Duke ITAC - April 24, 2003 Minutes

Minutes: April 24, 2003

Attending
Ed Anapol, Mike Baptiste, Pakis Bessias, John Board, Paul Conway, Dick Danner represented by Ken Hirsh, Angel Dronsfield, Brian Eder represented by Jeff Garner, David Ferriero represented by Ed Gomes, Nevin Fouts represented by Randy Haskin, Tracy Futhey, Patrick Halpin, Craig Henriquez, Billy Herndon, David Jamieson-Drake, David Jarmul, Roger Loyd, Greg McCarthy, Melissa Mills, Caroline Nisbet, George Oberlander, Lynne O'Brien represented by Jim Coble, Mike Pickett, Rafael Rodriguez, Molly Tamarkin, Steve Woody

Guests
Debbie DeYulia, Asha Jones, Jen Vizas, Ginny Cake, Phil Lemmons, Ben Riseling, Michael Gettes, Dan McCarriar, Eileen Kuo, Chris Cramer, Heather Flanagan

Call to order
Meeting called to order 4:03 pm.

Agenda

I.   Review of minutes and announcements
II.   Removing social security numbers from systems
III.   Student computing review
IV.   Update: Library laptop checkout program
V.   Update: Portal and content management
VI.   Future ITAC policy/process topics
VII.   Other business
 

I. Review of minutes and announcements

Review of Minutes
Mike Pickett welcomes all to the new meeting room, the Allen Board Room. He reminds members that meeting venues will change and there are some TBAs on the schedule that should be announced soon.

Mike asks for comments on the minutes sent out after the last ITAC meeting (March 13, 2003). No comments. Minutes are approved and will be posted.

Announcements
Ken Hirsh announces the 2003 Conference for Law School Computing, June 19-21. Duke Law School is hosting the conference in conjunction with CALI, the Center for Computer-Assisted Legal Instruction. He passes out a brochure with an overview of the event and a schedule.

Heather Flanagan provides a brief update on a Web survey tool discussed in prior ITAC meetings. Her team will have a release candidate to test May 25. She will return to ITAC later with results of the testing.

Tracy Futhey comments on the changing OIT/ECI structure. For a year and a half Bob Currier has overseen network and telephone systems. Networking is where Bob wants to be. He is shifting back to being the full-time network director. Tracy welcomes this change and comments that it will be good to have Bob contributing one hundred percent of his time to networking, especially with the national light rail project and other initiatives. That leaves a gap in the telecommunications area. Angel is overseeing the day-to-day operations in the interim while Tracy and others look for a longer-term solution.

Mike Baptiste announces that the next ITAC infrastructure committee meeting scheduled for April 25, 2003 is cancelled.

John Board, sitting in as chair of the meeting in Robert Wolpert’s absence, points out that he has been waiting a long time to be in charge of the Allen Building Board Room table.

II. Removing social security numbers from systems

Presented by Chris Cramer and Rafael Rodriguez

This is an update about looking into the use of social security numbers (SSNs) around campus and the Health System and how they're used as system identifiers. Chris passes out a white paper written by Rachel Franke and himself.

Several problems with using SSNs are pointed out in the white paper. Among them:

  • SSNs are not good identifiers. Not all Duke community members have SSNs (international students for example) so often Duke must create them.

  • Having SSNs in a system is an additional vulnerability/liability. Chris points to the 55,000 SSNs stolen from the University of Texas.

Chris says it makes sense to migrate away from SSNs as identifiers and as verification of identity. We should stop collecting SSNs for random purposes. Chris found there are 75-80 SSN feeds out of SAP, PeopleSoft, and the enterprise directory. He would like to see 4 or 5 steps incorporated into a policy of some type.

Rafael Rodriguez says the Health System uses the SSN as a patient identifier at Durham Regional Hospital. Most health cards have SSNs as the identifier of the person insured. This is standard practice. Rafael says it will take time and maybe legislation to resolve this use issue. He performed an inventory of systems and determined which systems are capturing SSNs.

John Board wants Tracy to comment on how to enact a change.

Tracy Futhey says the first step is to get the word out. This is happening already. Different groups are using the Duke Unique ID rather than the SSN. She suggests all ITAC members go back and do an assessment of what systems are using SSNs in their area. Having everyone participate and help is a key component to resolving this issue. The question is how fast we can move without breaking the systems that are currently using SSNs. People should still be able to do their jobs and use the systems and we should still be able to feed SSNs when required, but we want to move away from that. We want to identify, educate, and move away from using SSNs as an identifier.

John Board asks what our strategy is for dealing with external vendors who want to use SSNs.

Tracy Futhey asks Angel about cell phones asking for SSNs for a credit check. This is an example of an external vendor using SSNs.

Angel says the cell phone vendor now uses drivers' license numbers instead of SSNs as a result of Duke's pressure to stop using SSNs.

Chris Cramer says we should handle incidents of use on a case-by-case basis. He recommends we at least set up an e-mail address that says if you have SSN concerns, send them here.

Tracy Futhey points out that for new vendors, going forward is easy because we can require they not use SSNs before we consider their services or products.

Molly Tamarkin asks if Tallman Trask will issue a policy on this. She also wants to know when to start asking her administrative people if they are using SSNs in a database.

Tracy Futhey says ask now. The sooner the better. They should know there is a movement afoot. She expects a policy to come out soon and the more advance notice people have, the better.

David Jamieson-Drake understands why we’re trying to get rid of SSNs as a system key, but he points out there are many legitimate reasons why people might need to keep SSNs as something other than as system keys.

John Board asks David Jamieson-Drake why departments should maintain a list of SSNs rather than have them in some central repository somewhere.

David Jamieson-Drake says his point is that we need to be careful not to communicate to people that we are eliminating SSNs altogether.

Chris Cramer says if someone has a cache of SSNs we need to ensure the data is treated properly until they are no longer needed.

David Jamieson-Drake has data sets archived that use SSNs as a validator. Should he go back and develop a new validator for those?

Tracy Futhey says not necessarily. We will deal with these on a case-by-case basis. If there is a critical need then we'll need to determine how to make sure SSNs are secure.

George Oberlander adds that if you have to maintain SSNs it might be acceptable to encrypt them. What is ITAC’s feeling about that?

Chris Cramer answers that we aren’t yet at the point where we need to decide what to do to protect valid SSNs, but when we get there maybe encryption is the answer.

Tracy Futhey reiterates the point is that SSNs should not be used to access systems as a validator. We need to find where that is happening and stop that practice.

Rafael Rodriguez reminds ITAC there are a lot of people using SSNs for no other reason than that is what they always have done and there has been no pressure on them to change.

John Board notices Michael Gettes in attendance and welcomes him to his first official ITAC meeting since starting at Duke.

Molly Tamarkin wants Michael’s social security number.

III. Student computing review: services, issues, plans

Presented by Debbie DeYulia and Asha Jones

Debbie DeYulia deems the first year of the Duke Technology Advantage Program (DTAP) very successful in terms of support issues reported to the Help Desk. The Help Desk Service Center provides hands-on support for DTAP. Computers come in with hardware or software problems and the Service Center works with Duke Computer Repair and Duke Computer Store to resolve problems. Students participating in DTAP have a four-year warranty to cover them while they are undergraduates. Some recurring problems the Service Center has seen this year were computers that had been identified by Chris Cramer’s IT Security Office as having been hacked. The Service Center team cleans up those computers and sends them back out. The Service Center also does a lot of proactive maintenance when computers come in, hoping they won’t be back again.

Chris Cramer points out that IT Security has seen a dramatic decrease in hacked computers and he credits this in part to the work of the Service Center. At the beginning of the semester the IT Security Office saw about 50 hacked computers per month. Now they get about 4 or 5, he says.

Debbie DeYulia adds that the number of computers with viruses has decreased significantly too. Many of the problems they see now are software connectivity issues; for example, there are lots of p2p programs interfering with operating systems and connectivity. She is looking forward to the fall semester and security campaigns to deal with these kinds of issues as well as potentially offering service to bring computers in for that too.

Asha Jones tells ITAC that the Students With Access to Technology (SWAT) program's procedures have been fine-tuned over the past few years. SWAT supports student computers and the students operating them. SWAT is in labs and in dorm rooms working on computers. Freshmen tend to make appointments and forget they made the appointment. Also, incoming freshmen tend to have newer computers so their problems are generally easy to fix. Upperclassmen are typically busy and wait until the last minute to call SWAT. She's looking for proactive strategies that can be targeted to upperclassmen.

John Board asks if there is any data giving a sense of the breakdown between software issues and hardware issues. He also asks how the first year of DTAP machines have held up.

Debbie DeYulia answers that most issues are software problems with only a few hardware issues.

John Board is concerned that while freshmen are covered by DTAP, upperclassmen who didn’t have a chance to participate in the program are being discriminated against when it comes to support. He asks if we know how many students have been turned away for support because they weren't DTAP participants. He thinks we are going to be mean to people who aren’t part of the program.

Asha Jones answers that all students are taken care of regardless of whether or not they participate in the DTAP program, but DTAP computers get priority and a faster turnaround.

Debbie DeYulia says as the program moves ahead, part of the incentive for participating in DTAP is that you get priority service. Many non-DTAP machines were serviced this year. She admits that we need to set some parameters, but that no student has been turned away by the support groups. DTAP just gets priority.

John Board introduces Eileen Kuo, a student representative from Duke Student Government. He asks Eileen if students are satisfied with this kind of support.

Eileen says yes, as far as she knows. She brings up issues that students are currently having trouble with: slow downloads. She says we should better educate freshmen about disabling p2p uploading.

Debbie DeYulia points out to ITAC that we do have a filesharing Web page that addresses these issues. She suggests maybe we should integrate it more into our overall IT education for incoming students.

Eileen thinks that is a good idea.

Ginny Cake asks Eileen for suggestions of how OIT can get the message out to students effectively. So far we haven’t been very effective. Eileen has no suggestions.

John Board asks Eileen about labs: Are there any complaints about operating systems? Equipment?

Eileen is not aware of any problems.

IV. Update: Library laptop checkout program

Presented by Ed Gomes

Ed Gomes describes the library’s laptop checkout program. He hands out a report. The same information can be found at www.lib.duke.edu/access/laptop.

Ed says the library has been considering the program for a few years. Other institutions have been successful with similar programs. The Perkins Library program is officially a trial even though it is in full operation. He points to the handout and the circulation statistics. They have been good. We have 12 laptops, Dell Latitude C610s, with the full Microsoft Office suite, built-in wireless networking, and acpub account access. Unfortunately the access is not through AFS. They couldn’t get it to work with the wireless network. So the AFS client was replaced with F-Secure to connect to AFS space. Also, laptop users have use of a dedicated print station. They are testing UI print software for managing printing. This provides a dedicated release station where users can call up print jobs and print on demand. If a job is not printed, the queue will delete it in 24 hours.

Ed says we’ve locked down the laptops pretty well. The student is responsible for the laptop he checks out. It’s about $2,500 worth. There is a $10 per hour fee if they go over their checkout period. The laptops are checked out just like other library materials. Response has been good about the program from faculty and students. It has been very popular so far.

John Board asks how often the laptops are re-imaged and if there is a regular maintenance schedule.

Ed responds that they are re-imaged only as needed. When they are checked in we wipe the user profile so there are no security concerns about private data.

John Board asks how labor intensive the process is for the staff.

Ed says because the program is so popular the person responsible at the circulation desk has indicated it is becoming a full-time job.

Tracy Futhey assumes the numbers representing checkouts are not unique individuals but repeat users. She asks if there is any data on the dispersal of people checking them out. How many unique users?

Ed says that data is easy to pull from the statistics. His group is going to review software at the end of the semester to determine if it is what students need. They will also review hardware.

Chris Cramer suggests the library may want to look into kiosking software. This seems like a perfect application for that type of software.

John Board thinks this is a model a lot of ITAC members will be looking at.

V. Update: Portal and content management

Presented by Dan McCarriar

Dan McCarriar says that, regarding the CMS, we have concluded the product selection. The RFP process could have been finished by now if we had selected an off-the-shelf, commercial product, but since we chose product X that offers more customization, it will take a little more time. He expects to have that all set in about a month.

Architecturally we are looking at a core set of functionality and verticals on top that people are used to. One of those is a general campus vertical, where people can take advantage of templating, revision control, and other things. Other groups might have more robust needs. Those groups’ instances of the CMS will be able to look different, but all users will share the same framework so if we want to upgrade the system we just slide in a new core and everyone benefits.

As for portals, the effort is still in a subcommittee now. The last time we talked about what portals are and what they need to do. We have benchmarked what other universities are doing and identified constituent groups that might use the portal. This includes internal groups like students and faculty, and external groups like alumni and potential students. We concluded that for the initial pilot we would like to focus on undergraduate students as a constituent group. We still have to decide what time frame we want to operate on and what the business case is for a portal.

Melissa Mills (also on the portal subcommittee) says for benchmarking we got help from schools that have made a significant investment in portals. Some are successful and some are not, as rated by themselves. We looked at eight portal projects. Half have been judged successful in that they found root and are growing--they are being used. The other four failed and will be redone or they’re not sure what to do with them. The good news is that all agreed what made for success and what made for lack of success.

There seemed to be a negative correlation between the success of a project and the amount of money put into it. Projects with lots of money and time put into them generally failed. It won’t be successful if done in a small committee. It must be done in the whole community. We expect the final report to come out in a month.

George Oberlander wants to know if there is an explanation for the inverse money/success relationship.

Dan McCarriar says one factor is off-the-shelf expensive products versus open-source.

Tracy Futhey says another is high expectations. If you throw a lot of money into something you expect a lot out of it.

Paul Conway adds that there is an incentive for standards. Almost every vendor of a major enterprise system used by Duke has a portal application claiming to meet standards.

Pat Halpin cautions that when looking at cost of a centralized system versus a dispersed system, it may look like the centralized system costs more and dispersed system costs less, but that is because we are not keeping the accounting for all of the dispersed system.

VI. Future ITAC policy/process topics

John Board says he set aside time at the end of this meeting for members to voice what they want to see discussed at future ITAC meetings.

David Jamieson-Drake would like different schools to talk about OIT--what they need and how they are supported by OIT.

(Someone says) How about a discussion on what kinds of policies we need to adopt and when we should take on a policy generation role or pass it on to another, larger committee?

Molly Tamarkin asks what is our obligation to preserve electronic documents we create? How long do we keep them? What should we do about this? How about a discussion on archiving issues?

John Board thinks ITAC suffered this year by not having students attend ITAC meetings. If Eileen will convince the Duke Student Government to elect a representative who will attend ITAC meetings, that would be helpful and important.

VII. Other business

George Oberlander asks if there is a policy on the commercial use of Duke Web sites--linking to commercial sites from Duke sites.

Dan McCarriar says there are now and will be some general Web policy issues that ITAC needs to decide.

Mike Pickett was out of town when we spoke of guidelines for system administrators regarding the USA PATRIOT Act. What happened with that?

Chris Cramer answers that it was tabled to committee.


Meeting closed: 5:21 pm.