the UWS needs to pick the appropriate standard, metric and timeframe. For example, Levels of Assurance (LOA) are used to describe various risk levels. At LOA2 there is confidence that a person's asserted identity is accurate, which is appropriate at the institutional level. For inter-institutional work, LOA3 is more appropriate because there is high confidence that the asserted identity is accurate.
Reports of the results from the UWS CAF were emailed to the CIOs about a month ago. One purpose of the report was to encourage the UWS institutions to work together on similar issues and similar systems, e.g., identity proofing. The council members pointed out that there are other high priority security issues at the UWS institutions and balances need to be struck between the CAF items and the requirements of, for example, system maintenance.
In the case of the Shared Financial System (SFS), a price for mitigating each risk was determined and decisions were made accordingly.
Lori Voss reported that last week Microsoft agreed in writing that the current minimum discounts will continue under the auspices of the Campus Agreement contract. If there are any products the institutions have used in the past that aren't listed in the pricing amendment, the old pricing should continue. If institutions notice they are not being charged those prices, they should contact Lori Voss.
The Microsoft "Ultimate Steal" deal for Office for students is somewhat cheaper than WISC's prices. It is not clear if the details of both license agreements are the same, e.g., what rights are there to continue using the software after students graduate?
A new state cellular and data contract for wireless handheld devices will be awarded shortly.
A bid is out for PeopleSoft consulting services that will generate a rate card of qualified vendors on the Vendor Management System (VMS) for the purposes of the state's IBIS project. It is a mandatory contract that covers the UWS, but waivers are possible.
DOA would like to make sure that IT professionals are up-to-speed regarding the new requirements for contracting for professional services that cost more than $25,000. Training has been provided for the IT directors of state agencies. All purchasing agents in the UWS are required to take the training and it would be advisable for IT staff to be up-to-speed as well. The November ITMC meeting may provide such an opportunity.
Student Information System Roadmap Report
Lorie Docken thanked Brian Busby and the SIS Roadmap working group for tackling the issues. Their recommendations are divided into two priority levels. MILER, FASTAR and UWS will provide full support for interfaces for Oracle/PeopleSoft Campus Solutions (CS) version 9 by July 1, 2008. The UWS institutions are encouraged to complete their upgrades to CS version 9 by July 1, 2009. MILER will not provide support for upgrades to the CS modules themselves, just the interfaces. Decisions to provide support for interfaces to version 9.1 and beyond will be made in a collaborative, systemwide fashion.
The CS upgrade cycle provides an opportunity to look for more commonalities across the UWS institutions. The MILER group is looking for governance support for the business decisions that must be made regarding the interfaces because they have downsized and moved away from providing functional expertise. Business Objects, formerly known as First Logic, is being engaged regarding their lack of timely support for version 9.
Lorie Docken explained that Oracle offers a service in which they send staff to an institution to help develop goals, objectives and a roadmap to a desired state. Discussions have been held with the new Oracle representatives regarding an Insight session surrounding security. Representatives from the UWS institutions will be included.
Another potential Insight session topic is business intelligence (BI) which would include warehousing and reporting for the new HR environment. Lorie Docken would like to continue an online discussion with the Council about the possibility of setting up a systemwide reporting working group that would participate in the Insight session.
Ed Meachen reported that six UWS strategic planning think tank groups are being formed. The are comprised of people outside of UW System Administration. He believes that he will be a staff member to the operational efficiency group which will cover ERP systems and Common Systems. High level goals will be established, not campus action items. The goals will provide templates for campus budget requests. The timeline is very short. The effort will be completed by February or March and feed into the 2009-11 budget.
Ginger Hintz explained that an RFP process has been completed and an Intent to Award issued to a Brookfield vendor. The system will include a website through which student employees will be able to access their 1098t forms themselves. If the UWS provides the vendor with student email addresses, the vendor will notify the students via email that their 1098t is ready to view. As per IRS rules, if a student verifies that they have viewed their form online before January 25th, the form does not need to be mailed, which results in a savings. Under the vendor's proposal, the UWS institutions would need to provide the student employee email addresses, but not manage PINs.
Students will need to enter their SSNs to gain access the website. Serious concern was expressed that the email solicitation from the vendor would look like the type of phishing message that the UWS institutions are teaching students to ignore, assuming the messages are not first trapped by the institution spam filters. The use of email addresses as unique identifiers instead of SSNs would be preferable. Another option would be to provide a link on the campus website rather than within an email message from the vendor. Ed Meachen will work with the CIO Council to provide a technical advisor to work with Ginger Hintz and the vendor.
Laura Dunek and Nan Kunde, the University Records Officer from UW-Madison discussed three items.
New Federal Rules for Litigation
The evidence that will likely be demanded in a lawsuit can include disaster recovery tapes, fragments of documents, etc. A Records Retention/Disposition Authorization was distributed that gives each UWS institution the legal authority to destroy routine disaster recovery records after two weeks. Non-routine records, e.g., those that were used to recover a system after a crash, must be kept for at least six months. This authorization needs to be communicated to the managers of all institutional IT systems.
Working Group on DOA General Records Schedule for IT
The Public Records Board passed a comprehensive general records schedule on September 4. There is now a period during which the UWS is able to opt out of the non-relevant pieces. Afterwards, the remaining stipulations will become authoritative. The prior state records schedule for IT security has been folded into this new schedule.
HRIS Records Management Update
The retention schedules for payroll and personnel records need to be incorporated into the planning for the new HR Information System (HRIS). This effort is tightly integrated with the HRIS planning process. The working draft retention schedule is based on a general records schedule that has been in place at UW–Madison since 1992. Note that some personnel file records have retention periods as long as 30 years. For the foreseeable future there will always be at least some paper records for each employee.
Lisa Wheeler thanked the CIO Council for participating in the IT review that was held at UW–River Falls in July. The effort generated a lot of enthusiasm among the campus administration. The resulting infrastructure and organizational recommendations were quite large in scope. Since the review, Lisa Wheeler has talked through the recommendations with each IT staff member at UW–River Falls.
Some of the concrete applications of the recommendations include:
- Two Barracuda filtering units were installed before the start of the semester.
- A DoIT consultant helped rebuild the LDAP directory.
- Other consultants assisted with account de-provisioning.
- A short term project manager appointment has been extended for another year.
- An LTE has been added to the network staff who have been dealing with legacy responsibilities.
- Legacy responsibilities for the network staff are being shifted to other areas.
- Plans for staff training have been developed.
- A realistic list of priority projects is being formed.
- A generator will be installed shortly; there were two short power outages in August. Note that UW–Platteville also had a hard power outage during the summer on a Sunday morning.
The CIO review and suggestions have been very helpful in defining ways IT services across campus can improve during the current academic year.
John Krogman announced that the next UWS IT Management Council meeting will be on November 12th and 13th at the Heidel House. The institutional webmasters, identity management staff and communications staff will also be meeting at that time. The executive committee is developing an agenda and would appreciate input.
The October meeting will be held on the 18th. Because of the ITMC meeting, the November CIO Council meeting will be a teleconference from 8:30a.m. to 10:30a.m. on the morning of the 15th.
Meeting dates, the directory of UWS CIOs and meeting summaries are available at: http://www.uwsa.edu/olit/cio/