BUSINESS SERVICES COMMITTEE (BSC)
Meeting Notes
11/04/11, 1:30 pm to 3:00 pm
FAC 228D

Attendees: Tim Tashjian, Steve Kraal, Fred Friedrich, Mary Knight, Kathy Foster, Renee Wallace, Michael Bos, Shelby Stanfield, Brad Englert, Kristi Fisher
Guests: John Poulos, Julienne VanDerZiel, Cam Beasley, Dana Cook
Absent: Bob Harkins, Kedra Ishop, John McCall, Debra Kress

Laptop Encryption Status and Personally Identifiable Data Breach Plan – Cam Beasley

Cam Beasley presented the University encryption statistics and the newly developed plan for a potential data breach. At any given time, there are approximately 120,000 computing devices on campus. Individual campus network users are limited to five devices accessing the campus network at any one time. This access is controlled by EID login. Of the 120,000 devices on campus, 15,000 are University-owned laptops. At this point in time, approximately 22% of laptops are encrypted with SecureDoc, approximately 27% are encrypted with device-native software (like FileVault or BitLocker), and the remaining 51% have unknown encryption status. Encryption and breach statistics are in the handouts for the meeting.

In the past, two major breaches have occurred. These breaches were in UTDirect and at the McCombs School. These were major data breaches that affected large groups of people where data was the primary focus of the theft. Loss of devices occurs mostly when devices are stolen from faculty homes, left on airplanes, or lost in other mishaps. Loss of most student devices occurs from an opportunistic theft when a device is left unattended.

The biggest security problem with campus devices is related to individual user failure to download software security patches. Proper software maintenance is essential to protecting machines. When software is not updated properly, malicious actors are able to penetrate machines through software holes—particularly holes in un-patched browsers.
Securing software globally is difficult because there are so many different devices on campus. Applications are the biggest target on campus.

The committee inquired as to the capacity of the ISO to identify the location of breaches when they occur. Cam replied that it is possible to identify the locations of the breach. Breaches usually occur with individual devices in everyday use mode that have gone unprotected, with the browser being the most vulnerable entry point. Malicious actors follow keystrokes (key logging) on a user’s machine, steal passwords, and access the system without the individual user being aware of the activity. All kinds of data are stolen—personal, research, and institutional data. Each individual breach event costs the University about four hours of job loss. The researcher can lose all of his or her data before detection occurs.

A plan to address breaches is in the handouts for the meeting. Cam’s team is willing to meet with any group of users on campus to help assess security and discuss breach prevention.

Decision Matrix on When to Involve the Information Security Office in Application Development Projects – Cam Beasley

Cam Beasley presented the decision matrix for when to engage the Information Security Office when developing applications on campus. The ISO has both Reactive and Proactive teams prepared for dealing with application breach events. The reactive group responds to events. The proactive group helps plan, monitors, completes systems checks, and tests new applications and changes in applications. Developers should involve Cam and the ISO as early as possible in the application development process. The decision matrix for involvement is in the meeting notes. When dealing with applications, all items related to law, policy, or contract are protected.

The committee inquired as to whether or not standard contract verbiage exists for application contracts.
The response was that yes, contract verbiage does exist. Contact the ISO for the contract language.

Trainee Funding Approach – Julienne VanDerZiel

Julienne VanDerZiel presented the new approach to funding ITS trainees. The change in funding was an executive decision made to foster cost sharing to support the trainee program. The program will no longer be totally centrally funded. ITS will pay for six trainees; departments will pay fully or pay into a cooperative system to support training. Details of the funding options are included in the meeting handouts. The funding system can be thought of as an insurance system where investment in a pool yields shared trainees that can support multiple units. The trainee pool can hold 11 members at any given time.

The committee inquired as to a possible hybrid model where there is some combination of individual department funding and cooperative funding. AITL considered a hybrid model but was not able to devise such a system. The committee also wondered how prioritization will be set for trainee access. The education advisory group will consider and define a process in the near future. The next step in the process will be for the education advisory group to survey the community to determine the demand for the pool so that trainees can be planned accordingly.

The Business Services Committee unanimously approved moving forward with the proposed funding approach. Julienne will bring the results back to the committee next month.

Administrative Systems Master Plan Updates/Recommendations – WG#1 representatives

ASMP Workgroup 1 presented their progress to the committee. The committee had some questions related to the definitions of the words “strategic/mission focused” on the vertical axis of the Administrative Systems Classification grid. They would like a deeper understanding of these terms so that they can properly classify systems at the University and make decisions about the portfolio.
The working group will work on these definitions and on fleshing out the grids. The committee inquired about the point at which it is appropriate to discuss funding options or a funding strategy. The group responded that the final plan will include a funding strategy and a broad set of funding options.

Future Agenda Items

1. MyEdu – Shelby Stanfield
2. Trainee Funding Approach – Julienne VanDerZiel
3. iModules – John McCall (schedule for after first of calendar year 2012)