Duke ITAC - November 18, 1999 Minutes
November 18, 1999
Attending: Ed Anapol, Landen Bain, Pakis Bessias, Grady Powell (for Kevin Cheuug), Jim Coble (for David Ferriero), Nevin Fouts, Pete Goswick, Mike Gower, Patrick Halpin, Donna Hewitt, Bob Newlin (for David Jamieson-Drake), Pete Boyd (for Ken Knoerr), Betty Leydon, Roger Loyd, Caroline Nisbet, George Oberlander, Mike Pickett, Rafael Rodriguez, Mike Russell, Leslie Saper, Clark Smith, Robert Wolpert, Chris Cramer, Charles Register
Review of Minutes and Announcements:
- Minutes of the November 4th meeting accepted without revision.
- Since last meeting Pat Halpin and wife have a new baby boy.
- In 2 weeks, the cluster allocation of the 2000 academic year will be examined as to what is needed to refresh the clusters (student platforms, costs, etc.)
Betty Leydon announced that Mike Pickett has completed his mission with the Enterprise project and is returning to OIT. She stated that this transition gave an opportunity to look at reorganization and the need to establish more formal collaboration with MCIS for the good of the institution as a whole.
Rafael Rodriguez will now assume a new role in leading the effort to establish a more joint infrastructure with MCIS. He has been primarily on the 'academic side' and will now become involved with the 'Health System side'. For the next 6-9 months he will be looking closely at the voice technology issue in looking toward PBX. Beyond the 6-9 months, he will be involved in common infrastructure issues. Issues relating to funding will be examined as well.
Mike Pickett, then, will be assuming responsibility for the areas Rafael was managing, and in addition, will be "right hand" to Betty. Mike will also assist Betty in strategic planning and policy issues and serve as the Vice Chair of ITAC. Requests for agenda items can go to him.
Rafael will continue to come to the ITAC meetings.
Billy Herndon (application services, customer support, operations) will become an ex-officio member of ITAC.
Continuing Discussion on Security
- Education: establishing values and principles used to think about security. These have been used as guidelines to examine how we want to protect the computing assets of departments, schools and centralized computing resources. Out of this came some "how-tos". Charlie stressed that the values will not change, but the "how-tos" will change.
- Fixing the Problems: dealing with security events and attacks as they happen. There is now a need to develop policies to back up security interventions.
- Personal accountability issues -- regarding education about proper use and personal liabilities
- Technical issues -- not as sweeping as individual issues
- Consider the idea of 'security audits' using implementation teams to assist departments/schools in establishing appropriate security measures.
- Advise administrators to acquire a systems administrator if they do not already have one and provide for the necessary professional training which would include instruction in security issues.
- Establish a proactive approach to identify the process of security education, etc. and then develop a plan to carry it out.
- Core Values of IT Security which included:
- privacy and respect for the individual
- respect for the ownership of original works
- safety of the community and protection from harassment and threat
- protection of IT resources from disruption
- Core Principles of IT Security (based on the core values)
- a representative group to put together comprehensive fundamentals regarding security (making use of the Core Values and Principles)
- develop an emergency response team with guidelines as to what they can and cannot do.
- "HELP! What should I do, as an end-user, to protect my own electronic privacy and security?"
- "HELP! What should I do, as a network or system administrator, to protect the electronic privacy and security of my systems?"
- "HELP! There has been an intrusion (I've been hacked)"
- "Help Me: Things you can do to help yourself and others" which cover:
Charlie Register, the Security Officer, is the contact for all computer security issues. However, the responsibilities and authority of this position are still evolving. He is requesting input on refining these as well as how to disseminate information to all the constituencies of the University. To date his efforts have been aimed in 2 directions:
Robert Wolpert discussed a meeting he had with some members of Academic Council regarding the relationship of the Council with ITAC. He reported that it was up to ITAC to propose a policy to resolve conflicts regarding freedom of information. Then, Academic Council will approve or disapprove. Annually a report from ITAC will go to the Council to outline what was done during the year.
Landen Bain stated that HIPAA (Health Insurance Portability & Accountability Act of 1996) has very stringent security regulations (external audit potentially more expensive than Y2K). Dave Kirby will be asked to do a presentation to ITAC regarding this matter.
It was stressed that security issues cut across all faculty, staff and students. Categories of issues:
Charlie presented his web site (http://www.oit.duke.edu/~charlie) and his links to security resources.
His web page has helpful user information:
He asked for feedback on the web site to be sure he is on the right track with information.
There were a couple of suggestions regarding security matters:
The big question to answer: What is the process to make people at Duke aware? Once this is decided, then implementation can be developed (a checklist).
Charlie distributed 2 documents to the committee that he stated were intended to stress that IT security is everyone's issue. These documents were
It was noted that there was no faculty member on the Security Advisory Group: Ed Anapol, Accounting Systems; Rob Carter, OIT Systems Administration; Stephen Galla, Fuqua School of Business; Pete Gentry, Medical Center; Alan Halachmi, Duke Student Government; Mark Hennings, Medical Center; Melissa Mills, Arts & Sciences; George Oberlander, Auxiliaries Information Services; Al Trozzo, Internal Audit. It was suggested to convene a subcommittee that would include faculty representation.
A question was asked about the kinds of security issues that will arise with the advent of SISS. Charlie stated that the biggest problem is with the student machines on our network.
He made these requests:
He indicated that he is constantly asked, "What are your policies?"
IT Strategic Planning Update
- Research and high performance computing needs
- Instructional technology needs
- Chair of ITAC
- Betty Leydon
- Chairs of the above 2 committees
- Robert Wolpert (ITAC)
- Landen Bain (Medical Center Information Systems)
- Lynne O'Brien (Center for Instructional Technology)
The President has directed this planning effort to be led out of the Provost's office. The planning process will be directed by a Planning Steering Committee made up of the leadership of the entire institution and will consist of 12 members. John Harer will serve as the Academic Planning process coordinator. A draft of the plan is to be submitted to the Trustees in September 2000 and the final planning document in December 2000. A primary question is "what is Duke and what does it want to do in the years ahead." A comment was made that in addition to new things that Duke needs to do or accomplish, focus also needs to be on those things that need to be done better.
Two faculty committees will be convened (selection of committee members has not been completed):
These committees will prepare reports that will go to the coordinating committee made up of:
They will look at the technical implications of the reports including cost factors. ITAC and OIT will then determine where to go over the next few years.
A few resource people have been named:
A question for John Harer is "What should ITAC's role be in the process?"
A web site has been created for this planning project (not much there yet) http://www.planning.duke.edu/