IT Resource Management Plan
Last Reviewed: July 2014 (Version 1.1)

Planning Team
Division Vice President: Dr. Richard Walker
IT Resource Manager (IRM): Lawrence Daniel
IT Technology Manager (TM): Sam Nguyen
Information Security Officer (ISO): Le Nguyen

Revision History

| Version | Date | Description of Revisions | Revised By |
|---|---|---|---|
| 1.0 | 1/28/2014 | IRM Plan – Sections 1 and 2 | Rita Barrantes, Lawrence Daniel, Sam Nguyen |
| | 3/25/2014 | IRM Plan – Sections 3 through 5 | Rita Barrantes, Sam Nguyen, Lawrence Daniel |
| 1.1 | 3/28/2014 | All sections – IRM Review and Approval | Lawrence Daniel |
| | 7/8/2014 | All sections - Additional changes and revisions included | Rita Barrantes, Lawrence Daniel, Jana Chvatal |
| 1.1 | 7/14/2014 | UIT senior management team – Review and approval of all sections | Dennis Fouty, Arun Jain, David Johnson, Mary Dickerson |

TABLE OF CONTENTS

Introduction
Section 1: Division Environment
1.1 Overview
1.2 Mission / Vision Statement
1.3 Strategic Initiatives (2013-2018)
1.4 Executive Leadership Team
1.5 College/Division IT Roles and Responsibilities
1.6 IT Governance
1.7 Audience: Departments and Employee Counts
Section 2: College IT Environment
2.1 IT Organization – Goals
2.2 IT Organizational Chart
2.3 IT Service Catalog and Service Levels
Section 3: Risk and Service Continuity Management
3.1 Risk Management – Overview
3.2 Risk Management at the Division of Student Affairs & Enrollment Services
3.3 IT Service Continuity Management – Overview
3.4 IT Service Continuity Management at the Division of Student Affairs & Enrollment Services
Section 4: Resource Management
4.1 Resource Management - Overview
4.2 Lifecycle Management
4.3 Connecting devices to the UH Network
4.4 Data backup and Records retention
4.5 Education and Training
Section 5: Resource Security
5.1 Overview
5.2 Securing Information
5.3 Securing Desktops and Servers
Appendix A: Departmental Units part of DSAES and Headcounts
Appendix B: DSAIT Service Catalog
Appendix C: DSAIT Business Continuity Plan

INTRODUCTION

The purpose of the information technology resource management plan is to serve as a comprehensive manual with useful guidelines for technology administrators in the colleges/divisions to appropriately manage information technology resources within their units.

As outlined in the MAPP 10.03.06 related to College/Division responsibilities for information technology resources, each college/division is responsible for the administration and protection of its information technology resources and will develop departmental policies and procedures to address the use of information technology resources in the areas of: risk management, resource security, service continuity management, and resource management.
Each College/Division will assign the following roles for the management of information technology resources:

College/Division Information Resource Manager (C/D-IRM)
The C/D-IRM is the most senior administrator who is responsible for managing and securing the college or division’s Information Resources, including the related planning and compliance processes. This role is often filled by a college’s Assistant/Associate Dean or a division’s Assistant/Associate Vice President.

College/Division Technology Manager (C/D-TM)
The C/D-TM is an IT professional who is responsible for managing the college or division’s daily Information Technology operations. This role is often filled by a Director or Manager.

College/Division Information Security Officer (C/D-ISO)
The C/D-ISO is the employee responsible for managing the college or division’s information security function in accordance with the established policies and guidelines. This role is often filled by a Director or Manager.

SECTION 1: DIVISION ENVIRONMENT

1.1 OVERVIEW

The Division of Student Affairs and Enrollment Services (DSAES) includes 25 departmental units (see Appendix A). In July of 2013, the Division of Student Affairs (DSA) merged with Enrollment Services (ES), and became the Division of Student Affairs and Enrollment Services (DSAES).

A comprehensive IT assessment review was conducted for all departments in the Division of Student Affairs (DSA) in 2013, excluding Student Housing and Residential Life (SHRL) and Enrollment Services. SHRL was excluded from this technology review because it had been recently assessed as a separate unit before its and is currently under a separate service level agreement (SLA) with the University Information Technology (UIT) department, which covers support of all IT services.
Enrollment Services was not assessed because it was not part of the Division of Student Affairs prior to the technology assessment period. Current IT services continue to be provided by Enrollment Services IT personnel. Hence, this plan addresses the IT services and processes of a total of 19 departments, as listed in Appendix A.

1.2 MISSION / VISION STATEMENT

MISSION: The University of Houston’s DSAES cultivates an environment that facilitates student success through learning, discovery, and engagement.

VISION: DSAES will provide a nationally acclaimed student experience that results in a valuable impact on persistence and graduation.

VALUES: DSAES is committed to an ethic of care, including a commitment to civility and individual growth and learning, while holding firm and true to our core values:

Empowerment – We empower students and staff through programs, personal and professional development, and employment.
Transparency – We provide transparency of purpose with honesty and integrity.
Accountability – We are accountable to the provision of quality programs and services.
Diversity – We demonstrate and celebrate the intentional inclusion of others with various experiences and cultures.
Innovation – We expect innovation of ourselves as we develop cutting-edge programs and services that continuously strive for excellence and student success.
Collaboration – We embrace the spirit of collaboration through mutually beneficial partnerships on campus and in surrounding environments that foster the exchange of knowledge, resources and expertise.

1.3 STRATEGIC INITIATIVES (2013-2018)

1. Create new opportunities for student success through learning, engagement, and discovery.
• Develop a comprehensive First and Second Year Experience program inclusive of sequential, intentional, and structured co-curricular involvement opportunities.
• Establish supportive and advocacy-based programs and services for commuter, transfer, adult, nontraditional and graduate students.
• Develop a multi-year co-curricular leadership experience for students utilizing the concepts of leadership theory and self-discovery in partnership with Academic Affairs.
• Create a greater variety of student involvement initiatives that focus on the development of a vibrant campus life, including expanded evening and weekend programs.
• Develop learning communities intentionally connected to academic and student affairs programs to enhance student success in support of the growing residential campus.
• Develop new service learning initiatives that create opportunities for self-discovery and application of academic disciplines for students.

2. Actualize and leverage the fiscal, human, technological, and facility resources that enhance student experience.
• Establish protocols, guidelines and incentives in consultation with Human Resources to recruit, train and retain talented and skilled staff to best meet the needs of the students and to effectively implement Division programs and services.
• Execute an effective operating plan of existing fiscal, human, technological and facility resources in support of student success.
• Assess student employment and internship opportunities and explore, in partnership with Academic Affairs and Human Resources, options for increasing, enhancing and improving such opportunities.
• Create and implement a division-wide advancement and fundraising program in partnership with the Division of Advancement.
• Provide the highest quality customer service experience utilizing technology, training and resources to improve user satisfaction.

3. Foster the creation of a global learning community that actualizes and embraces inclusion while preparing students to become active citizens.
• Establish a division-wide standing committee focused on the assessment and creation of programs and services from a multicultural (intercultural) competency based lens.
• Establish co-curricular, globally focused initiatives that provide students with opportunities for engagement on campus, in our surrounding environments, and beyond.
• Explore and enhance multicultural-based collaborative programs with departments outside of the Division and in partnership with agencies in our surrounding environments.
• Establish and implement a campus climate survey in collaboration with Institutional Research to identify opportunities to actualize an inclusive and global learning community.
• Explore the feasibility of creating and implementing a Multicultural Student Affairs department to assess and increase the Division’s contribution to and support of a diverse student body and fostering a global learning community on campus.

4. Develop a culture of innovation and accountability in the redesign of Division policies, processes, and procedures.
• Develop a comprehensive assessment plan that identifies learning and program outcomes and demonstrates a process for improvement based on measurable results.
• Determine how/when to optimize human interaction between Division staff, students and University partners while employing technology to enable the timely retrieval and use of accurate information to address routine inquiries.
• Establish and implement a series of reporting procedures for the purpose of demonstrating measurable outcomes and data to demonstrate a collective contribution to student success.
• Establish and implement a recognition process to highlight innovative initiatives by individual staff members or departments that contribute to the ultimate utilization of human, financial, technological and physical resources.

5. Cultivate a collective identity that demonstrates a united vision.
• Collaborate with the Division of University Advancement and UH Marketing & Communication to develop and implement a division-wide integrated branding and marketing plan.
• Assess the current web presence and use of social media throughout the Division and implement Division expectations of website design and effective use of social media.
• Develop a comprehensive and integrated communications plan to increase awareness and understanding among the Division, the campus community and the surrounding environments about who we are, what we do, and who we serve.
• Expand the opportunities for staff involvement in division-wide initiatives, programs and services.

6. Create and engage in strategic partnerships.
• Collaborate with the Division of Academic Affairs to develop proactive initiatives and research that positively impact student retention and graduation rates.
• Involve the Faculty Senate, Staff Council, Student Government Association and other shared governance groups in the Division’s assessment and planning initiatives.
• Partner with the Division of University Advancement and the Alumni Association to nurture an alumni base to support the Division’s initiatives.
• Engage the Division of Administration and Finance in effective facilities management and the prioritization of capital investments.
• Work with University Information Technology to operationalize best practices and to leverage resources to optimize the seamless delivery of programs and services.
• Join forces with UH Athletics to explore opportunities that are mutually beneficial for student success.

1.4 EXECUTIVE LEADERSHIP TEAM

• Dr. Richard Walker – Vice Chancellor/Vice President, Student Affairs and Enrollment Services
• Daniel M. Maxwell – Assoc. Vice Chancellor/Assoc. Vice President, Student Affairs
• Stephen Soutullo – Assoc. Vice Chancellor/Assoc. Vice President, Enrollment Services
• Dr. William Munson – Assoc. Vice President for Student Affairs and Dean of Students
• Keith Kowalka – Assistant Vice President for Student Affairs, Student Life
• Floyd Robinson – Assistant Vice President for Student Affairs, Health and Wellness
• Patricia Sayles – Executive Director, Business Services
• Don Yackley – Executive Director, Student Housing and Residential Life

The current organizational chart is available online at http://www.uh.edu/dsa/pdf/orgchart.pdf

1.5 COLLEGE/DIVISION IT ROLES AND RESPONSIBILITIES

As delineated in MAPP 10.03.06, the IT roles for the Division of Student Affairs are assigned to:
• DSA-Information Resource Manager (IRM): Lawrence Daniel
• DSA-Technology Manager (TM): Sam Nguyen
• DSA-Information Security Officer (ISO): Le Nguyen

1.6 IT GOVERNANCE

The SAITS department is in the process of assembling a division-wide IT governance committee. This governance committee will be formed of DSAES department representatives with the purpose of providing continuous feedback, suggestions, and support for Student Affairs IT Policy and Procedures outlined in the DSAES Information Resource Management Plan. This committee will be led by Lawrence Daniel, Director for Student Affairs IT Services and Special Programs and will meet quarterly or as needed to assist with division wide IT initiatives and policy establishment and amendment. This committee will be implemented by Fall 2014.

1.7 AUDIENCE: DEPARTMENTS AND EMPLOYEE COUNTS

The SAITS Department provides IT services to 19 out of 25 departments in the Division. These 19 departments have a total of 219 full-time employees and 487 part-time employees. A detailed list of headcounts by department is provided in Appendix A.

In addition, SAITS also provides IT support to the leadership of student organizations, and acts as the IT liaison with vendors who provide services during DSAES events.
The current student organizations that SAITS supports are:
• Activities Funding Board
• Coog Radio
• Council of Ethnic Organization
• The Daily Cougar
• Frontier Fiesta Association
• Homecoming Board
• Metropolitan Volunteer Program
• Student Government Association
• Student Program Board
• Student Video Network

SECTION 2: COLLEGE IT ENVIRONMENT

2.1 IT ORGANIZATION – GOALS

In May 2013, the DSA, now the Division of Student Affairs and Enrollment Services (DSAES), made the decision to centralize the IT function throughout the division, following recommendations provided by the UIT department as a result of a comprehensive technology assessment process. The Student Affairs IT Services (SAITS) department was established to support the Information Technology needs for 19 departments and 10 Fee-funded Student Organizations. Along with supporting fee-funded student organizations, department computers and websites, we will maintain support for computer labs, kiosks, databases and other dedicated IT resources for the Division of Student Affairs and Enrollment Services. Our student staff positions will continue to provide an experiential learning environment that will be beneficial in the lives of future IT professionals and for those looking to learn more about the Information Technology field.

Mission
Student Affairs IT Services (SAITS) is committed to providing reliable support and innovative technology solutions for department services, programs and resources that sustain an environment dedicated to student success.

Vision
Working collaboratively, Student Affairs IT Services will maintain an efficient and proactive information technology environment that provides seamless support, elevates staff productivity, and supports Tier One programs, while seeking to contribute to increased student retention and graduation rates.
Specific SAITS goals, frequency, and measurements were delineated as part of our SAITS assessment program. The FY14 SAITS assessment plan is available at: http://www.uh.edu/dsa/about_student_affairs/assessment_planning/assessment_plans/fy14/SAITS.pdf

2.2 IT ORGANIZATIONAL CHART

[Figure: IT organizational chart]

2.3 IT SERVICE CATALOG AND SERVICE LEVELS

The service catalog shown in Appendix B represents a comprehensive list of IT services provided to DSAES departments. This catalog reflects all SAITS services provided to staff and student organizations. As part of the SAITS reorganization several services were – and are still being – restructured.

SECTION 3: RISK AND SERVICE CONTINUITY MANAGEMENT

3.1 RISK MANAGEMENT – OVERVIEW

Risk management involves two discrete process areas: 1) Risk analysis, and 2) Risk monitoring and control. The identification of risks and their quantification (risk analysis), and the identification of countermeasures to reduce or eliminate threats (risk monitoring and control) play an important role in achieving service continuity and reaching desired service levels to the DSAES audience.

The processes used by DSAES to manage risk and service continuity follow industry best practices including the following activities:

Risk Analysis
a. Identification of risks
b. Risk assessment (probability and impact)

Risk Monitoring and Control
c. Identify strategy to manage the risk (risk avoidance, risk transfer, risk mitigation)
d. Identify courses of action should the risk occur (incident/problem management processes, recovery plan)

3.2 RISK MANAGEMENT AT THE DIVISION OF STUDENT AFFAIRS & ENROLLMENT SERVICES

The list of risks identified below is associated with most IT services provided by DSAIT.
| SERVICE | RISK DESCRIPTION | IMPACT [1] | PROBABILITY [1] | RANK [2] | RISK STRATEGY and NOTES |
|---|---|---|---|---|---|
| Network Services | Facility damage (IDFs) | 3 | 1 | 3 | Supported by UIT Network Operations group. |
| Network Services | Loss of connectivity (wired) | 3 | 1 | 3 | Supported by UIT Network Operations group. |
| Network Services | Loss of connectivity (wireless) | 3 | 1 | 3 | Supported by UIT Network Operations group. For performance issues, installation of additional WAPs in high use areas such as board rooms. |
| Telephony | Loss of service due to infrastructure damage | 3 | 1 | 3 | Note: DSAES has IP telephones (Lync and CISCO) |
| Email Services | Loss of service due to physical failure | 3 | 1 | 3 | UH Exchange supported by UIT Enterprise Systems group. |
| Directory Services (Active Directory) | Loss of connectivity | 3 | 1 | 3 | DSAES uses the CougarNet Active Directory services maintained by the UIT enterprise systems group. |
| Mass email (ListServ) | Loss of service due to application failure | 1 | 1 | 1 | DSAES uses UH Listserv which is administered by UIT. |
| Computer Labs | Physical damage of hardware | 1 | 1 | 1 | Two small labs exist in the Campus Recreation & Wellness center, a few workstations in career services, and two labs in Center for Students with DisAbilities. |
| Computer Labs | Physical failure (hardware) | 1 | 1 | 1 | Due to the low probability, failures are taken offline. |
| Computer Labs | Software failure | 1 | 1 | 1 | Labs have an image and in case any software fails, the image is reinstalled in the computer. |
| Computer Labs | Loss of equipment (stolen) | 2 | 1 | 2 | Labs are secured at night by the department facility administrator. The CSD labs have security cameras installed. |
| Desktop and Printing Support | Physical Failure (hardware) | 2 | 1 | 2 | Note: SAITS supports personal printers and network printers for staff and student organizations. |
| Desktop and Printing Support | Software failure | 1 | 2 | 2 | SAITS staff performs troubleshooting and reinstalls software for faculty/staff |
| Desktop and Printing Support | Loss of equipment (lost or stolen) | 2 | 2 | 4 | Several laptops were stolen from employees’ offices in 2012. Now, all AV equipment and laptops are being locked overnight. |
| IT Security and Information Assurance | Compliance violations, Intrusion system | 3 | 1 | 3 | Note: A security incident was reported by Career Services (cold fusion online application) in early 2014. |
| Collaboration (SharePoint) | Unavailability of service | 1 | 1 | 1 | Used by a few groups for file sharing, task assignment, and check-in equipment. |
| Digital Signage | Hardware and software failure | 2 | 1 | 2 | Seven signs have been installed at the UC and UC Satellite. No failures reported. |
| Social Media | Loss of service | 1 | 1 | 1 | Used for marketing purposes, not for emergency communications |
| Backup Service (TSM) | Loss of service | 2 | 1 | 2 | All servers are backed up by UIT. Desktop backups are not critical. Backup restores are unusual. |
| File Shares | Loss of service | 3 | 1 | 3 | Maintained by UIT. No downtime reported by users. |

[1] 1 = Low; 2 = Medium; 3 = High
[2] Rank = Impact x Probability
3.3 IT SERVICE CONTINUITY MANAGEMENT – OVERVIEW

The goal of IT Service Continuity Management (SCM) is to support the overall business continuity management processes by ensuring that the required IT technical and service facilities (including computing systems, network infrastructure, data repositories, applications, telecommunications, environment, technical support, and service desk) can be resumed within required, and agreed, business levels.

3.4 IT SERVICE CONTINUITY MANAGEMENT AT THE DIVISION OF STUDENT AFFAIRS & ENROLLMENT SERVICES

The Student Affairs IT Services Continuity Management Plan is modeled after the University of Houston Information Technology service continuity plan that covers University-at-large IT assets and services. The DSAES plan is focused on the continuity of IT assets controlled by the DSAES and not those managed or owned by other divisions or the University itself. A copy of the DSA IT Service Continuity Plan is included as Appendix C.

SECTION 4: RESOURCE MANAGEMENT

4.1 RESOURCE MANAGEMENT - OVERVIEW

In an effort to achieve optimal efficiency and effective use of our computing resources, the DSAES considered each of the following practice areas.

4.2. Lifecycle Management
• Software Management
• Hardware Management
4.3. Connecting Devices to the UH Network
4.4. Data Backup and Record Retention
• Backing up and Recovering Data
• Managing Record Retention
4.5. Education and Training
• Training on the use of hardware and software
• Educating on the appropriate use of computing resources

4.2 LIFECYCLE MANAGEMENT

4.2.1. SOFTWARE MANAGEMENT

a. Software Acquisition
All software purchases are centralized and go through SAITS. Software is purchased in accordance with University MAPP purchasing procedures through business services. Software is reviewed regularly by SAITS to ensure it is current and meeting the goals of the division. The SAITS personnel (technology manager and information security officer) have p-card authority to purchase IT equipment and software. Most transactions are done with the p-card; only amounts over $5,000 are handled through a purchase order.

b. Software Maintenance (License Management)
The SAITS department maintains software licenses and is responsible for property management of the software. SAITS installs and verifies proper installation and operation. DSAES staff primarily use software installed under the University site license. Individual software licenses (specialized) are also maintained by SAITS and renewed as needed.

c. Software Inventory (MAPP 03.03.03)
SAITS maintains the inventory of licenses in a local spreadsheet accessed only by UIT. All software purchases are centralized and are requested through the SAITS department. Software inventory is kept up-to-date by SAITS in a spreadsheet maintained by both the SAITS manager and the ISO. An annual practice of software inventory will be implemented by the Division in the near future. In addition, the division is implementing the Microsoft client management solution System Center Configuration Manager in collaboration with UIT, which will produce a software inventory of all the machines in the Division.

d. Software Disposal (MAPP 03.03.05)
Most software is downloaded from vendors’ sites or through the UIT software site. Software is copied to digital media and shared drives when it is used for installation purposes. If the software is outdated or no longer needed, the folder in the shared drive is deleted.
If the media (CD/DVD) exists and the software is outdated or no longer needed, the CDs or DVDs are shredded or disposed of. If the software can still be used, it is occasionally given away to staff, license agreement permitting, and is removed from the software inventory.

4.2.2. HARDWARE MANAGEMENT

a. Hardware Acquisition
All hardware purchases are centralized and go through the SAITS Department. Purchases are made in accordance with University MAPP guidelines. New staff are provided with standardized technology used by the division, which is based on their job requirements. Most desktop hardware is Dell; these are purchased through the University purchasing site and DIR vendors when possible.

i. Digital Tablet Acquisition
All digital tablet purchases must be approved by the SAITS department and each department’s appropriate Assistant Vice President. The use of this equipment is restricted to specific department use only. All tablet purchases are funded solely by the requesting department. All maintenance, including required software updates, is managed by the department.

b. Hardware Replacement Cycle
DSAES has a 4-year replacement lifecycle. Budget is allocated accordingly, and equipment is replaced following a cascading replacement plan.

c. Hardware Inventory
SAITS conducts a yearly inventory of all UH tagged hardware. This inventory is performed in accordance with University Property Management directives and protocol. All desktops come pre-tagged from Dell. Portable equipment (laptops and handhelds), even when below the university price threshold, is tagged by SAITS. There are several property custodians of IT assets in the Division.

d. Disposing Hardware
DSAES departments’ disposal of inventoried equipment follows MAPP and University Property Management policies. SAITS directs staff to comply with MAPP 10.05.03 to ensure all sensitive data is stored and protected appropriately.
When disposing of desktops and laptops, hard drives are wiped with industry-grade data wiping software prior to being sent to UH property management. Non-inventoried/non-tagged hardware and furniture are disposed of using University Property Management or recycled.

4.3 CONNECTING DEVICES TO THE UH NETWORK

SAITS requests that staff and student organizations consult with SAITS prior to connecting any device to the UH network either through a wired, wireless, or tunneled (i.e., VPN) connection. SAITS recommends staff and student organizations use the UHSecure wireless network rather than UHWireless when connecting to the UH wireless network.

4.4 DATA BACKUP AND RECORDS RETENTION

SAITS encourages staff to store data that needs to be backed up in the shared drives physically located at the UH Computing Center. Server backups of shared drives are done by UIT following centralized practices. Desktops/laptops belonging to directors and executives are backed up using TSM services.

4.5 EDUCATION AND TRAINING

SAITS provides technology training to staff, as needed. The SAITS group maintains technology knowledge and skill through attendance at UIT sponsored training sessions, technology partner program workshops, and attendance at local, regional and/or IT Professional conferences.

SECTION 5: RESOURCE SECURITY

5.1 OVERVIEW

Resource security pertains to minimizing security vulnerabilities and ensuring confidentiality, integrity, and availability of information resources. To safeguard information assets, the DSAES follows these different practices.

5.2 SECURING INFORMATION

5.2.1 IDENTITY MANAGEMENT (MAPP 10.05.01)

Staff and student organizations use DSAES resources using their CougarNet login. All user accounts are provisioned and managed using the University’s CougarNet Active Directory.
For those individuals needing access to DSAES resources who are not faculty, staff, or students, the University’s person-of-interest (POI) procedure through PeopleSoft is used to provision a CougarNet account. Service accounts for printers are also provisioned in CougarNet and are granted least privilege whenever possible. The DSAES will be implementing a process for periodically changing local administrative/root account passwords and service account passwords.

5.2.2 CONTROLLING ACCESS TO INFORMATION
Access to DSAES information is controlled primarily through DSAES file shares. The DSAES also uses SharePoint for collaboration and sharing of information. For data stored on faculty and staff workstations, that faculty or staff member also assumes the data custodian role for that data and is responsible for taking due care in ensuring its security and backups. All faculty and staff are advised to run Identity Finder on their respective machines to ensure that no sensitive data is being stored on them. SAITS completed running Identity Finder on all DSAES machines in Fall 2013; an annual follow-up process will be conducted in collaboration with UIT Security. Most DSAES servers are managed by UIT personnel and are located in the UH Data Center. Data backups of DSAES servers located at the UH Data Center are under UIT’s responsibility and are covered by a service level agreement (SLA).

5.2.3 ROTATING AND SEPARATING DUTIES
All day-to-day IT operations are currently managed by Lawrence Daniel, Director of Student Affairs IT Services, and Sam Nguyen, Manager of Division Info Services. DSAIT will work with UIT Security to ensure processes for rotating and separating duties are put in place and documented in this IRM plan.

5.2.4 REPORTING SECURITY VIOLATIONS AND INCIDENT HANDLING (MAPP 10.05.03)
Security incidents are reported by faculty/staff to the DSAES ISO.
All security incidents, whether actual or potential, are reported by the DSAES ISO to the DSAES IRM and UIT Security. The DSAES ISO works closely with UIT Security to conduct an incident investigation. The DSAES ISO follows all guidelines and recommendations provided in the MAPP 10.05.02 when reporting security incidents.

5.3 SECURING DESKTOPS AND SERVERS

5.3.1. PHYSICAL SECURITY
Most servers are physically located at the UH Computing Center and follow the university physical security guidelines of that space. There are currently six (6) servers not hosted in the UH data center; these are managed by the SAITS group, and most of them are in the process of being retired. For staff, workstation physical security is the responsibility of the staff to whom the equipment is assigned. Laptops and AV equipment for departmental purposes are stored in a physically secured (locked) location and are under the responsibility of the SAITS team.

5.3.2. MONITORING THE ENVIRONMENT AND ENSURING AVAILABILITY
For the servers located at the UH data center, server monitoring is performed by UIT ITAC on a 24x7 basis. There are six (6) servers outside the UH data center, managed by SAITS, which are supported only during regular business hours and only when incidents occur.

5.3.3. SECURITY PATCHING, CONFIGURATION, AND VIRUS/MALWARE PROTECTION
All workstations have the latest McAfee enterprise version installed, and automatic updates are enabled on all workstations.

5.3.4. SECURE CONFIGURATIONS AND SYSTEM PROVISIONING UPGRADING SYSTEM
In computer labs: Students do not have permission to install software on the computer lab machines. If a machine is compromised (virus/malware), the image is reinstalled. Only the DSAIT Manager and the DSAIT Assistant Manager for desktop support have access to the administrator password on the machines, and can install and restore applications.
APPENDIX A: DEPARTMENTAL UNITS PART OF DSAES AND HEADCOUNTS

1 2 3 4 DEPT CODE H0205 H0206 H0207 H0209 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 H0210 H0211 H0212 H0215 H0216 H0218 H0220 H0223 H0224 H0225 H0226 H0227 H0229 H0231 H0232 H0292 H0471 22 23 24 25 H0553 H0616 H0677 H0678 DEPARTMENT NAME (*) Office of the VP/VC for DSAES (*) Urban Experience VPSA (*) Student Health Center Enrollment Management Services & Production Support Office of Admissions Office of Registration and Academic Records Office of Scholarships and Financial Aid University Career Services(*) Center For Students with Disabilities(*) (*) Veteran Services Counseling and Psychological Services(*) (*) Dean of Students Center for Student Involvement(*) Campus Recreation(*) (*) Center for Student Media (*) University Centers (*) Children’s Learning Center Student Housing – Residential Religion Center(*) (*) Wellness Center Enrollment Services Office of Student Communications & Marketing Center for Leadership and FSL(*) Student Affairs IT Services(*) LGBT Resource Center(*) Women’s Resource Center(*) Sub-Total only (*) DSAES Departments: Total All DSAES Departments: HEADCOUNT FULL-TIME 7 1 29 27 HEADCOUNT PART-TIME 1 16 6 0 41 41 44 10 7 3 19 8 6 17 5 25 31 34 1 3 7 32 4 12 11 5 0 1 2 46 254 22 41 51 217 6 7 12 3 8 1 2 186 380 4 0 2 0 475 752

Note: (*) The IT services and processes of these departments are included as part of this IRM plan. All others excluded.
Source: data extracted from PeopleSoft as of 1/27/2014.
APPENDIX B: SAITS SERVICE CATALOG

IT SERVICE Account and Access Management SERVICE PROVIDER SAITS, UIT Asset Management (planning, lifecycle replacement) Backup Services (servers, desktops) SAITS AUDIENCE Staff, Student Organizations, Vendors, Guests Staff, Student Organizations SAITS, UIT Staff, Student Organizations SAITS, UIT DSAES departments SAITS Students, Guests Database Administration SAITS DSAES departments Desktop/Client & Printer Support Digital Signage SAITS Staff, Student Organizations DSAES departments Collaboration Services (SharePoint) Computer Labs Directory Services (LDAP, Active Directory) Document Imaging Email Services (Exchange) Emergency Communications Event Support (special events) File Shares Hosted Services (UH data center) Mass Email Communications (Listserv, RightNow) Security Risk and Compliance Server Administration (local servers) UIT SAITS, UIT Staff, Student Organizations SAITS, Xerox Staff, Student Organizations Staff, Student Organizations Staff, Student Organizations Staff, Student Organizations Staff, Student Organizations Staff, Student Organizations SAITS, UIT DPS, UIT DSAESUC A/V SAITS, UIT UIT SAITS, UIT SAITS, UIT DSAES departments, staff SAITS DSAES departments DSAES Marketing DSAES departments Specialized Applications SAITS, external vendors DSAES departments Technology Consulting SAITS Technology Training SAITS Staff, Student Organizations Staff Social Media

NOTES
Level 1 support: SAITS; level 2 support: UIT Support Center
SAITS responsible for asset management for all units except Enrollment Services and SHRL
SAITS responsible for backups of desktops and local servers; UIT responsible for backups of servers located in the UH data center
Level 1 support: SAITS; level 2 support: UIT Web Services
Labs with few workstations located in Campus Recreation, Students with Disabilities, and Career
Services
Several local databases (MySQL) used for DSAES Web applications, Career Services, Campus Recreation, CAPS, and Health Center
SAITS supports content and clients, UIT supports digital signage servers
SAITS has OU admin rights to Active Directory. UIT Enterprise Operating Systems provides level 2 support.
Level 1 support: SAITS; level 2 support: UIT Support Center
DPS is the business owner, and UIT support the technology service
UC A/V team managed by Cherryl Grew-Grillen
Level 1 support: SAITS; level 2 support: UIT Enterprise Systems
Support provided by UIT enterprise systems group
Level 1 support: SAITS; level 2 support: UIT Web Services
Few servers maintained locally, including Career Services and Campus Recreation (planned for retirement in 2014)
Several social media sites maintained by DSAES Marketing group
Some applications maintained locally, including Career Services and Campus Recreation (planned for retirement in 2014), and CAPS – Titanium.
SAITS advises on IT procurements
For desktop/office applications only.

IT SERVICE SERVICE PROVIDER AUDIENCE Telephone Services (long distance, fax) Unified Communications (Lync) Video Conferencing Web Publishing and Design UIT Staff UIT Staff, Student Organizations DSAES departments, staff DSAES departments Wi-Fi Wired Network SAITS SAITS, UIT UIT Wireless Group UIT Network Operations Staff, Student Organizations Staff, Student Organizations

NOTES
Not frequently requested.
Division using Lync and CISCO phones
All web sites are maintained by the SAITS Web team and most reside in the CMS; UIT supports the CMS.
Work orders entered by the SAITS department
Work orders entered by the SAITS department

APPENDIX C: DSAIT BUSINESS CONTINUITY PLAN
(Separate document attached below)

UNIVERSITY OF HOUSTON
EMERGENCY MANAGEMENT PLANNING BUSINESS CONTINUITY
University of Houston Dean of Students Office - Continuity of Operations Plan
Dean of Students Office
Department/Unit Developer Revision Date Plan Development
Kamran Riaz October 26, 2012 Student Affairs IT Services

Head of Operations
Name: Dr. William F. Munson
Phone Number: 832-842-6183
Alt Phone Number: 832-453-1716
Email address: WMunson@uh.edu

A: Background Information for Emergency Planning
No one can predict when an emergency might happen or how severe it will be. It is prudent to plan for one, especially since these plans can be applied to any major emergency that could threaten the health and safety of the campus community or disrupt University programs and essential operations. This plan should address any kind of emergency that is severe enough to impact the UTEP community including an infectious disease epidemic, severe weather events, fires or explosions, hazardous materials releases, extended power outages, floods, terrorism or mass casualty events.

BUSINESS CONTINUITY PLAN (BCP/COOP)

A. BUSINESS CONTINUITY PLAN (BCP)
To be better prepared, UH personnel and its programs may use this form to complete a Business Continuity Plan (BCP) checklist - to describe how your program will operate during an emergency and to recover afterwards to be fully operational.

B. DEPARTMENT OBJECTIVES 2014
Considering your unique mission, describe your teaching, research and/or service objectives:
1. Create and maintain an intellectual environment which supports the rights of University community members to pursue their educational goals in a safe and orderly atmosphere
2.
Reduce barriers to student success and persistence by providing information regarding UH policies, procedures, programs, services, and current University events
3. Support academic success and encourage persistence by solving student problems; reduce barriers to academic and personal success by providing information and referrals
4. Provide an opportunity for parents and family members of UH students to become connected to the University
5. Support the success of commuter and transfer students through advocacy and programming designed to enhance persistence and engagement.

BUSINESS CONTINUITY PLAN (BCP/COOP)

A. BUSINESS CONTINUITY PLAN (BCP)
To be better prepared, UH personnel and its programs may use this form to complete a Business Continuity Plan (BCP) checklist - to describe how your program will operate during an emergency and to recover afterwards to be fully operational.

B. DEPARTMENT OBJECTIVES
Considering your unique mission, describe your teaching, research and/or service objectives:

Mission:
1. The Student Affairs IT Services department is committed to providing reliable support and innovative technology solutions for department services, programs and resources that sustain an environment dedicated to student success.
2. Working collaboratively, Student Affairs IT Services will maintain an efficient and proactive information technology environment that provides seamless support, elevates staff productivity, and supports Tier One programs, while seeking to contribute to increased student retention and graduation rates.

Customer Service Considerations:
A. Establish an efficient, responsive, and customer service oriented IT department.
B. Maintain protocols related to day-to-day customer service needs
i. Maintain Department service email
ii. Maintain SAITS website
iii. Information Resource Management Guide to help establish IT policy and procedures that are reflective of the SAITS mission and UIT policy and procedures

Fiscal Considerations:
1.
Assess Student Affairs IT needs by department and develop a fiscally responsible budget for FY14, FY15 and beyond.
2. Outline a priority list for software/hardware replacement and upgrades for each department
3. Based on job function and department specific need, establish standardized tiered computer configurations (i.e., general, mid-level, advanced), which will assure that all software and hardware are consistent.
4. Transfer all IT inventory to the SAITS department

Performance Consideration:
1. Establish evaluation and assessment measures that assist with the development of the SAITS department.
2. Create a customer service assessment to provide feedback on SAITS’ level of service, response to specific IT needs, and suggested opportunities for growth.
3. Create performance development plans for all members of the SAITS team.

Third Party Systems:
1. Provide support and assistance for third-party database procurement and system upgrades.
2. Work with departments that currently have third-party database services to outline function, support, and current status as it relates to future usage (i.e., current satisfaction, contract length, upgrade eligibility).
3. Ensure that SAITS staff members are involved with any new third-party database implementation.

C. MORE INFORMATION REGARDING YOUR DEPARTMENT
Please note below information for your department’s contact.

Primary Contact
Name: Lawrence Daniel
Phone Number: Office: 832-842-4845 Cell: 832-260-3141
Email address: lrdaniel@uh.edu
Dept. locations: University Center Bldg. 565
Campus Address: UC North 237

Secondary Contact
Name: Sam T. Nguyen
Phone Number: Office: 832-842-6170 Cell: 713-305-6448
Email address: stnguyen@uh.edu
Dept. locations: University Center Bldg. 565
Campus Address: UC North 237

Third Contact
Name: Le T. Nguyen
Phone Number: Office: 832-842-6173 Cell: 281-690-7054
Email address: ltnguyen@Central.uh.edu
Dept. locations: University Center Bldg. 565
Campus Address: UC North 237

Fourth Contact
Name: Kyle Stehling
Phone Number: Office: 832-842-6171 Cell: 832-622-3880
Email address: ksstehli@central.uh.edu
Dept. locations: University Center Bldg. 565
Campus Address: UC North 237

Fourth Contact
Name: Renita Williams
Phone Number: Office: 713.743.6996 Cell: 713-252-0176
Email address: rwillia7@central.uh.edu
Dept. locations: University Center Bldg. 565
Campus Address: UC North 237

Fifth Contact
Name: Darryl Creeks
Phone Number: Office: 713.743.5143 Cell: 713.412.1527
Email address: drcreeks@Central.UH.EDU
Dept. locations: University Center Bldg. 565
Campus Address: UC North 237

Please indicate below the principal nature of your department’s operations (check all that apply):
Instruction, Student life support, Laboratory research, Research support, Other research, Facilities support, Administration, Other (describe): ________________________________

D. EMERGENCY ACCESS TO INFORMATION AND SYSTEMS
Is your essential data backed up regularly? Would the information be accessible if your building was closed, or if the University network was down? If access to your department’s information and systems is essential in an emergency, describe your emergency access plan below. This may include remote access (or authorization to allow remote access), contacting IT support, Blackboard, off-site data backup, backup files on flash drives, hard copies, or mobile device storage. All data must be protected in accordance with MAPP 10.05.03, Data Classification and Protection. Identify what critical data and records are backed up, and whether the backup is stored on-site or off-site. Simulate a failure scenario that tests the ability to recover “lost” critical data. Describe how your department will respond to the destruction of critical data. If telecommuting is an option for one or more of your staff, include the specifics to ensure compliance.
• Depending on the job functions, most of the computers are set up on TSM to back up data nightly. The majority of the office staff are mapped to network shares on VM to save data. All VM servers hosted at the Computing Center are based in room 210, which has nightly backups.
• Servers physically located in the individual departments are listed below; these are being phased out:

Service Type | Dept | Server Name | Service/Function
App | Campus Rec | crc-active | Class software - Active Network
Core | CAPS | Caps-publicweb | Web Server (department website, client survey(s), registration pages)
Specialized | CAPS | TitaniumApp | Titanium Schedule application
Specialized | CAPS | Titanium510 | Database Server (SQL 2008 R2: Titanium Schedule Database)
Specialized | Health Center | lmm34349 | Medical Manager software

E. EMERGENCY COMMUNICATION SYSTEMS
All UH employees are responsible for keeping informed of emergencies by monitoring news media reports, UH’s emergency website home page, email, and PIER alert messages. To rapidly communicate with our staff in an emergency, we have prepared a call tree.
Note: List multiple communication systems that can be used for backup, after hours, when not on campus, or for other contingencies.
Phone, Email, Text messaging, Call tree, UH web sites, Pager, Instant messaging, Electronic Billboard, UH radio station, Other

F. DEPARTMENT ESSENTIAL FUNCTIONS/PERSONNEL
List below your department’s functions that are essential to operational continuity and/or recovery, and who is responsible for them. Make sure that alternates are sufficiently cross-trained to assume responsibilities.

Essential Function: Student Affairs IT Services - Information Resource Manager
People Responsible: Primary Lawrence Daniel; Alternate Sam T. Nguyen; Second Alternate Le Nguyen
Phone Numbers: 832-842-4845; 832-842-6170; 832-842-6173

Essential Function: Student Affairs IT Services - Technology Manager
People Responsible: Primary Sam T.
Nguyen; Alternate Le Nguyen; Second Alternate Lawrence Daniel
Phone Numbers: 832-842-6170; 832-842-6173; 832-842-4845

Essential Function: Student Affairs IT Services - Information Security Officer
People Responsible: Primary Le Nguyen; Alternate Lawrence Daniel; Second Alternate Sam T. Nguyen
Phone Numbers: 832-842-6173; 832-842-4845; 832-842-6170

Essential Function: Student Affairs IT Services – Web Management
People Responsible: Primary Kyle Stehling; Alternate Renita Williams; Second Alternate Darryl Creeks
Phone Numbers: 832-842-6171; 713-743-6996; 713-743-5143

Essential Function: Student Affairs IT Services – Servers / Databases Management
People Responsible: Primary Eli Aaron; Alternate Sam Nguyen; Second Alternate Le Nguyen
Phone Numbers: 832-842-4672; Office: 832-842-6170; Office: 832-842-6173

G. YOUR DEPARTMENT’S LEADERSHIP SUCCESSION
List the people who can make operational decisions if the head of your department or unit is absent. Review your department’s key personnel, team leaders, department heads and those responsible for the above essential functions to identify your department’s Emergency Business Continuity Plan.

Head of BCP: Name Lawrence Daniel; Phone 832-842-4845; Alt Phone Number 832-260-3141
First Successor: Name Sam Nguyen; Phone 832-842-61710; Alt Phone Number 713-305-4668
Second Successor: Name Le Nguyen; Phone 832-842-6193; Alt Phone Number 281-690-7054

H. KEY INTERNAL (WITHIN UH) DEPENDENCIES
What are your department’s business interdependencies? What do you need from other departments to perform critical functions? Which departments depend on you to perform their critical functions? All UH departments rely on: Payroll, Purchasing, Business & Finance, Fire and Police, Human Resources and Plan Operations. List below the other products and services upon which your department depends and the internal UH departments or units that provide them.
Dependency (product or service): Technology/Network Connections & Support
Provider (UH department): IT (713-743-1411)

Dependency (product or service): UH DPS Police
Provider (UH department): UH DPS Police 713-743-3333

Dependency (product or service): Building Facilities and Operations Safety Building Facilities 713-743-4948
Provider (UH department):

Dependency (product or service): Fire Protection, Systems Monitoring, Emergency Notifications
Provider (UH department): UHDPS Fire Marshal's office at 713-743-1635

Dependency (product or service): Distribution of Payroll, Checks, & Timesheets in a timely manner
Provider (UH department): HRMS (Payroll) 713-743-4275

Dependency (product or service): Purchasing
Provider (UH department): Accounts Payable 713-743-8721

I. KEY EXTERNAL DEPENDENCIES
What are your department’s business interdependencies? What do you need from other departments to perform critical functions? Which departments depend on you to perform their critical functions? List below the products, services, suppliers and providers upon which your department depends. We recommend that you encourage them to prepare a continuity of operations plan.
Dependency (product or service): Student Conduct Data
Supplier/Provider: Primary EMS Enterprise; Alternate None
Phone Numbers: 800-288-4565

Dependency (product or service):
Supplier/Provider: Primary Dell Premier – Shawn Minix; Alternate Beth Christofferson
Phone Numbers: 800-274-7799 ext 5139394; 512-513-9588

Dependency (product or service):
Supplier/Provider: Primary Point and Click; Alternate
Phone Numbers: 781-328-0166

Dependency (product or service):
Supplier/Provider: Primary Procare Software; Alternate
Phone Numbers: 800-338-3884

Dependency (product or service):
Supplier/Provider: Primary Room Viewer; Alternate
Phone Numbers: 512-943-9110

Dependency (product or service):
Supplier/Provider: Primary Medical Manager; Alternate
Phone Numbers: 877-932-6301

Dependency (product or service):
Supplier/Provider: Primary Class; Alternate
Phone Numbers: 1-800-663-4991

Dependency (product or service):
Supplier/Provider: Primary Titanium Software Inc; Alternate
Phone Numbers: 281-443-3544

Dependency (product or service):
Supplier/Provider: Primary SmartPublisher; Alternate
Phone Numbers: 503-288-7500

Dependency (product or service):
Supplier/Provider: Primary QuickBooks; Alternate
Phone Numbers: 800-434-6817

N. DISASTER RECOVERY STRATEGIES

Condition | 1 – 2 days | 3 – 4 days | 5 – 10 days | 11+ days | Comments
Critical program space & facilities are damaged or not available | Would move to another building. | Would move to another building. | Would move to another building. | Would move to another building. |
Critical equipment is damaged or not available | Borrow equipment from another area/department or make purchases. | Borrow equipment from another area/department or make purchases. | Borrow equipment from another area/department or make purchases. | Borrow equipment from another area/department or make purchases. |
Centrally provided power becomes unavailable | Would need to procure a generator or move to another building. | Would need to procure a generator or move to another building. | Would need to procure a generator or move to another building. | Would need to procure a generator or move to another building. |
Communications via phone, fax, email, and internet becomes unavailable | Utilize cell phones and walkie talkies. | Utilize cell phones and walkie talkies. | Utilize cell phones and walkie talkies. | Utilize cell phones and walkie talkies. |
Central Information Systems are nonfunctional. Mission critical data is not unavailable | Would have to work as effectively as possible. | Would have to work as effectively as possible. | Would have to work as effectively as possible. | Would have to work as effectively as possible. |
Local information systems (LAN or desktops) become non-functional | Would have to work as effectively as possible. | Would have to work as effectively as possible. | Would have to work as effectively as possible. | Would have to work as effectively as possible. |
Staff is impacted by the disaster and not available to work | Hire temporary staff and train them as soon as possible. | Hire temporary staff and train them as soon as possible. | Hire temporary staff and train them as soon as possible. | Hire temporary staff and train them as soon as possible. |
Critical business partners or vendors are unable to provide goods or services | Borrow equipment from another area/department or make purchases. | Borrow equipment from another area/department or make purchases. | Borrow equipment from another area/department or make purchases. | Borrow equipment from another area/department or make purchases. |

J. BCP SUBMISSION
Department Head(s):
Lawrence Daniel; Title: Dir. Student Affairs IT Services and Special Programs; Date submitted: June 20, 2014
Sam T. Nguyen; Title: Division Information Services Manager; Date submitted: June 20, 2014
Rev/: 3.10.11