Information Te c h n o l o g y Newsletter Volume 6, Issue 1, October 2011 It has definitely been a year full of constant changes and challenges. With so many projects and initiatives, every day is exciting. With this in mind, I would like to begin by taking this opportunity to express my sincere appreciation to all of the staff of Information Technology. Their hard work and dedicated service maintain the incredibly complex systems that support every student, faculty member and staff member in this college. Well Done! October is National Cyber Security Awareness Month. Microsoft and the National Cyber Security Alliance (NCSA) have teamed up with the Department of Homeland Security (DHS) again this year to help increase awareness about Internet security issues and to educate people about how to help protect themselves and their devices. Check out the articles inside for valuable information provided by Richard Buller and Richard Becker. Please take a moment to share in our successes and our plans for the future. Read how each campus will have its own connection to the Internet and with increased bandwidth, data will move even faster than before. Learn how Records Management helps EPCC Go Green! Celebrate with us as we recognize milestones. Jenny Giron, Ph.D. CIO/Vice President, IT Contents Plain Talk . . . . . . . . . . . . . . . . . . . . 2 Increased Bandwidth. . . . . . . . . . . . 2 When you cross the street, you look both ways so make sure it’s safe. Staying safe on the Internet is similar. It takes some common sense steps. The Best Place To Start Stop: Before you use the Internet, take time to understand the risks and learn how to spot potential problems. Records Management Accreditation Process. . . . . . . . . . . 3 Review and Rehabilitation of Banner Access . . . . . . . . . . . . . . . . . . . . . . 3 Technology Enhanced Classrooms. 4 Think: Take a moment to be certain the path ahead is clear. Watch for warning signs and consider how your actions online could impact your safety, or your family’s. 20th Anniversary!. . . . . . . . . . . . . . 4 Connect: Enjoy the Internet with greater confidence, knowing you’ve taken the right steps to safeguard yourself and your computer. Financial Aid & State Reporting. . . 5 STOP. THINK. CONNECT. Protect yourself and help keep the web a safer place for everyone. More tips and advice at http://stopthinkconnect.org. EDI. . . . . . . . . . . . . . . . . . . . . . . . . 4 What is Least Privilege Concept?. . 5 Case Management System . . . . . . . 5 ID Thieves are coming!. . . . . . . . . .6 MyMathLab . . . . . . . . . . . . . . . . . . 6 Database Administration. . . . . . . . . 6 Published by Information Technology, Page 1 El Paso County Community College District does not discriminate on the basis of race, color, national origin, religion, gender, age or disability. Plain Talk Richard Buller, Chief Information Security Officer Why you should not give your username and password to anyone! Note: The griffin, a fabulous animal half eagle and half lion, is symbolic of wisdom and inspiration. The role of the griffin as guardian of treasure is symbolic of the Information Security Program’s responsibility to promote safeguarding the sensitive institutional and student and employee personally identifiable information of El Paso Community College. Stop-Think-Connect Tip #1: Keep a Clean Machine. Osvaldo Luna Media Services Coordinator Employee of the Month September 2010 Rio Grande Keep security software current: Having the latest security software, web browser, and operating system are the best defenses against viruses, malware, and other online threats. Automate software updates: Many software programs will automatically connect and update to defend against known risks. Turn on automatic updates if that's an available option. Protect all devices that connect to the Internet: Along with computers, smart phones, gaming systems, and other web-enabled devices also need protection from viruses and malware. Plug & scan: "USBs" and other external devices can be infected by viruses and malware. Use your security software to scan them. (from stopthinkconnect.org) Increased Bandwidth ISPs (Internet Service Providers) in order to provide redundancy and backup. In the event that one ISP fails, the entire College’s Internet traffic is routed to the other ISP within milliseconds. The new design will consist of an Internet bandwidth increase to a total of 600 Mbps of Internet bandwidth. Furthermore, a 100 Mbps Internet bandwidth connection will be delivered at each campus. This will provide autonomous Internet service as well as redundancy. In the event of an Internet service outage at a campus, the new design will be configured to reroute the service to College backup Internet connection. In addition, the College will continue to have a separate ISP providing 100 Mbps backup Internet connection for redundancy and reliability. This will improve the experience and performance for students, faculty and staff with their online, cloud computing and hosted applications. Elbert Hubbard T h e emergence of cloud computing, S a a S (Software as Marco Fernandez, Executive Director a Service), and hosted services have increased the demand on the College’s Internet bandwidth. To address this, the Network Systems department has been working on engineering a new design to increase Internet bandwidth in the District. Currently, the College has a total of 200 Mbps of Internet bandwidth for the entire District. This is delivered at two different campuses (ASC and RG) with each having one 100 Mbps connection. Each 100 Mbps connection is shared by three campuses. These two connections are provided by two different One machine can do the work of fifty ordinary men. No machine can do the work of one extraordinary man. Someone asks you to let them use your username and password for “just a minute.” Perhaps you write your EPCC computer credentials on a slip of paper for your children to use in the library while you are in class – and it is left behind on the computer they used. Maybe you have given your always forgetful friend your logon information which they have loaned to others. Once others have your computer, network, database or program access credentials, they can change your password and you will no longer own these accounts. You will not be able to use EPCC computer and Network Services. You will have to present yourself and prove your identity at the EPCC Service Center, the Office of the Registrar, or an Academic Computer System lab to have the opportunity to regain control of your account. Others can use your account to commit crimes; perform acts that violate EPCC policies, procedures and standards; discredit your reputation and that of the College; or compromise your identity. Everything done under your account, no matter by whom, is the responsibility of the account owner – you! Can you trust the persons to whom you gave your username and password to not pass it on to their friends? Giving your username and password to a minor could result in criminal charges should the minor’s parents be not so understanding. We can draw a parallel between doing this and purchasing beer for persons less than 21 years of age. In the wrong hands, your credentials could be used to compromise sensitive personally identifiable information, personal identities of students and employees of EPCC. Protecting your username(s) and password(s) is as important as securing your credit or debit cards and other bank information. Do not give them to anyone and change your password regularly! Page 2 It is only when they go wrong that machines remind you how powerful they are. Clive James Page 3 Records Management Accreditation Process With the forthcoming review of EPCC by the Southern Association of Colleges and Schools (SACS), Records Management is keeping very busy working in many areas of the College District to comply with a SACS requirement to provide documentation electronically to the SACS reviewers located in different parts of the country through a safe and secure web access. It is the responsibility of Records Management to work closely with other members of the SACS Team to gather and create programs that image and manage all documentation required by SACS. Those documents will be ready and available for review next year. Bonnie Prieto, Director Many key areas such as the Financial Aid Office, the Registrar Office, Comptrollers, Counselors, Early High School, to name only a few, are already practicing this form of technology to better serve our students, faculty and staff. After the accreditation process is complete, the College will have not only complied with a new SACS initiative of providing digitized information, but, from this point forward, will carry on with this technology in conducting day to day business on a permanent basis. This technology will facilitate a smoother transition of information through Share Point. Stop-Think-Connect Tip #2: Protect Your Personal Information. Secure your accounts: Ask for protection beyond passwords. Many account providers now offer additional ways for you verify who you are before you conduct business on that site. Make passwords long and strong: Combine capital and lowercase letters with numbers and symbols to create a more secure password. Unique account, unique password: Separate passwords for every account helps to thwart cybercriminals. Write it down and keep it safe: Everyone can forget a password. Keep a list that’s stored in a safe, secure place away from your computer. Own your online presence: When available, set the privacy and security settings on websites to your comfort level for information sharing. It’s ok to limit who you share information with. Review & Rehabilitation of Banner Access Richard Becker, Security Analyst Banner © is going through a bit of rehabilitation these days. SunGard’s© Banner© is El Paso Community College’s (EPCC) Enterprise Resource Planning (ERP) system. We use Banner© for tracking requisitions and purchases, scheduling classes, assigning faculty to classes, running payroll, performing accounts payable and receivable (AP/AR) activities, and many other tasks that assist all of us in achieving the mission and vision of EPCC. Each user who needs to perform their job specific functions using Banner© is enabled to do so by assigning classes and objects to their Banner© account. Briefly, objects are the individual forms, processes, and reports that we use to perform our job tasks. To reduce the amount of user maintenance, these individual objects are lumped together into classes, relating to requisitions, payroll, faculty, AP/AR, and the like, and then these classes are assigned to a user account, as needed. Sergio Ramos Media Services Coordinator Employee of the Month February 2011 Valle Verde Over the years, the access to these classes and objects by EPCC staff have become bloated and overreaching, thus raising concerns for the security of the information within the Banner© system. How did this occur? Over the years, when staff moved to a new position or to another department, new job related classes and objects were added to their accounts and their previous job related classes were not always removed. To eliminate the concern of unnecessary access and improve information security, EPCC has embarked on the Banner© Access Rehabilitation Project. The project’s primary goal is to clean-up and remove unnecessary access, which has led to many layers of duplication in user access. This clean-up will have the added benefit of better protecting the information within the system. All departments will go through this project of evaluating, testing, and implementing streamlined classes. EPCC is starting with the Purchasing, General Accounting, Payroll, and Accounts Payable departments. The Information Security (InfoSec) Program of EPCC looks forward to working with each department on this project. New! TechnologyEnhanced Classrooms Stop-Think-Connect Tip #3: Connect with Care. David Licano Systems Administrator Employee of the Month July 2011 Administrative Service Center When in doubt, throw it out: Links in email, tweets, posts, and online advertising are often the way cybercriminals compromise your computer. If it looks suspicious, even if you know the source, it's best to delete or if appropriate, mark as junk email. Get savvy about Wi-Fi hotspots: Limit the type of business you conduct and adjust the security settings on your device to limit who can access your machine. Protect your $$: When banking and shopping, check to be sure the sites is security enabled. Look for web addresses with "https://" or "shttp://", which means the site takes extra measures to help secure your information. "Http://" is not secure. EDI The EDI system allows criteria outlined in the TREx EPCC and UTEP to send Checklist on SPEEDE’s (Electronic Data Interchange) and receive transcripts and website. We are currently applications electronically. Gary Chacon, Executive Director working with thirteen other EPCC has TREx Certified high schools to TREx Certify thirteen area high schools. After a high school is TREx their institutions. EPCC developed a process to upload the Certified, they can send transcripts electronically via EDI high school transcripts into Banner. EPCC has added four to any college or university listed as ready to receive on colleges and universities to EDI production which now SPEEDE’s website and eliminate sending paper copies totals six. This means that EPCC can send and receive of the transcripts. SPEEDE is the UT at Austin server EDI transcripts with these institutions instead of paper that electronic transcripts and applications are processed copies. We are currently testing sending and receiving through. EDI transcripts with sixteen colleges and universities. The TREx Certification involves checking to make Support team for the EDI system are EDI Programmer sure that the information sent on the EDI transcripts analyst Kent Hurtig, development support provided by matches 100% when compared to the official paper Senior Programmer analyst Bobby Morrow and project copies. The information also has to comply with the management support by Yvette Mottley. 20th Anniversary of Mature Living Show EPCC-TV began producing the Mature Living Show in the fall of 1991 and this year marks the 20th year anniversary for the show. This year, co-producers Marco Lara and Mary Yanez designed a brand new look to the show with the set and Patrick Ebert, Manager furnishings. Mary Yanez, the hostess for the show, said “It’s been quite a ride over the last 20 years” and “I must thank and express my appreciation to all of the people who have had anything to do with our production over the years. Some have come and gone, but if it had not been for them, it would not have happened. And, of course, thanks to Dr. Jenny Girón for allowing us to be creative and for being so supportive.” It’s impossible to move, to live, to operate at any level without leaving traces, bits, seemingly meaningless fragments of personal information. William Gibson During Spring 2011, the Instructional Media Services with the guidance of Dr. Raul Munoz implemented 78 new technologyenhanced classrooms district wide. Five of these rooms are ADA fully automated podiums. There is one on each campus. What is different about these, you might ask? Well, they are stream lined to take up less space in the classroom. The podiums do not have a touch panel; you operate these by using the PC, mouse, and monitor mounted on the podiums. Use your active directory username and password to log-on to the PC, double-click X-Panel icon. Using the mouse, Nancy Gamez, Manager, Media Services click the system power on. Select the desired source and that is it (NOTE: don’t forget to poweroff the system before logging-off the PC). What resources do you have in these podiums? PC, keyboard/mouse, monitor, Document Camera, Blu-ray DVD player only, LCD projector, ceiling mounted speakers, electric screen, and Laptop connections (NOTE: you still need to log-on to the PC to select the laptop). Page 4 What is the “Least Privilege” Concept Ben Shneiderman (2002) Successful Technologies are those that are in harmony with end user’s needs Richard Buller, Chief Information Security Officer Page 5 The principle of “least privilege” (PoLP), also called “Least-privileged User Account” (LUA), promotes minimizing user privileges on computers based on the user’s job needs. The objective is to support the least authority necessary to perform one’s duties. The concept of “least privilege” is being implemented at EPCC by removing full administrative rights from the global profiles on all our computers. When a user is a “standard” user in a Windows PC, over 90% of all attacks are prevented! That is a compelling reason to move away from every user having admin rights! Having administrative rights gives users complete and total control over the security of their desktops - a situation that is far from ideal but has been very common for many years. While it is dangerous enough for users to have full control because of the opportunity to violate College policy for software use and for abuse of workplace rules, it becomes catastrophic when spyware enters that computer or is encountered during Web surfing or through Jesse Salas Media Services Coordinator Employee of the Month September, 2011 Transmountain No pressure here except for the fact that state and federal funds are a major funding source for our students and institution. Gary Chacon, Executive Director IT has two teams that provide technical support for both the Financial Aid and Institutional Research departments. Doug Schirmer and Dalila Chavez support Institutional Research and State reporting requirements. Fred Ornelas and Debbie Sweet are part of the technical support team for Financial Aid. As part of a cross training effort, Bobby Morrow recently joined the Financial Aid technical support team and is also assisting with Financial Aid projects. Both teams are constantly working on new regulation modifications or fine tuning processes related to the submission of data files and reports. Deadlines and accuracy associated with these submissions are very critical. Both of these teams are highly skilled in what they do and work year round with the department functional users from each area to provide the most accurate and reportable data in a timely manner. Financial Aid and State Reporting email messages. Removing admin rights helps eliminate the accidental or deliberate misuse of these privileges, decreases the risks posed by malicious software and reduces the cost of supporting the desktop computer. In general terms, our implementation and governance plan will progress like this: First, we will map job functions to privileges on IT assets (based on the tasks associated with a job position). Second, no guest accounts will receive extended authorities – privileges will be restricted to only the specific roles and accounts that need them. Finally, Information Technology will use a software tool to extend additional, tailored rights for those with specific needs. Information Technology has procured Beyond Trust’s PowerBroker software package to help us manage this much more secure environment while meeting the mission needs of each employee and department. Once the implementation begins, we will provide a template for anyone to complete to describe the duties they cannot perform under PoLP (or LUA). After confirmation and approval by the supervisory channel and a risk assessment, the necessary authorities will be added to all computers serving users having those same job tasks. Then we will all be in a much more secure computing environment! Stop-Think-Connect Tip #4: Be Web Wise. Stay current. Keep pace with new ways to stay safe online. Check trusted websites for the latest information, and share with friends, family, and colleagues and encourage them to be web wise. Think before you act: Be wary of communications that implore you to act immediately, offers something that sounds too good to be true, or asks for personal information. Back it up: Protect your valuable work, music, photos, and other digital information by making an electronic copy and storing it safely. Case Management System Gary Chacon, Executive Director EPCC received a Bill Gates Foundation grant that lead to developing a case management system. Senior programmer Analyst Yvonne Almanza worked with the Student Success Prep program staff, Ruben Ochotorena and Luis Pratt to develop a Prep program case management system. The system was designed to document first-time-in-college developmental education student intervention activity and progress. The data tracked in this system was also used to produce reports that identify students for the Mentoring Program which utilizes EPCC Leadership Academy graduates as mentors. The ID Thieves are coming. The ID Thieves are coming. Too late!!! ID Thieves are Coming! Richard Becker, Security Analyst Security is always excessive until it’s not enough. Unlike Paul Revere warning us about the coming British invasion, the Information Security (InfoSec) program at El Paso Community College (EPCC) wants to warn you that the identity thieves are already here. So what is Identity Theft? Identity theft (ID theft) occurs when a lone individual or a group acquires and uses your personally identifiable information (PII) [such as your name, Social Security Number (SSN), Academic ID, financial institution information] without your permission to commit fraud or other crimes. ID theft is a crime that affects everyone. In 2009, 11 million individuals were victims by ID theft at a cost of $54 billion. This is a conservative victim count and dollar amount for 2009, and does not include the hidden costs that businesses pass on to us by implementing measures to prevent and recover from ID theft. ‘ You ask, “How can I protect myself?” Start by reviewing your credit reports annually. Report any discrepancies. Encourage your grown children to review their credit reports. Review your children’s credit reports. ID thieves can take out loans using your information or your children’s information, thus potentially ruining yours or your children’s credit. The three credit reporting agencies are Experian, TransUnion, and Equifax. Stagger your requests so that you receive, for example, your Experian credit report in February, your TransUnion credit report in June, and your Equifax credit report in October. You can even pay for credit rating reports from these same agencies. Educate yourself and always be vigilant when it comes to your personal and financial information. If you suspect you are a victim of ID theft be embarrassed later, take action quickly. Really, do not be embarrassed; ID theft can happen to anyone. Report your suspicions to your financial institutions and your local law enforcement agency. For more information visit http://ftc.gov/idtheft. MyMathLab is a series of online courses Gary Chacon, Executive Director that accompany Pearson’s textbooks in mathematics and statistics. Ernie Montero, Senior Programmer Analyst is working with EPCC faculty and Pearson technical staff to bridge student enrollment information between Banner and the MyMathLab system. It allows students the ability to use their EPCC user ID credentials in order to provide a seamless online educational experience. MyMathLab Stop-Think-Connect Tip #5: Be a Good Online Citizen. Safer for me more secure for all: What you do online has the potential to affect everyone – at home, at work and around the world. Practicing good online habits benefits the global digital community. Post only about others as you would have them post about you. Help the authorities fight cyber crime: Report stolen finances or identities and other cybercrime to www. ic3.gov (Internet Crime Complaint Center), the Federal Trade Commission at http://www.onguardonline.gov/filecomplaint.aspx (if it’s fraud), and to your local law enforcement or state attorney general as appropriate. IT Database Administrators, Edmundo Vasquez and Patti Sayers, work every day to make Banner systems secure, available, and upto-date. Last summer, they were both part of a Banner upgrade planning and implementation team that provided successful upgrades to the Gary Chacon, Executive Director Banner servers. This fall, they are moving our entire database systems and Banner software from older servers to new, more robust servers because they know our “need for speed”. Planning, research, and testing can take weeks for this type of event. The final production conversion is mostly conducted on weekends or holidays. The plan is to provide seamless secure availability, stability, and speed. Robbie Sinclair (n.d.) Database Administration Page 6