Common Systems Group (CSG)
Meeting Summary
Tuesday – January 23, 2007

CSG Members: Julie Austin, Ross Bollens, Paul Craft, Steve Duim, Bill Jepson, Carol King, Max Kopelevich, Michelle Lew, Kathleen O’Kane, Sean Pine, Tom Phelan, Stephen Schwartz for Terry Ryan, David Snow

Ex-Officio Members: Jim Davis, Nick Reddingius, Ruth Sabean, Mike Schilling, Marsha Smith, Tom Trappler, Kent Wada, Don Worth

  1. Security Actions

    Ross Bollens gave an update on the evolution of the Campus Security Program.  An RFQ from UCOP will be posted for web application scanners before the end of January.  The RFQ will enable UCLA to purchase products from web application vendors such as WebInspect and Watchfire.  AIS has purchased a WebInspect license and is already using it; a pre-RFQ agreement was negotiated with WebInspect and AIS will only pay what the eventual RFQ price will be.

    A Security Work Group has been formed to quickly create an RFQ for Audit Firms, Security Firms and System Integrators.  The four major units on campus known to possess PII/FERPA/HIPAA data collaborated in creating a common Scope of Work defining their environments; the units were Business and Administrative Services, Medical Sciences, External Affairs and Extension.  The RFQ should go out in early February.  Once companies respond to the RFQ, individual units across campus may contract with any of the vendors they believe best suit their needs.

    All notifications have gone out to individuals impacted by the UCLA Login ID compromise discovered during the investigation of the breach.  Individuals have either reset their passwords or have indicated that they indeed traveled to China.  It was emphasized that the best practices for avoiding future occurrences of compromised UCLA Login IDs are compliance with Policy 401: keep systems updated, keep anti-virus current and use host-based firewalls.

    The CTO of eEye is going to be on campus later in the week to discuss expanding the UCLA/eEye Pilot Project.  In the past the eEye scans were too intense and impacted some systems adversely.  The CTO has assured us that we can develop a series of scans that will not damage our systems and allow us to develop an Enterprise view of our campus’ resources and vulnerabilities. 

    It was also discussed that we will start to scan the campus using tools freely available on the Internet: every Linux installation comes with NMAP, Nessus is freely downloadable and used extensively by other institutions, and every Mac now comes with an internal scanner function.  Max Kopelevich also suggested looking into the tools Paketto Keiretsu and Core IMPACT.

    An inventory of all the campus’ Restricted Information is in process.  An inventory was completed in 2003, but that information is dated and needs to be brought up to date.  In all likelihood there will be two inventories.  The first will be a very simple questionnaire explicitly defining what PII, FERPA and HIPAA information is and, if you have it, asking for your IP address, who you are, and who your Security Breach Coordinator is.  The primary purpose of the first inventory is to locate machines that either have or use Restricted Information so that we can start scanning and inspecting them for security vulnerabilities.  The second inventory will be more detailed and will delve into why the data is where it is and why it is accessed from where it is.

    It was also mentioned that the ITLC has requested that a special Security and Privacy Subcommittee be formed so that Campus Security Officers can have methods of securely communicating time-critical information between the campuses.  A structure much like this already exists in the UCITPS and UCNetSec groups.  This matter will be addressed at next week’s UCITPS meeting.

    Mike Schilling reported that Bruin On Line has suspended the ability to make account changes using SSNs as an account authenticator.  Effective January 22, a challenge response has been added to all accounts which were established without selecting a challenge question and appropriate response.  The challenge response requires the user to provide his/her URSA PIN.  Users who selected a challenge question when setting up their account were unaffected.

    Mike advised the CSG that the University is seeking bids from three firms to address three areas of focus which include the audit function, security system integration, and straight system security function.  Awards will be made to multiple firms within the three areas.  Bidding firms will be evaluated based on billing rates and their ability to meet University requirements in the three focus areas.  The information from these assessments will be used to develop a security audit plan and to train staff.  Mike requested that members forward their comments to him or to Constance Jordan.

    Jim Davis requested that CSG members advise him of potential populations at risk within the University that may not have been addressed in reviews to date.  Areas that may need to be reviewed include the research community: units that hold patents, SSNs or census information, and the GSEIS longitudinal study are examples of areas which need further review.  He emphasized the value of speed combined with quality in self-review.

    A survey in the form of a simple questionnaire will be sent to CIOs, Deans and directors of units.  Surveys will also be sent to the CAO list.  The goal is to identify who has sensitive data or access to it; the information will provide specifics as to what each unit needs to look at from a scanning standpoint.

    Protected Information Reviews

    The UCLA Data Council is comprised of the functional owners of campus-wide data (people who can speak on policy and access rules).  Don Worth summarized the Data Council’s current agenda of establishing a policy regarding personal identification information for the University.  The discussion includes identifying where this information is stored, what it is and whether the University needs to keep it.  The goals of the Council are to take SSNs out of the data warehouse and to determine whether all SSNs can be eliminated except where needed for reporting to outside agencies.

    Kent Wada will be conducting a comprehensive inventory of the PII data on servers by organization.  The survey will determine how the information is updated, what applications have access to the databases, why the University keeps the information and how it is kept current.  In addition, work and data flows will be documented.  The evaluation of the data collected for this inventory will be used to create a draft proposal for the retention of PII and establishing an institutional policy regarding PII. 

    The issue of data owners who ask for PII and don’t track or protect it was discussed as an area that needs to be addressed.  Once the administrative areas are under control, the academic units need to be reviewed to identify areas which may need help.

  2. CITI Update

    Jim Davis gave an overview of CITI’s agenda for the current fiscal year and the role of CITI as it is separate from the budget process.  CITI’s role is to endorse and commit to providing shared and integrated environments for institutional services, platforms and web access/portal services; review project scope, process and campus impact for application integration projects; review and provide input regarding the impact and implications of campus systems and applications.

    This fiscal year, 2006-07, is a planning year for ongoing commitments.  Jim summarized the status of analysis and planning projects recently endorsed by CITI:  Disaster Recovery and Business Continuity Planning; Integrated Student Web Experience/Student Portal; Identity Management.  The Common Collaboration and Learning Environment (CCLE) and campus security review plans are slated to be discussed in the next two CITI meetings.

    One of the major issues before CITI is the question of how long UCLA can rely on the legacy systems.  The consultant’s report concluded that the legacy system for financial and student support systems can continue to operate and adequately meet the campus needs for one more seven- to ten-year cycle.  This issue requires further discussion to scope planning for the next generation system.

    There is no intended increase in TIF for established projects; eventually, however, the TIF will need to be re-evaluated.

  3. Common Collaborative Learning Environment

    Jim Davis and Ruth Sabean presented an update on the status of CCLE.  The work of the FCET and the CCLE as a concept was endorsed by ITPB at the December meeting and is positioned to move forward.  The selection of Moodle as a common platform for the campus to begin its work to provide a common learning experience was also endorsed.  A Project Oversight Group (POG) has been established to begin the work of detailed planning and pilot implementation.  The CCLE briefing document, which will be sent to the CSG, lays out a framework for the development of a detailed business and implementation plan and will be presented to the Chancellor, EVC and Deans.

    CSG input and recommendations:

    The CCC requests a greater leadership role, with accountability, in the planning and implementation of the CCLE.

  4. TIER Planning

    Marsha Smith made a presentation on the history of the Repositioning IT initiative which began as a campus effort to reduce costs and complexity in campus infrastructure services, consolidating a large number of independent physical networks, email systems, server rooms and data centers into fewer regions. As part of a response to the Chancellor’s 2003 request to reduce costs, the initiative emphasized the consolidation of infrastructure services primarily (but not exclusively) in administrative areas.

    A great deal has been accomplished under Repositioning that is foundational to our strategy for moving forward and is summarized in the document Introduction to TIER.  The document outlines the achievements made and those to be completed in the next six months under Repositioning IT.  While an emphasis on creating appropriate savings and efficiencies within administrative areas is generally a desired outcome, the Repositioning IT initiative (including its name) does not adequately define or reflect the efforts involved in designing IT infrastructure services for current and future educational and research requirements.  The TIER program, also outlined in the summary document, focuses on the future as we now move to design the next generation of infrastructure IT services core to UCLA’s primary mission of education and research.  While savings and consolidation opportunities are important under TIER, they are not the driving forces.  As we move out to the greater academic campus to support its primary mission, TIER will respond to the requirements for sustaining UCLA as a leader in education and research.

    New projects under TIER will be coming to ITPB for review in April.  Available TIER funding (approximately 2.1M annually) can support only a fraction of campus needs.  An ongoing discussion should begin with all appropriate governance groups (leading with ITFOC and ITPB) on the gaps between infrastructure requirements and funding.  We also must begin to look at a potential funding distribution model that includes an option for regionalization as an organizing and management framework:

    From the ITPB February 2005 Meeting – “The Repositioning IT Initiative leaves open the possibility of centralization AND regionalization of ‘common good’ services. If it is determined that some ‘common good’ services should be provisioned through a set of regions, the TIF will be applicable, i.e. the TIF can be applied to centralized or regionalized service delivery models.”

  5. Report Updates:

    Disaster Recovery
    Don Worth reported that money has been allocated by Steve Olsen for Disaster Recovery.  A contract worker has been hired to address emergency preparedness and to evaluate disaster recovery tools.  Bids have been requested from vendors to conduct a business impact analysis.  The contract will be awarded in early February with a start date in mid-March.

    Campus Data Warehouse
    Nick Reddingius reported that the Campus Data Warehouse Management Oversight Group (MOG) will meet on February 12 to address non-technical issues among the stakeholders.  Sean Pine expressed concern about how the user community could get assistance in extracting and understanding the data.  Nick advised that this is one of the issues that will be addressed at the February MOG meeting.

    Student Experience
    Nick Reddingius reported that the planning phase of the Student/Parent Integration Experience was approved at the January 9 CITI meeting.  The planning scope of the project has expanded due to broader participation than originally planned.  In six months a detailed plan of scope will be presented.

    EDIMI
    Ross Bollens reported that the committee will be meeting by the end of the month.