Information and Instructional Technology Policy Subcommittee

Minutes

December, 2014, 2:00 – 3:00 pm, SSB 324

Attending: Andrea Gonzales, Nicolas Cachanosky, Jeff Forrest, Dave Schuette, Rick Beck, Mike Hart, Michael Erskine, James Lyall, Lee Taylor

Absent: Prabodh Telang, Patsy Hernandez, Cristina Miguez, Kevin Taylor

Procedural Items:

  1. Review of Minutes from the last meeting. Andrea moved to approve minutes. Jeff seconded and they were unanimously approved.
  2. Cristina Miguez has resigned.
  3. Kevin Taylor is our new Associate Director of ITS Application Services. Rick is retiring effective January 31st. Kevin will be taking over duties in the interim as we look for a replacement.

Announcements/Updates:

  1. Current and Recent IT Services Projects
  2. Office 365 migration for campus is nearly completed. All but 500 accounts have been migrated. We will complete this month so we can turn off the Exchange environment next month.
  3. Continued issues with compromised accounts through phishing emails. We’ve been blacklisted almost every week from people falling for phishing scams. None of the compromised accounts were from people who took the SANS training.
  4. SANS security training progress. We registered 3400 individuals for training and 545 have completed. What’s the best way to get people to take this training? One idea is to tie it to password expiration: if you want your password not to expire, you need to take the SANS training. We could take this suggestion to ITSOC.
  5. Active Directory migration completed for all users. WINAD is in place for everything. Will make things easier, as we now have a single form of authentication.
  6. Security incident 12/3/14. We were down for approximately ½ hour, our website was down for 4 hours, ConnectU down 7 hours. It’s not that we don’t have great equipment, just a challenge we have to deal with. Did emergency change of IP address.
  7. Information on HIPAA settlement case. The University of Maryland was fined $150k for not having good security in place. It still hasn’t installed firewalls to protect all of its sensitive data a year after a pretty significant security breach.
  8. SCCM is the configuration manager for Windows machines. We will do a pilot of ITS next week and then roll out to labs over the break. When we find it successful, we will ask permission to roll out to faculty.

Items for Discussion/Recommendation:

  1. Review of Proposed Documents
  2. We have three draft policies. The creation and review is almost verbatim what we were charged to do.
  3. Annual Security Training. There are a number of different policies with CRS (Colorado Revised Statutes).
  4. Data Classification is from George Washington University.
  5. We need to go through the list and prioritize between now and our next meeting and determine which are university policies and which are departmental policies. We will have hyperlinks to additional information.
  6. Under “Creation and Review of Information Security Policies” change to title and department or job role and not name in the last sentence. Use the word “steward” instead of policy “owner”.
  7. We purchased a document of 1100 pages of information technology policies. Six of the policies are on security training.
  8. Security Awareness Training Policy. The policy is just four paragraphs. The commentary is longer than the policy. By having an executive approve, it carries more weight. Remove the 4th paragraph to create more flexibility. We won’t put commentary in the policy document.
  9. Data Classification is big. We can start by identifying confidential information: social security numbers, credit card numbers, a combination of data. We will be following state guidelines. We want everyone to look at these policies on a high level. Mike will send out to get feedback. We will develop what terms we want to use like “steward” instead of “owner” and come up with a consistent tone across all of the documents. A key piece of data is classification.
  10. Records Management Policy is a whole other piece to go with this.
  11. We are starting from scratch. We will compare the George Washington document against best practices. “Here’s the six policies we needed”. We will use the George Washington document as a starting place. We need to look at them as a group of policies together, with supporting policies. Develop a template and make obvious changes and bring the document to this group.
  12. Our List of Policies: Do we want to do this in phases and work to abolish old policies? We could add a line that this supersedes previous policy. What are the policies we find to be the most out-of-date?
  13. Organizational chart needs to be combined.
  14. Andrea and Mike will take all of the policies we have now and give it their best shot at bundling. It is a more effective use of time if Andrea and Mike go through first.
  1. Request for additional members of subcommittee – Susan Cook as representative of Extended Campus:
  2. We will need to update membership. We need to replace Cristina and look at vacancies. The School of Education and Extended Campus are not included. Would like to recommend our amended membership at the next ITSOC meeting. We will change membership on our website.

Next Meeting – Call for Agenda Items:

  1. Next Meetings: February 13th and April 17th, 2 – 3 p.m., SSB 324