Common Systems Group (CSG)

October 24, 2006
Meeting Summary

CSG Attendees: Julie Austin, Paul Craft, Jim Davis, Steve Duim, Jackson Jeng, Bill Jepson, Max Kopelevich, Michelle Lew, Kathleen O’Kane, Sean Pine, Tom Phelan, Terry Ryan, Mike Schilling, Marsha Smith, David Snow, Mike Van Norman, Don Worth

Reports:

  1. Next Generation Network Update

    Marsha Smith gave an update on the Next Generation Network Principles and Process document. CSG discussed #3, how Repositioning Funds would be used, and #7, the process by which people can ask for funding. Changes to these reflect input from ITPB and ITFOC.

    • Repositioning funds should be used to complement an existing funding base. The corollary is that repositioning funds should not be used as replacement funds for lost or reassigned funds in a capital project (as an example). Building upon an existing base, repositioning funds should be used to position the project to align with the next generation network criteria and eventual architecture.
    • The call letter for networking projects should come from the Chancellor’s annual strategic planning and budget process.

    The ratio of other resources to Repositioning Funds for Next Generation Network projects was discussed. Steve Olsen’s office will most likely determine the ratio. There may be no hard ratio, but rather guidelines and the ability to fund each project based upon unique needs.

  2. Major Topics from Next Generation Network meeting on 10/18/06

    Marsha Smith reviewed the meeting summary from the October NGN meeting. The document included major areas to be used as the first level scoping design criteria that will evolve the Next Generation Network model.

    Actions:

    • CSG and the CCC are to provide input on this document at the November CSG meeting. This input will go to the NGN team.

  3. UCLA Computer Support Guidelines

    Jackie Reynolds has submitted a “Guidelines Document” draft for review, based upon ITPB feedback. OIT recommends that a small work group be formed to review, edit and make recommendations back to CSG and then to ITPB.

    Actions:

    • Paul Craft (or designate), Julie Austin (or designate) and Mike Lee (designated by Tom Phelan) will participate in the work group.
    • The work group’s work will come back to the CSG and then go to the ITPB.

Agenda Topics:

  1. Policy and Guidelines on Stewardship of Electronic Information Resources

    Jim Davis reviewed and highlighted the main points of the University of California Policy on Stewardship of Electronic Information Resources Draft and conferred on selected topics. Points were introduced at this meeting, and discussion will continue before the draft is presented for final review. The document has already been taken to the CITI and the privacy board and will soon be reviewed by the ITPB and UC Senate. Any additional feedback from CSG members should be sent to Jim Davis by mid-November.

    The bullet points below represent discussion points from both the CITI and CSG meetings:

    • UCLA should produce clear documentation that interprets and responds appropriately to these guidelines from an institutional view.
    • We need an inventory of protected information. We then need to focus security plans and policy in those key protected areas and ensure that the staff are acting according to the security policy through training and certification.
    • The document is written from a business and risk management perspective, without much comment on the mission of research and education and the need to balance security and privacy against the overarching requirement that universities remain open for faculty and students to access and share information.
    • The document should be explicit about the types of data within its scope.
    • We need to understand where the real vulnerabilities exist. An inventory of the entire campus could take years and end up not addressing the real problems in a timely way.
    • We need to develop best practices to which individual units can respond.
    • The single biggest factor facing every campus is “securing and protecting” the desktop computer that connects into the campus network.
    • There needs to be visibility into the networks (as of now, we only see a small percentage of ports). Due to the low visibility, there may be unintended consequences, such as the shutting down of whole subnets rather than one compromised host when an attack occurs.
    • Some network firewalls are being implemented in a “sledgehammer” way: doing the job of protecting, but in the process effectively shutting down “open” networks for access and sharing of services. UCLA needs to find the right security model that allows access and data sharing to be unrestricted, while reducing the risks of attacks. As of now, it is easier to put up a firewall and thus restrict a network than to ensure that every host (computer or server) is protected with up-to-date software patches and virus checking.
    • There is increased pressure on Information Technology (IT) staff to implement these policies and guidelines. CSG discussed the idea of providing cover/protection for staff members who practice all due diligence but are vulnerable to circumstances beyond their control.
    • Paul Craft of External Affairs has done a great deal of work to create a “Basic Security 101”, which can be leveraged for the requirements in training.

    Recommendations:

    • In response to Section 3A (page 2): Information Management Planning, which deals with electronic information security, continuity planning and disaster recovery, and Section 6 (page 7): Continuity Planning and Disaster Recovery, CITI has agreed to proceed with a disaster recovery plan that extends outside central systems into all mission critical systems on campus, represented by all Vice Chancellor operations. Don Worth is leading a working group of data owners to conduct comprehensive planning, resulting in coordinated planning and implementation. Research and educational data will not be addressed, but there is a need to begin a discussion on how to scope such an effort.

    In terms of campus oversight (3B, page 2), UCLA is well positioned with various governance groups that are dealing with security policy, including the Privacy Board, Data Council, Applied Security Task Force, IRB, CITI, ITPB, and various FERPA and HIPAA groups. The need, however, is to connect the activities of these groups to better understand the roles and responsibilities of each, and then to better integrate an institutional view and response around the topic of “stewardship of electronic information resources”. It was recommended that Ross Bollen, the UCLA IT Security Officer reporting to OIT, be charged to bring together this institutional view and response.

    • For Section 3B (page 3): Inventory and Classification of Electronic Information, Davis proposed that we build upon the existing Data Council to take the action planning. This will require a re-definition of the group’s role and scope of responsibility.
    • Purchasing should be brought in to support the response to Section 3C (page 3): “Inventory and Classification of Electronic Information”, “Release and Disclosure” regarding vendors, minimum requirements for network connectivity, and encryption.
    • It was recommended that Ross Bollens, UCLA IT Security Director, convene working groups to respond to Section 4A (page 5): Campus Information Security Program, which asks each campus to establish information security programs that include risk assessment, security measures, incident response planning, security awareness training and education, and appropriate review of agreements for compliance with federal, state and university policy. One of the first goals should be to map out people/groups by roles and accountability.
    • CSG recommended that IT Security Officers from their corresponding units be used to begin the response to Section 7 (page 8): Common IT Architecture.

    Actions:  

    • Additional CSG comments should be sent to Jim Davis by mid-November.

Meeting Schedule for Remainder of 2006:

November 28 2:00 - 4:00 2121 Murphy
December 19 2:00 - 4:00 2325 Murphy