STRATEGIC IT ACCOUNTABILITY BOARD
AGENDA
Friday, August 22, 2014
11:00 a.m. – 12:00 p.m.
STARK LIBRARY
I. Administrative System Modernization Program 2.0 and Change Coordination Board – Discussion (Renee Wallace)
II. InfoSec Policy Changes – Endorse (Cam Beasley, Tod Maxwell)
III. Identity and Access Management – Update (C.W. Belcher)
   * UT Login
   * Toopher
IV. University Data Centers – Update (Michael Cunningham)
V. Longhorn Innovation Fund for Technology – Update (Brad Englert)
ASMP 2.0 and Change Coordination Board - Discussion
Overview
The Administrative Systems Modernization Program (ASMP 2.0) is a large-scale, multi-year initiative to
replace the core human resources, payroll, financial, and student systems, implement a new technical
architecture, and decommission the mainframe in 2020. The program is a significant investment in our
future operational effectiveness, and its success relies on a committed and cooperative effort from the
entire campus.
Resource Constraint Risk
Priorities and initiatives originating in other campus units will likely compete for the same resources
needed to meet ASMP 2.0 objectives and may be dependent on modifications or enhancements to
systems about to be replaced, creating a program risk that must be managed. Systems about to be
replaced should be minimally maintained (bug fixes, statutory changes) to free up resources.
Constraints within central business areas:
- Individuals from central functional and technical teams are being redirected to the program
- Others remaining in HR, Payroll and Finance will contribute to the program as subject matter experts in addition to maintaining business continuity until the new systems are implemented
- Staff from student administrative areas are developing business requirements for a replacement system and coordinating procedural or policy changes that will facilitate transition
Constraints outside the central business areas:
- Hundreds of other campus employees will be participating in advisory groups, design workshops, readiness activities and training, in some cases with a substantial time commitment
- Many of the systems owned and operated by colleges and other units interact directly with core systems (HR/Payroll and Finance) and will need to be adapted
- The mainframe hosts approximately 600 non-core applications that must be retired or replaced. The project team is providing coordination and advisory support to assist in this effort, but the work to move off the mainframe will primarily be performed by the owning units
How do we balance ASMP 2.0 success with other priorities?
A coordinated approach with an overall institutional perspective is needed to:
- Sustain business continuity during the new system implementation
- Avoid overloading staff (campus-wide) with competing demands
- Ensure our ability to meet regulatory or statutory compliance requirements
- Avoid proliferation and investment in mainframe systems that must eventually be replaced
- Support strategic university priorities
Proposed Solution for discussion: Establish a Change Coordination Board
Leveraging the existing IT governance committees, a structured and predictable process will be
implemented for identifying potential conflicts in priorities and facilitating resolution. The Change
Coordination Board will provide a forum to ultimately decide priorities that cannot be resolved in the
committees. The process will provide transparency into planned IT projects across campus and an
opportunity to:
- Determine at an early stage whether or not interfaces to central systems can be accommodated and, if so, coordinate with the ASMP 2.0 schedule to avoid rework by the requesting unit
- Consider alternative solutions to meeting the business need
- Identify similar needs in multiple areas for possible collaboration
The work of the Change Coordination Board will raise awareness with campus business leaders about
competing demands and provide the forum to work collaboratively to achieve institutional priorities.
InfoSec Policy Changes - Endorse
Background
The Internal Audit Committee has asked that the following recommendations related to purchasing and
managing University owned IT devices be addressed in IT security policies as they are related to
vulnerabilities identified in audits conducted in units across campus. An AIC working group has been
working since Jan-2014 to develop the framework for these changes. These changes have been
discussed with AIC, BSC, OIT, and the Executive Compliance Committee.
Primary Findings
1. The University is unable to consistently identify IT resources on campus (e.g., laptops, desktops, servers). If devices cannot be identified, they cannot be secured and managed properly. The inability to identify devices for security and management purposes is growing worse as more devices become portable and as users bring multiple devices to campus. The inability to identify IT resources allows for increased security vulnerabilities.
2. The University is unable to verify devices are being professionally managed, which leads to unnecessary risks involving sensitive university data.
Implications of Findings
1. Many department man-hours are devoted to responding to security events.
2. Lost productivity for end users of systems who manage their own devices.
3. Inconsistent or non-existent system management processes in place in units.
4. Inventory management consumes a number of needless man-hours every year.
Recommendations
1. Create a new policy statement requiring University owned IT devices to be purchased and processed through the local IT support staff or via IT Shared Services. More specifically, implement the recommendation that was previously endorsed by IT Governance as a best practice as the campus policy. An exception process will be possible for unique situations.
2. Create a new policy statement requiring all university owned IT devices to be managed by professionally trained personnel. Industry recognized certifications and continued professional development will be required to demonstrate professional training. An exception process will be possible for unique situations.
3. Create a new policy statement requiring more tightly controlled management practices around the use of administrator-level accounts on university owned IT devices. Eighty to ninety percent of all university computer breaches are successful because the end-user is operating as the system administrator. An exception process will be possible for unique situations, which would allow for shared administrative access (e.g., when faculty must locally manage specialized software or tools on their systems).
InfoSec Policy Changes – DRAFT Memo
Subject: Operational: Policy Changes to Improve IT Resource Management and Security
Faculty and Staff:
As the use of information technology (IT) resources continues to evolve on campus, it is important that we also take
sensible precautions with regard to managing and securing these devices so that we can protect the data and
information assets of our faculty, staff, and the University.
As a result of Internal Audit findings and UT System policy changes, the University will enact new IT policies that
will help to afford new controls to ensure campus units are consistently managing the information resources of the
university. These policies have been reviewed and endorsed by IT Governance, the Internal Audit Committee, and
the Executive Compliance Committee.
These modifications will be published to the Information Resources Use and Security Policy
(http://security.utexas.edu/policies/irusp.html) and will be made effective August 01, 2015.
The changes specifically address the following necessary IT process improvements on campus:
1. The need for a defined training and certification program for IT support staff that will help ensure these staff
are professionally trained, confident in using the various IT toolsets on campus, and growing in their skill sets
throughout their tenure at the University.
2. The need to ensure IT inventory is being properly accounted for, securely configured, and consistently managed
by involving IT staff in the processing of IT procurements.
3. The need for more tightly controlled management practices around the use of administrative accounts for IT
resources.
Many campus units have had such controls in place for a number of years, and your vigilance and effort are greatly
appreciated, but it is important that the University ensure IT resources are being consistently managed and
secured across the campus.
Your local IT support staff are taking steps to work these changes into their procedures.
If you have any related questions or concerns, you may contact either your local IT support staff or contact the
Information Technology Services Help Desk by telephone at 512-475-9400 or by e-mail at
help@its.utexas.edu. Questions regarding the policy changes can be directed to the Information Security Office at
security@utexas.edu. And the following Web site can be consulted for more information:
Information Resources Use and Security Policy
http://security.utexas.edu/policies/irusp.html
Sections 5.4.7, 5.22.4, 5.23.5
Thank you very much for your help and cooperation with this effort.
Kevin P. Hegarty
Vice President and Chief Financial Officer
Gregory L. Fenves
Executive Vice President and Provost
UTLogin Transition – Update
About UTLogin
UTLogin is the new centralized authentication service that replaces the legacy Central Web
Authentication (CWA) system used by many university web applications; CWA relies on Fat Cookie as
its authentication mechanism. The CWA system has reached its end of life and is being retired
due to significant security issues and because it cannot meet the current business needs of campus.
Timeline for Transition
In November 2012, the Architecture & Infrastructure Committee endorsed the schedule for
transitioning university applications to UTLogin and retiring the CWA service. CWA applications
were organized into four transition groups and began moving to UTLogin in July 2013. The first
three transition groups completed their moves to UTLogin on June 30, 2014. UT Direct (Transition
Group 4) is scheduled to move to UTLogin on September 16, 2014, concluding the transition
process and allowing the retirement of the CWA system.
Transition Status
As of August 15, 2014, of the 210 servers and applications in the CWA environment:
- 95.7% (201 servers) have completed the transition process or are being retired
- 3.8% (8 servers) are on schedule (UT Direct and related servers)
- 0.5% (1 server) is behind schedule (Admissions Batch Print system). Admissions technical staff are actively working to transition this system to UTLogin.
Two-Factor Authentication – Update
About Two-Factor Authentication
The prevalence of “phishing” attacks on university systems is increasing at an alarming rate across
the country, in Texas, and within the UT System. Phishing fraudsters steal passwords in order to
redirect paychecks, view W2 forms to access sensitive personal data, and commit identity theft.
With two-factor authentication, the regular password login process is enhanced with an additional
authentication step that leverages something the user possesses (such as a mobile phone). Adding
this second authentication factor provides a defense against common phishing scenarios.
Toopher
As of July 8, 2014, two-factor authentication has been required to update paycheck bank routing
information and to download W2 forms. A user-friendly and secure tool called Toopher enables
this two-factor authentication step. Since two-factor authentication was deployed approximately
4,000 university employees have used the service to view or update their payroll information.
Toopher is compatible with Apple iOS and Android mobile devices, eliminating the need for a
separate one-time password key fob or other device. It also provides the ability to make two-factor
authentication “invisible” to the user by automating the second factor authentication step when
the user is in a trusted location, such as his/her office or home.
Next Steps – Fall 2014
ITS and the ISO are working with Toopher to provide additional authentication options that do not
require a mobile device, including pre-generated one-time passwords and a “call me” function. An
enhancement to support one-time password key fobs is also being pursued for those cases where
the user cannot use any other authentication mechanism.
ITS is also working with Financial Information Systems to plan the deployment of two-factor
authentication for updating non payroll-related bank routing information and viewing tax forms
(direct deposit for student scholarship payments, employee travel reimbursements, etc.).
As part of the Identity and Access Management (IAM) strategic roadmap, an Identity Assurance
Framework will be introduced this fall (late October) that will assist campus departments in
objectively assessing the risks involved in their online applications and determining whether
two-factor authentication is needed to mitigate those risks.
University Data Centers – Update
High Availability and Security
The University Data Center (UDC) at the Computational Resource Building went into production
in October 2010. Since 2010, the UDC has provided high availability services in a very secure
environment. With significant focus behind the scenes, the UDC Operations and Engineering
Team maintains a 24x7 security and monitoring environment. The Operations and Engineering
Team has exceeded its Service Level Agreement of 99.98% availability and delivered 100%
uptime year over year.
Supporting the Migration of Commodity Servers
With the inception of the commodity server policy initiative, the UDC has supported numerous
migrations from across campus. Today, the UDC hosts all of ITS core systems in addition to
hosting a cross section of systems from 42 business and academic units from across campus.
This systems inventory continues to grow and currently exceeds 1,100 physical systems
and 1,200 virtual systems.
In some instances, systems migration consists of moving a physical machine out from under a
desk or from a closet into the secure environment of the data center. In other instances, this
migration effort consists of moving the owner’s applications and data to a virtual server already
hosted in the data center and then retiring the physical machine. A total of 66 physical servers
and 301 virtual servers were migrated in calendar year 2014.
2014-2015 LIFT Award Recipients
The following proposals were selected to receive funding from the Longhorn Innovation
Fund for Technology (LIFT) for the 2014-2015 academic year.
Thrive @ UT: Using Technology to Promote UT Students’ Emotional
Intelligence and Academic Success
Thrive@UT will be a mobile app geared towards the personal development of emotional
wellness and life success of college aged students.
Participants: Dr. Chris Brownson, Counseling and Mental Health Center; Dr. Ricardo Ainslie
Department of Educational Psychology; Elana Bizer, Counseling and Mental Health Center; Katy
Redd, Counseling and Mental Health Center
CARL: The Cloud-based Advanced Robotics Laboratory
The Cloud-based Advanced Robotics Laboratory (CARL) will enable UT students, faculty, and
staff to use, program, and experiment with human-centered robots for educational and
research purposes.
Participants: Luis Sentis, Mechanical Engineering; Aloysius Mok, Computer Science; Matt
Mangum, Faculty Innovation Center
Dynamic Virtual Earth Science Collections
The Virtual Earth Science Collection will make more than four million specimens held in the Non-vertebrate
Paleontology Laboratory collections virtually accessible through an online database.
Participants: Ann Molineux, Jackson School of Geosciences & Non-vertebrate Paleontology Lab;
Tomislav Urban, Texas Advanced Computing Center & Data Management and Collections; Faye
Geigerman, Jackson School of Geosciences & Non-vertebrate Paleontology Lab
Bringing the Tools of Research Direct to the UT Classroom: Systemic, a
Virtual Lab for Students
The Virtual Lab will build on the existing app, Systemic, and allow students to independently
explore astronomical data, through visualizations, games, and a specialized curriculum.
Participants: Dr. Stefano Meschiari, Department of Astronomy; Dr. Joel Gree, Department of
Astronomy; Dr. Randi Ludwig, UTeach Primary
Environ
Environ is an educational game that puts students in a position to appreciate the complexity and
difficulty of the decisions that world leaders must make.
Participants: Peter Elam, Center for Teaching and Learning – Digital Media Institute; Matt O’Hair,
Center for Teaching and Learning – Digital Media Institute; Digital Media Institute Student
Staff; Faculty and Graduate Student Subject Matter Experts