Common Systems Group (CSG)

 

April 26, 2005

Meeting Summary

 

 

 

CSG Attendees: Paul Craft, Steve Duim, Jason Frand, Bill Jepson, Robert Konishi, Max Kopelevich, Michelle Lew, Kathleen O’Kane, Tom Phelan, Sean Pine, Nick Reddingius, Terry Ryan, Ruth Sabean, Marsha Smith, Eric Splaver, Pam Taylor, Kent Wada, Esther Woo-Benjamin, Don Worth

 

Guests: Carol King (Grad Division), Mike Lee (PDP Participant), Tom Trappler (OIT)

 

 

Agenda

 

1)    UCLA Policy 411: Domain Names

 

A second vote on a revised Policy 411 was conducted by email, with the following results:

 

Did not Vote: 0

Abstain: 0

Not Approve: 0

Approve: 8

Approve with Caveats: 9

Caveats:

1.        The appeals section is still inadequate.  The appeals should be directed to the Associate Vice Chancellor of Information Technology, who, in consultation with other campus officials as appropriate, will make a final determination.  Having the head of the office that initially denies the request be the arbitrator doesn’t make sense.  I believe that Jim would certainly consult with the Vice Chancellor of External Affairs regarding the matter, but the one to make the determination must be impartial.

 

 

 

2.        I also suggest changing the form to solicit “reasons for denial” in the appropriate section.  The current dotted line really doesn’t imply that providing a reason is required.

 

 

 

3.        There needs to be clarification of what a "clear institutional reason" is for a campus entity to be denied its name.  For example, is the use of acronyms still a "clear institutional reason"?  The proposed policy does not clearly eliminate the possibility of arbitrariness that called it into question in the first place.

 

This vote forms the CSG’s recommendation to the ITPB on the proposed policy update. The recommendation will include written reports on the two positions regarding who should be the final decision maker on appeals to requests for domain names.

 

Actions:

·          During the meeting, Paul Craft and Kent Wada were asked to develop position papers addressing the caveat about which office has final decision-making. Subsequent to the meeting, it was decided that, because this constituted a change in policy and/or interpretation of the policy, the domain name policy should be taken back to the ITPB.

 

2)      Payment Card Industry (PCI) Data Security Standard

 

VISA and MasterCard have recently issued Payment Card Industry (PCI) security standards that all merchants must comply with by June of this year. Consequences for non-compliance can be serious. UCLA is being viewed as a single (3rd tier) entity, so non-compliance by any unit within UCLA will be treated as non-compliance by UCLA. Requirements for network security are higher than UCLA’s minimum security standards. Requirements for physical security are at the data center level. AIS has proposed a central service for collecting credit card numbers and is working with the external auditors to meet their requirements. OIT is taking the lead on the IT components of this issue and will be pulling together a group to work on solutions.

 

There was a comment that communication from department CAO/CFOs to their IT directors does not always happen (as in this case). There was a suggestion that IT directors be copied on memos (regarding issues that might have an IT component) to CAO/CFOs.  

 

3)      UCLA Policy 420: SB1386 (revised)

 

This policy has been updated to bring it into line with current practice. All updates are based on lessons learned from the 8 incidents at UCLA since July 2003. Kent Wada will be calling for an email vote on the revised policy. There was agreement that when voting by email, members should be given a minimum of 48 hours to cast their vote.

 

4)      UCLA Policy 401 - Minimum Security Standards - Implementation: ITPB direction

 

A vote was conducted by email, with the following results:

 

Did not vote: 0

Abstain: 1

Not Approve: 0

Approve: 15

Approve with Caveats: 1

Caveat:

I believe that the situation of student-owned computers attaching to the network either through wireless, dial-up and/or through a departmental wired connection should be addressed.

 

The ITPB and CSG have both approved these standards in principle. The next step is to send this draft policy to the campus for larger comment and review. The review will likely be a 30-day period. The implementation goal is still October 1, 2005.

 

5)      Policy for handling “restricted data”

 

There was agreement that a next step should be to develop a common definition of data types.

 

6)      Network Review Next Process Steps

 

a.      Marsha Smith explained the proposal to use the existing governance structure and process to analyze and respond to the network review report. The CSG (with involvement of other CIOs and technical staff across campus) would do a preliminary assessment for the ITPB. The ITPB would take the lead in tasking the existing IT committees or forming subgroups to do detailed analysis work or campus consultation. There was agreement that this structure makes sense. However, there was also concern that the ITPB and CITI are not representative bodies. The ITPB does not have significant representation from Deans. (Jim Davis will be working with the ITPB on a defined mechanism for direct involvement of the Deans.)

 

b.      There was a general discussion about the network review report. The following are some around-the-table comments and questions:

 

·         Some statements were vague (e.g. ‘adopt revolutionizing new technologies’).

·         There were no great revelations.

·         Where is the support for the statement that service levels are high? How do they know this? How representative was the community that was surveyed?

·         Who are our peers? Are we comparing apples to apples? Some are profit centers and some are cost centers. Classifications are made regardless of funding source.

·         A lot of issues are not network issues.

·         Build on core strength of campus – richness of expertise.

·         How do we have a more coordinated approach to basic infrastructure requirements while still preserving the strong local talent? Find ways to leverage local resources.

·         Look at wireless process – improve efficiency of process.

·         Diffused accountability is a problem. Need top down assessment of network for accountability.

·         A good starting point – (friendly) security audits, report cards, not witch hunts.

·         Need compromises that preserve 90% of each side’s needs.

·         Need a collective body viewing the whole campus (e.g. CSG).

·         Need to look at services.

·         Look across campus and identify those whose requirements aren’t being met.

·         Look at models on campus.

 

c.      There was a discussion about the draft Assessment Framework for the External Network Review Report document.

 

·         There was agreement with the ‘in scope’ and ‘out of scope’ approach.

·         There was agreement to form a steering committee to develop a charge and action plan to bring back to the May CSG meeting.

 

Actions:

·           Marsha agreed to call a steering committee meeting within the next two weeks. Every CSG member is welcome to attend.

·           Everyone is asked to provide input on the draft Assessment Framework document within the next two weeks (provide feedback on assumptions, scope, organization of document, groups).

 

 

Meeting Schedule for Remainder of 2005:

 

Tuesday, May 24, 2:00 – 4:00 p.m., 2121 Murphy

Tuesday, June 28, 2:00 – 4:00 p.m., 2121 Murphy

Tuesday, July 26, 2:00 – 4:00 p.m., 2121 Murphy

Tuesday, August 23, 2:00 – 4:00 p.m., 2121 Murphy

Tuesday, September 27, 2:00 – 4:00 p.m., 2121 Murphy

Tuesday, October 25, 2:00 – 4:00 p.m., 2121 Murphy

Tuesday, November 22, 2:00 – 4:00 p.m., 2121 Murphy

Tuesday, December 20, 2:00 – 4:00 p.m., 2121 Murphy