
Faculty Council Briefing

Faculty Council Briefing. Larry Conrad Stan Waddell VC for IT and CIO Exec Dir and Info. Security Officer January 14, 2011. Central and Distributed IT Services. The Role of CIO. The CIO role has two distinct aspects Division head for central IT (ITS)


Presentation Transcript


  1. Faculty Council Briefing Larry Conrad Stan Waddell VC for IT and CIO Exec Dir and Info. Security Officer January 14, 2011

  2. Central and Distributed IT Services

  3. The Role of CIO • The CIO role has two distinct aspects • Division head for central IT (ITS) • Overall responsibility for coordinating IT services across campus units • Provisioning a cohesive IT architecture • Providing campus-wide IT infrastructure • Campus-wide IT policies • Overall responsibility for IT security • Carolina Counts IT “champion”

  4. Key Services ITS Provides • Central IT infrastructure • Learning Management System • Centrally supported classrooms • Centrally supported computer labs • Research computing configurations • Enterprise applications, e.g., ConnectCarolina • Central Help Desk • 24/7 computer rooms • E-mail/calendaring

  5. Key Services ITS Provides • Central IT infrastructure • Hundreds of servers in the 3 ITS computer rooms • Networked attached storage • Server housing/hosting • Campus network • Campus telephone system • IT security office • CCI program • Software site licensing program

  6. Key Services ITS Provides • Central IT infrastructure • Campus directory services • Single sign-on environment • www.unc.edu

  7. Key Services Distributed IT Provides • Organizations such as OASIS in A&S • A spectrum of IT services • Some duplication of central services • Best at providing • Unit-/discipline-specific applications • Discipline-specific support • Faculty computer support • Coordination with central IT services to ensure seamless support to campus units • Partnership with ITS on IT security

  8. Key Services Distributed IT Provides • Central vs. distributed services • Certain services are best provided locally and some centrally (see the following “economic framework” graphic) • The focus of the Carolina Counts initiative is to allow campus units to leverage central services more effectively and where appropriate

  9. Proposed Model for Rebalancing Central vs. Distributed DRAFT

  10. Proposed Model for Rebalancing Central vs. Distributed DRAFT

  11. Cohesive IT Environment • ITS and distributed IT groups are working together • Coherent IT architecture for the campus • Comprehensive approach to IT security • IT policy development and compliance • Upgrade the Carolina IT infrastructure, which has lagged behind in recent years • Achieve the Carolina Counts IT objectives • Make the technology fade into the background…

  12. Major IT Initiatives • Modernizing the Carolina IT environment • New communications funding model • New research computing funding model • New IT governance structure for the campus • New enterprise systems base: ConnectCarolina (Student, Finance, HR) • Blackboard to Sakai transition • MS Exchange for e-mail and calendaring • Upgrade the campus network core and off campus connectivity to 10 Gb

  13. Major IT Initiatives • Modernizing the Carolina IT environment • Upgrade of the research computing cluster • Outsource student e-mail to MS Live@edu • Carolina Counts IT Partnership (Bain) • New cell phone stipend program • Improving information security • State Auditor information security findings • New information security policies • “It takes a village…” approach

  14. Information Security

  15. Information Security Level Set • Information Security deals with the protection of three characteristics of Data • Confidentiality – Keeping data private • Integrity – Keeping data accurate • Availability – Keeping data accessible (even in disasters)

  16. Carolina Under Attack! • Campus Wide • 30,000 attempted hacks per day • Thousands of systems have malware on them in any one year • ~1000 systems isolated a year • >30-60 systems forensically analyzed by ITS, Information Security per year • Hacker motivations and the perpetrators have changed

  17. Info Security Challenges • The decentralized nature of campus data • The open network at Carolina • The University is a valuable target in the eyes of the bad guys: “a destination resort” • These challenges force us to concentrate on securing sensitive information

  18. Definition of Sensitive Information • “Sensitive Information” includes all data, in its original and duplicate form, which contains: • “Personal Information” • Examples of Sensitive Information may include, but are not limited to: • Identifiable research data • Protected Health Information • Student records • Public safety information • Financial donor information • Information concerning select agents (controlled substances) • http://help.unc.edu/6475 Definition of Sensitive Data • http://help.unc.edu/6604 Legal References for Sensitive Data

  19. Information Security at UNC • Leadership from the CIO Office: the Chancellor’s vesting of responsibility for campus IT security with the CIO • ITS Information Security Office • Information Security Liaisons • Campus IT Professionals • Staff, Students, and Faculty • It takes a commitment from all of us

  20. Security Liaisons • They work with the ITS Info Security team • Each Department has at least one • They can help: • With reporting security incidents • Getting clarification on policy • Communicating information from the security office • Implementing policy • Help with general information security concerns

  21. Incident Management: What to do? • First, do no harm • Any time you suspect a critical system or one which hosts or processes sensitive data is compromised, STOP and do a critical Remedy ticket to ITS-Security.

  22. Vulnerability Management: Scanning and Patching • Systems storing sensitive information must be scanned for vulnerabilities at least monthly • Scans can identify missing patches and improperly configured services • Give guidance on how to remediate vulnerabilities • Identified vulnerabilities must be remediated • Critical: within 1 week • Medium: within a month of identification

  23. Mobile Devices • Mobile Devices that store sensitive information must be encrypted • Includes media (tape, thumb drives, external hard drives…) • Pretty Good Privacy (PGP) laptop encryption is available • Administratively funded • Can be installed by departmental support • Reduce risk of lost data due to forgotten passwords

  24. Mobile Devices Continued • Should be scanned for vulnerabilities • Should use the Sensitive version of Symantec End Point Protection (antivirus) • Should be authorized by the dean or department head • Must be patched and/or updated regularly (i.e. MS update for laptops or cellular provider system updates for smart phones)

  25. Info Security Policies • A long overdue policy base to operate from in protecting the campus • Information Security policy • Information Security Standards policy • General User Password policy • Sys. and Appl. Administrator Password policy • Transmission of Sensitive Information policy • Security Liaison policy • Vulnerability Management policy • Incident Management policy • Data Governance policy

  26. Highlight: Data Governance Policy • The policy defines the governance structure for management of institutional data and establishes procedures for data classification. • No one person or unit owns UNC Data • Groups should have processes in place for granting and revoking access to data • Eliminate data when it has reached the end of its retention period

  27. Highlight: Password Policy • Requires password complexity • Requires password expirations • Prohibits password sharing • Prohibits generic accounts • Requires changes in situations where the password may have been compromised • This applies to all passwords, not just the ONYEN

  28. What this means to faculty… • We all have a responsibility to protect the University and its data—particularly sensitive data • Policies apply campus wide • When in doubt ask (report issues) • Use strong passwords • Don’t surf web on machines with sensitive data • Patch and configure correctly (scan to verify) • Encrypt sensitive data and only use when needed • Ensure servers are supported/maintained by competent systems administrators

  29. Key Upcoming Projects • Systems Administrator Assessments • Ensure appropriate skills for Sys Admins • Identify servers storing sensitive information • Identify Service clusters which can provide systems administration support (fee based) • Campus Perimeter Firewall • Construct a workable strategy for enhancing security at the campus network border

  30. Contact Information • For issues involving system security, call 919-962-HELP or send e-mail to: security@unc.edu.

  31. QUESTIONS?
