February 26, 2009 Minutes

ITAC Agenda
February 26, 2009 4:00-5:30
RENCI Center

Announcements & Meeting Minutes
Update on Blackboard Upgrade (Neal Caidin, Chris Meyer)
Security Vulnerability Testing (Paul Horner)
ViewsFlash Update (Samantha Earp, Ed Gomes)
Unity Voicemail Deletion Guidelines (Bob Johnson)

Announcements & Meeting Minutes

Terry Oas opened by asking ITAC members present at the February 12, 2009 meeting if they had comments on the minutes. Noting no objections, Terry accepted the minutes and stated that they would be posted on the ITAC web site.
(http://www.oit.duke.edu/itac/index.html)

Update on Blackboard Upgrade (Neal Caidin, Chris Meyer)

Neal Caidin was present to review the planning of the Blackboard upgrade plan and then offer a demonstration of the new version of Blackboard. Duke will upgrade from its current implemented version (6.3) to Blackboard 8. Blackboard 8 has been out for a year and is very stable. The primary driver for the upgrade is to ensure that Duke is on a supported version, Neal said. In addition, the development of Blackboard into a portal for other services – such as Lectopia or e-Reserves – may require the newer integration capabilities offered in the new version.

The planned upgrade date is Thursday May 7, 2009 at 6:00pm. The upgrade is scheduled for three full days due to the technical complexity and data migration. This date was selected in collaboration with the Registrar’s office and graduation schedules to minimize impact, Neal said. During this upgrade window, the production data will be available by request should one need to access the information in an emergency.

Chris Meyer spoke about Shibboleth integration and the load testing. Shibboleth integration is new since the existing system connects through webauth. In addition, the system allows for pass-through authentication for individuals that are not Duke affiliates, Chris noted. With the Shibboleth implementation, a Blackboard-only container will be created, Chris said.

He added that the implementation is trickier than previous versions, and that there are a few open issues the technical team is working on. Chris said that the team expected these issues to be resolved by March 6 without impacting any other groups or testing, including the CIT core group. Chris added that a load testing plan should be completed by the end of February, and that his team expects to begin executing that test plan in mid-March. Some of the items that will be tested include:

Uploading and downloading of course materials
System response time using similar load to current production load. The project team has metrics that provide good information on the sample load.

Neal added that the testing plan includes the new Shibboleth model. There will be new Blackboard-only accounts for Shibboleth that are independent of NetIDs, a departure from previous models. Neal continued that the today’s grade export functionality does not function as expected with the new version; the vendor is aware of this issue and is working with Duke on it.

Neal said that the communication plan includes outreach to faculty and instructors through email, Blackboard announcements and hands-on training. Other groups included in the communication plan are students, IT staff, and administrators.

Terry asked if there was a way to identify the “heavy users”. Neal stated that the largest impact would be in the grade center component. He continued that the project team would target heavy users of that subsystem as a proxy for overall usage. The current system does not otherwise provide an easy way to identify the “heavy users.”

Samantha Earp asked if the grade book that Neal demonstrated was the primary Blackboard function used by faculty. Neal responded that approximately one third of faculty Blackboard users utilize the grade center feature. An ITAC member suggested that this grade book change could potentially generate more users. Some ITAC members suggested that the grade book was the only feature they used. Terry added that the functionality would be best if faculty could submit grades directly from the grade center to the registrar. Neal stated that was on ongoing conversation.

Neal then offered a demonstration of Blackboard version 8, demonstrating that the user interface was quite similar; the demonstration focused on grade center, which has added a number of features to make the tool easier for users.

John Board asked about any migration concerns, specifically as pertains to the importing of existing courses. Neal stated that there have been no unexpected issues with migration testing, specifically as it pertains to course imports. In addition, other universities that are Blackboard customers have described smooth transitions.

Terry asked about a challenge with the tracking statistic feature, specifically, experiencing an apparent non-response from the system when requesting to “show tracking statistics”. Neal responded that sometimes large class sizes can make that process slower. He continued that this behavior could occur for very large sets of data, such as large class sizes, or undefined date ranges. Terry acknowledged that he has not historically set date ranges. Neal recommended setting date ranges to restrict the data search. Neal added that the volume of data for course statistics would complicate the migration; therefore, tracking statistic data will be truncated as part of the migration. An ITAC member asked if the ranges could be set as a default. Neal said he did not know.

Kathy Pfeiffer asked if members felt that more faculty would use the Blackboard grading component if a more streamlined way of adding grades existed. Members present agreed that would be desirable.

Security Vulnerability Testing (Paul Horner)

Tracy introduced the security vulnerability presentation by noting the growing awareness of risk introduced through security vulnerabilities. Paul Horner is currently on assignment to the university audit’s unit. Mark Phillips, a colleague of Paul’s, has been involved in this effort and has been attending ITAC.

Tracy added that given the distributed nature of a university, there needs to be a balanced approach to security scanning and remediation; however, that approach needs increased guidance over previous years due to the increased threat posed by the Internet.

She noted that the new Information Security Steering Committee (ISSC) convened last year. This membership of this group includes the Provost, Executive Vice President, and the Vice Chancellor of the Health System to address governance issues and recognize that security issues are cross-Duke issues. Paul is working with the ISSC as Duke continues the IT security officer search. Paul’s talk today is specifically about security vulnerability scanning, which Duke as been doing for a number of years, Tracy noted; however, Paul will speak today to a new focus on responsibility of machine administrators for remediating identified vulnerable, she added.

Paul said that the ISSC requested the creation of comprehensive vulnerability management program. The response to the scanning today is voluntary. The new element in this policy is to require that the groups responsible for vulnerable machines respond to the scan results..

An ITAC member asked if the scanning today is voluntary and this proposal was to mandate the scanning. Paul clarified that the scanning is already network wide and centrally executed and will continue; however, the new element is getting a response stating next steps from the machine owners. Tracy added that current scans are limited by internal firewalls. The ISSC believes the scans need to be able to investigate behind firewalls, she said. Paul said that the ISSC draft procedure was sent to the security liaison group, and that afterward, the proposal should be made available for feedback.

Discussion ensued on technical details of the scanning.

Paul stated that the proposed procedure would be first to identify the stakeholders, along with their responsibilities. Next, these stakeholders would be provided with relevant reports so they can get a clear picture of their security environment, Paul said.

Paul described the current scanning process. The scanning software categorizes the weaknesses based on criticality. The software’s scan assesses the criticality of a vulnerability. In the March scan, the report generated will be limited to “Critical” and “High” risk items. Paul added that Medium risk items may be added to the April report. Terry asked if there were a parallel effort on the Health System, and Rafael Rodriguez confirmed there was.

Paul introduced two additional proposed reports. These may be run on request of the security liaison. Additionally, a scan that attempts to exploit vulnerabilities may be added; however, that may introduce some service interruption risk, Paul said. These last two reports will initially be run solely on request, Paul said. Klara added that OIT has performed these scans on its own server class systems and has learned valuable information. These scans would be coordinated effort between the security office and the machine owners.

Paul identified the roles of various stakeholders. Specifically:

CIOs, VPs, and Deans would set the strategy for vulnerability management in their own areas.
ISSC is a governance group.
The IT Security Office is available as a resource. Potentially, the ITSO would provide customization and support.

An ITAC member asked in what manner deans would be involved in specific, technical scanning decisions. Tracy stated that this type of feedback is what the group wanted. Tracy expanded that not every vulnerability has to be mitigated, but the risk must at least be documented. At this level, the Deans would be involved in making decisions about risk management, not necessarily the specific machine remediation.

Robert Wolpert asked if test members had been identified. Tracy responded that a measured pilot process is a very good idea. Paul added that a subset of the security liaisons group might be a good starting point. Another question was whether there would be an effort to address large issues en masse rather than as one offs. Paul responded that the ITSO is certainly available as a resource. In some cases, administrators may not be able to fully test something before deployment. Maybe resources could be pooled to test deployments, Paul added. Klara added that the BigFix and Linux@Duke efforts are possible initiatives to build on.

Susan Gerbeth-Jones asked who was on the ISSC. Tracy enumerated the members.

Paul stated that most security liaisons come from three constituent groups: subnet owners, machine owners, and custodians. These groups would receive the security reports, assess them, and recommend next actions.

Paul described the mandatory report process. The scans are spread over 4 nights and sent to the individuals who the ISSC has identified as the responsible party. Within the first week, the individuals contacted should confirm ownership. Within the second week, the responsible group should communicate planned activity or acceptance, he said. These responses would be rolled up into a monthly report. In addition, a quarterly report would be sent to the CIOs, Deans, and VPs with a summary of vulnerability information by organization.

An ITAC member asked about machines that are off at the time the scans are run, as well as required responses from staff members that may be away from the office. Paul responded that there is no current plan for this.

John Board asked about the impact on student machines. Tracy clarified our focus is on administrative computers. Klara added that email providers sometimes blacklist Duke because of spam received by those providers. She noted for consideration the operational impact to Duke business to rectify that matter.

Terry added that Duke owns the network address, even if they do not own the machine. Bryan Fleming added that some students might welcome this proactive vulnerability help. Rafael questioned if machine scanning is the most effective way to address the spamming issue. Andrew Tutt proposed that student machines might suffer more from behavior-driven infections than vulnerabilities that were exploited. Klara added that Duke has Intrusion Detection System and Intrusion Prevention System (IDS/IPS) solutions to minimize the risk of incoming vulnerabilities. Ed Gomes added that the issue was not one of intent, it was one of results. Robert Wolpert concurred with Terry’s assessment that the network address is the ultimate issue. Bryan suggested that maybe the Netreg scan could occur each time one connects to the network, not just the initial time. Andrew clarified his earlier comment by stating that vulnerability scanning might overlook another significant security risk – that is, user behavior.

Klara summed up that IDS/IPS, phishing attack scanning, and user education are all additional parts of Duke’s holistic vulnerability mitigation program. Rafael stated that the IDS/IPS systems generate a great deal of data that require a heavy resource commitment.

Terry raised the question of a researcher with a networked Windows 3.1 system as an example to confirm that such would be a permanent vulnerability if it was on the network. Rafael and Klara suggested that machine might require a mitigated solution, such as putting it on a private network. Terry voiced a concern that some equipment manufacturers (particularly for scientific equipment) require older operating systems. This equipment must be accessible across the network. Rafael suggested that one would need to think through all the different layers of a system, including hardware, operating system, database, and application(s). Tracy clarified that in Terry’s case, the risk assessment and acceptance would need to be documented.

Bryan stated that one of the concerns is the overhead to OIT to have the students’ machines exploited. He suggested adding students’ machines to the scan. Bryan asked what the liability of students in this situation would be.

ViewsFlash Update (Samantha Earp, Ed Gomes)

Ed G. described ViewsFlash as a survey tool originally setup as a pilot. Duke is currently three versions behind. The user community, made up of students, faculty, and staff, is anxious to get the system upgraded to the current version. This will provide additional functionality. Ed was appointed as the ViewsFlash functional owner with Stephanie Dott as the Project Manager.

The project team stood up a development implementation of the latest version and migrated data to it, Ed said. Some initial testing with select groups of the upgraded tool has occurred and has foun minimal issues. The scope of the original testing has expanded to some larger groups. The second round of testing is ongoing and looks positive.

Assuming the testing remains positive, the project team targets the first week of April to upgrade. Ed mentioned that Steve O’Donnell is involved in helping craft the communication plan. Ed stated that some embedded surveys currently in production would require that the current version run in parallel with the new version as the team works to migrate the embedded surveys; therefore, both versions will run in parallel through the end of December 2009.

Samantha Earp stated the training and support plan is still being finalized. In addition, the team will work to collaborate with the power users. The historical support model has been one of “community support.” Samantha will work with Ed and Stephanie to refine the support processes.

Terry asked what the demographic usage is. Ed stated that it is varied. He continued that approximately forty percent of the survey administrators are students. There are surveys used in the School of Medicine as well.

Terry asked whether one of the goals of this effort is to increase adoption versus freely available Internet versions. Ed said that conversation took place among the team. Primarily, the group recognized that the existing ViewsFlash survey tool had to be upgraded, Ed said. One of the key advantages of using the ViewsFlash solution for customers is its ability to require (and integration with) Duke authentication. Terry highlighted that some other tools are very intuitive and require no training. Lynne O’Brien volunteered that ViewsFlash is “easy to use.” Bryan stated that one of his concerns over solutions other than ViewsFlash is that external organizations require that the user provide some personal information.

Unity Voicemail Deletion Guidelines (Bob Johnson)

Bob Johnson stated that there is currently no policy on purging deleted voicemails. There is a risk for users who believe they have deleted messages which, in fact, will remain in perpetuity. In addition, with the convergence of voice and data, resources will continue to be an issue. Bob proposed that deleted voicemails be purged after thirty days.

Paolo Mangiafico stated that he assumed deleted voicemails immediately went away. Ginny Cake concurred. Rafael added that cell phone companies already purge deleted voicemails after seven days.

Klara said that 30 days would be the same as the central email policy. Mark McCahill contributed that mirroring Unity’s purge schedule with the purge schedule for email would make long-term alignment of the converging systems easier.

No objections were heard to the policy proposal.