IT STEERING COMMITTEE MEETING MINUTES
WEDNESDAY, FEBRUARY 5, 2020
WAYNE A. REAUD CONFERENCE ROOM 312
10:00 A.M.
PRESENT: Dr. Arne Almquist, Dr. Priscilla Parsons, Dr. Larry Osborne, Vicki McNeil, David Williams, Dr. Brenda Nichols, Dr. Jerry Lin, Juan Zabala, Dr. Joe Nordgren, Jeremy Alltop
ABSENT: Charla Pate
SPECIAL GUEST: Srinivas Varadaraj
The meeting was called to order at 10:00 a.m. by Priscilla Parsons.
APPROVAL OF MINUTES:
- Minutes will be addressed at the next meeting due to not being able to obtain the minutes from the latest meeting that was held.
ANNOUNCEMENTS: Priscilla Parsons
- Per the recommendations put forth in the IT Strategic Planning process regarding governance, this committee was co-chaired by the Provost and the Vice President for Finance & Operations but will now be co-chaired by the Vice President for Management Information & Analysis and the Vice President for Information Technology.
- Everyone introduced themselves due to changes of a few committee members.
AGENDA ITEMS:
- Tableau:
- Arne Almquist
- Day by day student headcount can be tracked back three years
- There is a substantial increase in enrollment this year for Íæż½ã½ã
- Data can be downloaded into an Excel spreadsheet
- Ellucian Analytics Project – 219 Tableau tiles with data from HR to students
- Will be able to customize the tiles
- Ellucian Analytics Project
- Priscilla Parsons
- Continuing on Ellucian Analytics: Rollout began with HR, then Finance, and we will soon begin student
- Working with Ellucian development team with issues on data validation
- Verifying data with HR and believe we are in the final steps with Finance
- Bulk data load – Taylor Stephenson has started first round of student data loads
- Data management and cleanup will be ongoing
- MIA will manage the access
- Data Literacy:
- Arne Almquist
- Users need to better understand data concepts, including when to use a particular source, which data is more reliable, etc.
- Working to build the abilities of our analysts to be able to ferret out your requirements
- Juan Zabala
- Concern about data being downloaded into an Excel spreadsheet from Tableau and shared with someone who does not have the license to look at the data
- Arne Almquist
- This is a policy issue that will be discussed one on one later
- Vicki McNeil
- How much is a license and how do you get one?
- Arne Almquist
- There are two licenses available…contact Greg Marsh for more information
- Proposed IT Policies
- Priscilla Parsons
- Information Security Incidence Management Policy handout was distributed
- Required by the State of Texas
- Assign authority to manage the cyber security incident to the Information Security Officer
- Sets responsibilities for the work that is done within that Incident Management Process
- Certain incidents are required to be reported to the State as required by Texas Administrative Code
- System and Service Acquisition Policy was distributed
- Review and revision of existing policies – Review of the Acquisition of Technology and System and Service Acquisition Policy
- Indicates roles and responsibilities for the CIO or the IRM
- Previsions around the requirement to have compliance reviews completed before technology is acquired
- Extends to applications and technologies that are developed on campus
- Security Awareness Training Packet was distributed
- All faculty and staff must be trained by Mid-June using an Information Security Awareness program that has been certified with the Department of Information Resources
- Role based training coordinated through the Information Security Office
- Training upon initial employment and thereafter – extends to vendors, contractors and temporaries
- Juan Zabala
- Who will manage who receives the proper training?
- Priscilla Parsons
- The Information Security Office will evaluate
- Provided matrix shows which course(s) each employee must complete
- Some employees may have to take more than one course depending on their role
- Will be meeting with HR tomorrow to go over tracking methods
- Jerry Lin
- Priscilla Parsons
- This is awareness training only
- This training can be previewed by committee members and it will count toward your requirements
- Vicki McNeil
- Do the employees self-identify which training they need, or will HR and IT decide that?
- Priscilla Parsons
- IT will determine the broad categories, though departments will know more about what each individual does or has access to
- IT will work with HR and the Vice Presidents
- Data Loss Prevention
- Srinivas Varadaraj
- Data Loss Prevention handout was distributed
- “You can’t protect what you don’t know exists”
- Attempt to provide data loss prevention relies on detecting where the data is and applying technology to protect the data
- 2 focuses: detection in email streams and data on workstations
- Defined Data is information such as social security numbers, credit cards, driver’s license numbers
- Institutional Data is Lamar IDs, passwords, academic history
- Priscilla Parsons
- Decision point for email scanning – 3 approaches
- Monitor and report on emails containing confidential information
- Notify of alert of confidential information
- Blocking because it likely contains confidential information
- Where do we start as an institution?
- Recommend starting with at least notification, ultimately getting to the block phase
- Vicki McNeil
- Are these referring to emails going to another Lamar employee or off-campus?
- Srinivas Varadaraj
- Both – email is one of the most targeted vectors, protected by password alone
- Jeremy Alltop
- Arguments against blocking:
- There is still a need to be able to do business, we should not resort to faxing, but I appreciate the warning to raise awareness
- Could be in a deadline situation and cannot transmit something due to no one being available to help me after hours
- Vicki Ward
- Does the notification go to the employee only or the supervisor also?
- Priscilla Parsons
- Right now, immediate notification goes to employee sending email
- Potentially able to report to supervisors about behavior in areas
- Juan Zabala
- Amount of data should also be taken into consideration - one credit card number versus thirty
- Jeremy Alltop
- Due to sense of responsibility, request to provide executive level reporting
- Data-at-rest (DAR)
- With more storage, we tend to keep more information, making the university more liable
- Spirion provides a dashboard that automatically searches your computer, so you can remove unnecessary data
- Arne Almquist
- Before dumping data, contact the university records manager to find out if it needs to be kept
- Priscilla Parsons
- Looking for permission to extend this tool beyond HR and Finance into other Administrative areas
- Looking to encrypt laptops and desktops, shielding us from a large amount of liability
- Determine if confidential information is an official record, if not, why do you need it?
- If so, it needs to be stored accordingly as a record and be encrypted
- Decision
- Priscilla Parsons
- Do we have a decision on email filtering?
- Everyone
- Agreed to notifications of confidential information
- Vickie McNeil
- Are we going to notify employees of this policy? In simplified terms with examples?
- Priscilla Parsons
- Yes, we can also test a small group before implementation
- New Desktop Device Management
- Priscilla Parsons
- Client Management Tools handout was distributed
- CMT is a tool for managing computers such as desktops or laptops but may be used to manage mobile devices
- Primary purpose is to apply patches, install and update software and inventory licensed software
- CMT allows these processes to be automated for efficiency, accuracy and completeness
- Benefits include:
- Security – email and desktops are common targets
- Confidentiality – data and files, no personal data is scanned
- Reliability – quickly receive updates and patches with little interaction from user, custom schedules can be requested
- Time efficiency – campus-wide software can be installed without a technician, or remotely
- Management Information – dashboards and reports provide current state of computers
- Microsoft System Center Configuration Manager (SCCM) will manage Íæż½ã½ã Windows-based computers
- Microsoft InTune will manage Íæż½ã½ã mobile devices – if lost of stolen, data can be wiped clean remotely
- The “client” runs in the background and does not interfere with operations of that computer
- Central IT will administer on the administrative computers, will be working with Deans to appoint who will manage the desktops in their area
- Recommended Schedule:
- IT Pilot has been installed on all IT desktops, has pushed one patch cycle
- Internal marketing/communication materials
- Administrative computers (client only by mid-February – no patching) – no Windows 7 (probably still about 200 computers, in academic arena about 1,000 still have Windows 7) with two-week exception period
- Academic computers (by end of Spring term) with two-week exception period
- Have been working directly with Microsoft with a dedicated service engineer
- Jerry Lin
- Will this system manage computers that log in locally but are not directly connected to the network?
- Srinivas Varadaraj
- Yes and no…local login will have an account that becomes part of the domain and becomes visible
- Would like to move forward with Administrative roll-out per the schedule
QUESTIONS AND CONCERNS:
- Brenda Nichols
- After looking at all the University committees and councils, this area has three separate committees that seem to overlap, should two or more be combined?
- IT Steering Committee
- Academic IT Computing
- Information Security Committee
- Pricilla Parsons
- An Administrative Computing Committee has been newly recommended as well
- This does need to be reviewed
- Jerry Lin
- IRC – surveys that are being done or requested - can we have an approver?
- Priscilla Parsons
- More information is needed, and this will be dealt with personally
ADJOURNMENT:
- The meeting was adjourned at 11:05 a.m.
NEXT MEETING: