Office of Learning and Information Technology

UW System CIO Council, 12/14/2006

UWS CIO Council Retreat and Meeting

December 14, 2006

Madison, WI


CIOs and their Representatives


Mark Anderson
Dick Cleek
Nancy Crabb
David Dumke (by teleconference)
Ann Marie Durso
Jack Duwe
Chip Eckardt
Ron Kraemer
John Krogman
David Lois
Bruce Maas
Ed Meachen
Kathy Pletcher
Elena Pokot (by teleconference)
Ken Splittgerber
David Stack
John Tillman
Doug Wahl
Lisa Wheeler

David Alarie
Brian Busby
David Crass
David Hart
Chris Holsman
Lorie Docken
Brian Remer
Dwan Schuck
Lori Voss







SFS upgrade (Dwan Schuck)

A chart of the Shared Financial System project organization and governance was distributed. There are three teams that provide oversight for SFS: the Advisory Team, the Leadership Team and the Executive Team. The 8.9 upgrade process will be similar to that for version 8.8. Ed Meachen, Diane Mann and Doug Hendix are project sponsors.  .

The project scope is to:

  • maintain the level of functionality of SFS and WISDM as of Sept 3, 2006
  • only include such new functionality as is considered crucial to the project
  • position the 8.9 upgrade as the number one project
  • be ready to remove the UW–Madison ATS module if it is determined that it causes any problems
  • ensure that managers and sponsors of other large projects provide all necessary technical and function resources for the go live

The project risks include:

  • sharing development and test environments with the travel system and UW–Madison
  • uncertainties in applying bundles and fixes
  • challenges in hiring people will the correct mix of functional and technical skills

Risk mitigations include:

  • proactive meetings with project managers of all other large projects
  • monitoring changes to version 8.9 including reapplication and new customizations and functionality
  • implementing a hard freeze on February 1
  • freezing the application of bundles and fixes after applying bundles 10/11 and the workflow travel fix
  • not allowing crucial staff or managers to travel to any conferences during crucial periods

The project is currently working on customizations and bolt-ons. The training is getting underway. The hard freeze and final integration test are scheduled for February 1. Implementation will be March 16-20.

The only concern at this time is a little slippage on the development of interfaces and customizations. Meetings will be held with UW Extension to explore whether their large ARBI customization is necessary. However, the grants committee is also interested in ARBI customization. UW–Stevens Point had another project wrap up in early December that temporarily took away key resources.

The effort is ahead of the 8.8 upgrade in terms of setting up the WISDM test environment and running the nightly ETLs. Seventy percent of the training manuals are complete.

Microsoft update (Lori Voss)

Microsoft is coming out with new versions of key products in conjunction with Vista. There are some changes in terms of how the products are being deployed and which CALs are necessary for different versions. Hence, there is a lot of new complexity. A core group will be brought together to give guidance to the UW System institutions. Chip Eckardt, David Dumke, David Kieper and possibly Joe Smith will serve. Dick Cleek recommended that the UWS have a group that is always up-to-speed on the Microsoft contract instead of gearing up with each ad-hoc contract issue.

Chip Eckardt said UW–Eau Claire is currently rolling out Vista and Office 2007. Support calls must be purchased in bundles on a per hour basis instead of per call. This is pressuring them to on upgrade to Premier support.

Ann Marie Durso reported UW–Parkside is migrating to Active Directory. Their consultants indicated that Microsoft has purchased another company that does license metering.

Regarding class action settlements, UW System will try to pull together central records for software purchases under the Enterprise license. Counting the licenses that came with individual desktop purchases will be the responsibility of the institutions. Lori Voss will email guidance to the CIO Council. OLIT will also send out a message to the Provosts, Chancellors and CBOs saying that the CIOs will handle the process.

Network update (Brian Remer)

The Advancing Networking Working Group had its first meeting a couple weeks ago and brainstormed the state of systemwide applications, faculty engagement, connectivity and local connections. Kathy Pletcher will help synthesize the notes. The next meeting is tentatively scheduled for February 22nd at UW–Eau Claire. It is recommended that a mixture both technical staff and CIOs attend. The following meeting may be in Milwaukee.

The BCN Advisory Committee met last Thursday and Mike Meitz of DOA complimented WiscNet's support of the BCN rollout which he said could not have been done without them. Going forward, Elena Pokot will replace Ron Kraemer on the committee.

The Internet 2 community is in turmoil since the onset of the National Lambda Rail project. The two initiatives tend to view each other as competition, even though they have many of the same members. Internet 2 governance and membership are being revamped for the February–March timeline.

Common Systems Review Group report (Ed Meachen)

Report from November CSRG meeting

The biggest issue at the last CSRG meeting was the method for computing campus payments for software maintenance.  The goal is to roll the annual maintenance payments into the overall Common Systems budget based upon institutions' "ability to pay".

The CSRG agreed to have a meeting in March to discuss medium and long range planning for the complete portfolio of Common Systems to collectively add value for the UW System. Andy Richards, David Dumke and Sue Hammersmith will work with Ed, Lorie, and Debbie Durcan to plan the meeting.

Lisa Wheeler asked about the interplay between Common Systems and other contracts that smaller consortiums of UWS institutions want to purchase. It was noted that the actual processes to date have been more organic to codify and organic processes sometimes tend to be reactive. Often, one of the UWS institutions will propose a contract on short notice based upon a particular forward-looking initiative, e.g., Customer Relationship Management. Ed Meachen, would like to see new initiatives and developments discussed and vetted at the CIO Council before there is a push to suddenly buy a systemwide license. Dick Cleek reminded the group of the deliberations around ImageNow vis-ŕ-vis SOA, which went in different directions after being discussed at the CIO Council.

The chief student affairs officers now have an ex-officio liaison to the CSRG.

Update on the RFP processes to obtain project planning consulting services for HR, Supply Chain/Supplier Management, and Student System

Two RFPs were issued in November for consulting services, project planning and scoping for:

  1. HR and supply chain/supplier management
  2. student administration, including fit-gap analysis

An evaluation team is being formed to evaluate the responses to the HR and supply chain proposals and interview the potential vendors.

The student administration RFP was written specifically for UW–La Crosse, but it can be extended to the other three campuses that are looking for new solutions. The RFP was written as a series of modules that can be selected as desired. Analysis of the responses will take place in early January.

Enterprise software portfolio survey (David Hart & Lorie Docken)

Last Spring, the MILER team coordinated a survey of services. A new survey will generate an interactive database of institutional enterprise software that the UWS institutions can update themselves.

General questions surrounding campus expertise, e.g., ColdFusion and shadow systems, will not be included this time around. Suggestions of specific questions should be sent to Lorie Docken. The survey will be distributed in the January timeframe.

Security - levels of assurance (Jim Lowe)

UW–Madison is looking at the liability of maintaining certain types of confidential data. Estimates range from $25-$150 per exposed data element. Information that is deleted doesn't run up security costs. They are triaging their systems in terms of the restricted data elements that are collected, retained and propagated, especially on desktop computers. They have defined restricted data to include that which is covered by WI Act 138 or HIPAA. FERPA and GLB implications have not been considered yet because of the magnitude of the task.

UW–Milwaukee has developed a similar triage worksheet which includes FERPA and GLB considerations that it is trying to circulate to everyone who has a desktop computer via the Unit Technology Representatives in the schools/colleges/divisions. Internal Audit is partnering in the efforts at both institutions.

UW–Madison is in the process of defining levels of assurance for data that address the question of, "How sure am I that you are who you say you are?" It is based upon the NIST 800-63 standards rather than defining particular technologies and practices, which simplifies auditing and compliance. UW–Madison has defined five levels of assurance from public through highly restricted. Level two is comparable to standard password authentication.

UW–Madison would like to get rid of the three character logins that are used by the UWS institutions for accessing business systems on their campus. Before they can do that, they will employ a credential access framework to ensure that the other UWS institutions are at assurance level two. Access to restricted data will require level three authentication, which will likely incur additional costs because of the need to include a physical token of some sort, perhaps an ID card with a special table printed on the back.

UW–Madison is signing up with the newly formed InCommon Federation. Credentialing with InCommon allows for federated (trusted) access to other institutions, such as to NSF for grants, using one's home campus authentication scheme.

The CIO Council recommended engaging the systemwide security group that met with the ITMC in October. Ed Meachen and Jim Lowe will draft a message asking them to join together to assess campus credentials and discuss how each campus is handling and protecting their restricted data so that UW–Madison can move away from the three character IDs.

David Lois suggested taking an approach that would offer some low hanging fruit. The need to coordinate with records management initiatives was also discussed. UW–Madison is investing in building and buying middleware for policy control in this arena, as will be discussed in the next session.

Oracle application presentation and discussion (Ron Kraemer, Brian Busby, Chris Holsman)

Oracle is endeavoring to become a middleware company, not just a database company. The new middleware products will be closely coupled with the Fusion suite that we'll be using for student systems, financials and eventually HR. A few weeks ago, a number of UW–Madison staff visited Oracle to learn more about their middleware. They are also looking at open source products and having discussions with SUN. This presentation maps the current UWS business needs to Oracle's offerings and examines the effort that could be required to implement them.

  1. ID Management and Data Hubs
    • UWS business issues:
      • no central source of person info (the current UWS IAA is limited in scope)
      • lack of delegated ID administration and access management
      • lack of account provisioning
      • limited systemwide single signon capability via the IAA Auth Hub
      • insufficient security audit capability
      • siloed Peoplesoft applications with no sharing of person data
      • restrictions on IAA by the memo of understanding with the UWS institutions
      • increasing requirements for attribute delivery
      • lack of data standardization and synchronization
    • Oracle components can provide:
      • delegated ID administration and access management
      • account provisioning
      • single signon
      • security auditability
    • Product benefits:
      • comprehensive federated IT management solution
      • centralized person data management
      • foundation for integration middleware (SOA, see below)
    • Effort required:
      • approximately 24 months to implement
      • 14-18 FTE required for central deployment
      • hardware/software environments for development, testing and operating
      • significant governance and policy work to define groups, roles, auditing, etc.
  2. Integration middleware (SOA)
    Fusion moves all data into shared repositories, called data hubs, and the applications only handle transactions.
    • UWS business issues:
      • lack of common infrastructure
      • lack of common methodologies for integration
      • enterprise applications require both batch and real-time feeds
      • lack of security standards
      • web services are not discoverable
      • no consistent monitoring of interfaces, feeds, etc.
      • no enterprise workflow (neither manual nor electronic)
      • inadequately defined business processes
      • lack of enterprise environments to support integration
    • Oracle components can provide:
      • remedies for the lack of common infrastructure and methods for integration
      • a consistent messaging infrastructure to guarantee delivery of data from one system to another
      • security standards and policies
      • discoverable web services
      • consistent monitoring
      • enterprise workflow
      • defined business processes
      • enterprise environments that support integration
    • Product benefits:
      • common integration infrastructure and methodologies
      • uniform security processes
      • proactive monitoring
      • reusable, discoverable services
    • Effort required:
      • implementation of the SOA suite on each campus
      • the complexity of integration determines the hardware that is required
      • technical implementation can be accomplished in short order
      • a substantial amount of work for policy definition, governance, standards and business processes
  3. Database management
    • UWS business issues:
      • lack of business continuity infrastructure
      • insufficient security of data
      • lack of centralized monitoring of enterprise applications
      • need for improved performance tuning
      • need for more sophisticated database management
    • Oracle components can provide:
      • business continuity
      • security of data
      • centralized monitoring of applications
      • performance tuning
      • database management
    • Product benefits:
      • much improved security at the database level
      • more cost effective infrastructure for enterprise applications
      • enterprise applications that feature:
        • better monitoring
        • improved performance tuning
        • improved management
    • Effort required:
      • learning curve for the DBAs
      • shift from single server hosting of applications to commodity hardware
      • substantial time to define and implement security policies
  4. Business intelligence
    • UWS business issues:
      • No comprehensive BI strategy across enterprise applications
      • incomplete identification of key performance indicators
      • multiple methods of populating data stores
      • inconsistent delivery of data to business units
      • little sharing of dashboards, etc.
    • Oracle components can provide:
      • analytics server
      • intelligent dashboards
      • reporting and publishing
    • Product benefits:
      • further analysis is needed, especially to determine which gaps are technical and which are process related
    • Effort required:
      • further analysis needed

David Hart noted that currently the UWS has not implemented any business intelligence, although there is some reporting, some of which is shared. The UWS has been leveraging the MILER Core Team and the FASTAR facility. Perhaps it is time to look at what pieces of middleware should be done in common and which should be done at each institution. The current MILER, FASTAR and Hyperion efforts should be re-evaluated with an eye to greater sharing of business intelligence.

Brian Busby explained that SOA is a standards based solution that is "imposed" upon the institutions. The biggest efforts, which are needed before any technology solutions are implemented, will be in policy, governance, conventions, etc. Ann Marie Durso was recently on a conference call regarding features of IADS and no two institutions understood why the other needed what they were asking for. Dick Cleek said a will to collaborate is a pre-requisite for the development of the policies that underlie the technology solutions. Brian Busby noted that some of the data transport interface work that MILER does today would go away in a SOA environment and very little policy work would be required. Ed Meachen predicted that the fit-gap analysis for the new HR system will surface many of the policy issues that separate the UWS campuses.

Brian Busby explained that the two core middleware components are identity management and the messaging infrastructure, i.e., the enterprise service bus (ESB). Putting an ESB on each campus would potentially be a good first step. Even if the UWS had the full suite today, it lacks the staff resources to take advantage of it in a reasonable timeframe.

Ed Meachen suggested another presentation to the CSRG so they can begin to grapple with the concepts and vision, even though this is not the optimal time to secure funding. Meanwhile, UW–Madison may have to replace its identity management system, which underlies the UWS IAA system, in the near term.

Bruce Maas suggested that most enterprise applications have identified champions, but there is none for infrastructure. The same challenge exists locally at the UWS institutions. There is a cost to investing in infrastructure, but there is also a cost to not investing, especially if there is a breach. Ed Meachen noted that the CIOs have to be the champions, because they are the ones who understand the need for infrastructure.

David Crass suggested that the Oracle databases components are almost a given. The maintenance caps on the current Oracle contract expire in 2008.

Next meeting

The next meeting of the CIO Council is on January 18, 2007 in Madison.