Duke ITAC - April 8, 1999 Minutes
DUKE ITAC - April 8, 1999 Minutes
April 8, 1999
Attending: Pakis Bessias, David Ferriero, Nevin Fouts, Jimmy Grewal, Patrick Halpin, David Jamieson-Drake, Jason Kreuter, Betty Leydon, Melissa Mills, George Oberlander, Mike Pickett, Rafael Rodriguez, John Sigmon, Chris Cramer (for John Board), Andy Keck (for Roger Loyd), Alan Halachmi (for Kevin Cheung), Kyle Johnson (for Caroline Nisbet)
Guests: Ginny Cake, Bruce Cunningham, Charles Register, and Jim Rigney
Call to Order: Meeting called to order by at 4:00pm
Review of Minutes and Announcements:
- Minutes approved for 3/11/99
- Betty Leydon announced that Annette Foster, the university's Year 2000 Compliance Officer, will be leaving Duke effective April 30, 1999. Neal Paris from OIT has agreed to take over Annette's Y2K duties.
- Betty mentioned that there were very few requests from faculty with regards to the cluster upgrade. The decision to change the ratio of PC's to Macs in favor of PC's was based on data that came mostly from
- surveys of incoming students and
- the type of companies that graduates join after leaving Duke.
Jimmy Grewal commented that the Old Chemistry Mac cluster is not used much, but that the he hopes the number of Macs at Perkins will not be reduced because students have 24 hour access to the Macs there.
John Sigmon said that there is no universal solution to please all constituents and we will need more data to base our decision for next year's cluster upgrade.
Confidentiality Committee Report
Bruce Cunningham (University Registrar and Project Manager for SISS) gave an overview of the reasons for the formation of the Confidentiality Committee (12-13 members). As Student Information Services and Systems (SISS) is implemented at Schools and Departments around Duke, the issue of the confidentiality of student data arose. Under the new system, student data will become more decentralized. The committee is charged with identifying confidentiality issues and creating guidelines and policies for access and distribution of confidential student data.
The University follows confidentiality policies that are based on the Family Educational Rights and Privacy Act (FERPA). In a nutshell, student academic data is owned by the student and a student's written permission is required for release to external sources and internal constituents not having a "legitimate educational interest" in the data.That is true with the exception of "directory information" data such as Name, Address, major etc. which can be released without a student's consent.
The committee plans to educate the Duke community about student data acceptable use and is in the process of creating the policy statement and guidelines. The goal is to provide SISS users at Schools and departments with as much student data as possible without sacrificing confidentiality.
Discussion ensued when social security number, EMPL (used in SISS) and Duke Unique ID (used in On-line Phonebook and other systems) was mentioned. According to a proposed policy, the use of SSN as a student ID number will cease with SISS, even though it will still be required for other purposes such as financial aid, tax reporting, and external data interfaces. Instead, the PeopleSoft assigned EMPL ID has been proposed as the official student ID. According to FERPA rules, the Student ID cannot be published. Therefore, if we use the Duke Unique ID, its publication must be ceased.
There are a few problems with using yet another number for a student identifier.
Jimmy Grewal mentioned that students will now have to remember yet another number!
Kyle Johnson mentioned the hardship for the departments that have spent a lot of resources changing their systems to use the Duke Unique ID and now will have to change those same systems to use a different number.
David Jamieson Drake suggested that maybe the Duke Unique ID should be the Student ID in SISS so that the students can use it for all services without learning more ID's.
Bruce said that were we to do that, we might have to reissue them due to the FERPA restrictions.
IT Security Officer Update
- Make people aware of security e.g. password issues
- Work with Publications and Training to create security publications
- Make public announcements of hacker incidents
- Put together a Duke-specific install for LINUX ("a major security hole")
- Develop certification process (a check list) for LAN administrators to secure Departmental servers.
Charlie Register proceeded to give an update on IT Security at Duke. He mentioned the formation of the Security Advisory Group, a small group of volunteer representatives that he is working with: Ed Anapol, Rob Carter, Alan Halachmi, Melissa Mills, George Oberlander, Al Trozzo. He is currently looking for additional members from the Medical Center. They have met twice and have been working on identifying needs. Below are some of the ideas/plans they would like to pursue:
Charlie then talked about recent security incidents on campus where ACPUB and other computers on both Dukenet and CSN were compromised and were used to launch "Denial of Service" attacks on other off-campus computers. Of the 2600 ACPUB accounts that were compromised in January of this year, OIT had to lock about 130 accounts for which the passwords had not been changed after repeated notification to the users. He also referred to a brand new threat where a program attacks the Operating System Kernel ( mentioned Solaris ) and is almost undetectable. Lastly, he talked about encryption software and the legal issues arising from its distribution. Discussion followed:
Nevin: If people hack and we catch them, we should try to prosecute them.
Charlie: Unfortunately, they are very hard to find and catch. We collaborate with the FBI and other law enforcement on these issues.
David Jamieson-Drake: Are there ways to evaluate "honey pots" (unsecured systems). What are OIT and MCIS doing on this issue?
Betty: The Internal Audit Office is in charge of this.
Charlie:We don't have the resources currently, we are reactive.
David Jamieson-Drake: What about Tivoli and SnareWorks?
Charlie: I don't know about Tivoli, but SnareWorks will be great for authentication and data encryption. But it won't do anything for Denial of Service attacks, it is not a firewall.
Computer Stores On-line Purchases Update
- planned Tech Fair,
Jim is working with Neal Paris to bring in vendors at the Searle Center on June 17th (tentative). The emphasis will be on attracting vendors that would be of interest to the staff and faculty. There will be a different fair at the Bryan Center later on that would be tailored to student needs. Jim would like to showcase some "internal vendors" that provide services to the Duke community and gave Surplus and Salvage as one example.
If you have any good ideas about vendors, fair format etc. please email Jim at email@example.com.
- On-line purchase web site demo,
Next, he demonstrated the Online-Purchases web site (http://18.104.22.168/cpustore.nsf) that includes Duke-specific systems from Dell, IBM and HP. The site has been live for 10 months and has been very successful ( 29% increase in hardware sales). Dell has been the winner so far, accounting for the majority of sales with IBM second. It has been very difficult, but Jim is working to add standard Duke software (NT 4.0, Acrobat, Notes, McAfee, Tivoli etc.) on the available systems. Compaq might be another vendor that will be added in the future.
- Microsoft Licensing issues
Lastly, he gave a brief update on a very murky topic, Microsoft Licensing. Jim used Office 97 as an example. Duke users can get the academic license for it for $50, and the academic packaged product for $250. He said that Microsoft wants to count FTE's ( Full Time Equivalent) and that Duke will get a Level-B pricing ( > 3000 FTE's) which will allow students to get the same package for $16 and departments for $45. He said that he will continue to talk with Microsoft and give an update when things are clearer about what the choices are.
Jim Rigney gave an update on
Ginny Cake then passed around the draft copy of the letter with the 1999-2000 Student Computer Recommendations. This final form of the letter will be distributed at the end of May to incoming undergraduates. The committee provided feedback and pointed out minor errors. Ginny asked that any additional feedback be sent to her in the next few days. She said the main goal is to hopefully provide the freshmen with some good guidelines to make a system purchase that would be good for 3-4 years. Lastly, Ginny mentioned that Ken Hirsh (Law School) has already published his (almost identical ) version of the recommendation letter.