Faculty Council Briefing
Larry Conrad, VC for IT and CIO
Stan Waddell, Exec Dir and Info. Security Officer
January 14, 2011
CENTRAL AND DISTRIBUTED IT SERVICES
its.unc.edu
The Role of CIO
▪ The CIO role has two distinct aspects
• Division head for central IT (ITS)
• Overall responsibility for coordinating IT services across campus units
▪ Provisioning a cohesive IT architecture
▪ Providing campus-wide IT infrastructure
▪ Campus-wide IT policies
▪ Overall responsibility for IT security
▪ Carolina Counts IT “champion”
Key Services ITS Provides
▪ Central IT infrastructure
• Learning Management System
• Centrally supported classrooms
• Centrally supported computer labs
• Research computing configurations
• Enterprise applications, e.g., ConnectCarolina
• Central Help Desk
• 24/7 computer rooms
• E-mail/calendaring
Key Services ITS Provides
▪ Central IT infrastructure
• Hundreds of servers in the 3 ITS computer rooms
• Network-attached storage
• Server housing/hosting
• Campus network
• Campus telephone system
• IT security office
• CCI program
• Software site licensing program
Key Services ITS Provides
▪ Central IT infrastructure
• Campus directory services
• Single sign-on environment
• www.unc.edu
Key Services Distributed IT Provides
▪ Organizations such as OASIS in A&S
• A spectrum of IT services
• Some duplication of central services
• Best at providing
▪ Unit-/discipline-specific applications
▪ Discipline-specific support
▪ Faculty computer support
• Coordination with central IT services to ensure seamless support to campus units
• Partnership with ITS on IT security
Key Services Distributed IT Provides
▪ Central vs. distributed services
• Certain services are best provided locally and some centrally (see the following “economic framework” graphic)
• The focus of the Carolina Counts initiative is to allow campus units to leverage central services more effectively and where appropriate
Proposed Model for Rebalancing Central vs. Distributed
DRAFT: Centralized vs. Distributed IT Services
[Chart: services plotted on an axis from 1 to 5]
Communications infrastructure (network and phone system, phone conferencing)
Email and Calendar (Exchange*)
ITS Data Centers*
Hardware acquisition and maintenance contracts negotiation (Leverage CCI, Hardware Maintenance contract negotiation*)
Campus-wide business applications (UNC-ALL*)
Research Cluster Condos*
User account management (Active Directory*)
Software Acquisition*
Network Attached Storage*
IT Security (Encryption Software for Laptops, Patch Management)*
Virtualized Servers*
Collaboration applications (SharePoint, wiki, web conferencing)
Research computing support
24/7 Help Desk Support*
Web site hosting
Video conferencing
Proposed Model for Rebalancing Central vs. Distributed
DRAFT: Centralized vs. Distributed IT Services
[Chart: services plotted on an axis from 1 to 5]
IT Training
Instructional applications development (Course Redesign Services*)
Database administration and support
Instructional support
Instructional Facilities (Classroom Config. & Support, Student Virtual Comp. Lab)*
Research computing applications
System administration
Web site support
Web site development
On site support
Unit-specific business apps
Specialized discipline or unit-based support
* Indicates Carolina Counts Priority Project
Scale: 1-5 (1 = Hosted in school/dept., 5 = Centralized in ITS)
Legend: Centralized service (ITS hosted); Distributed service (hosted in schools or departments)
Cohesive IT Environment
▪ ITS and distributed IT groups are working together
• Coherent IT architecture for the campus
• Comprehensive approach to IT security
• IT policy development and compliance
• Upgrade the Carolina IT infrastructure, which has lagged behind in recent years
• Achieve the Carolina Counts IT objectives
• Make the technology fade into the background…
Major IT Initiatives
▪ Modernizing the Carolina IT environment
• New communications funding model
• New research computing funding model
• New IT governance structure for the campus
• New enterprise systems base: ConnectCarolina (Student, Finance, HR)
• Blackboard to Sakai transition
• MS Exchange for e-mail and calendaring
• Upgrade the campus network core and off campus connectivity to 10 Gb
Major IT Initiatives
▪ Modernizing the Carolina IT environment
• Upgrade of the research computing cluster
• Outsource student e-mail to MS Live@edu
• Carolina Counts IT Partnership (Bain)
• New cell phone stipend program
• Improving information security
▪ State Auditor information security findings
▪ New information security policies
▪ “It takes a village…” approach
INFORMATION SECURITY
Information Security Level Set
▪ Information Security deals with the protection of three characteristics of Data
• Confidentiality – Keeping data private
• Integrity – Keeping data accurate
• Availability – Keeping data accessible (even in disasters)
Carolina Under Attack!
▪ Campus Wide
• 30,000 attempted hacks per day
• Thousands of systems have malware on them in any one year
• ~1000 systems isolated a year
• >30-60 systems forensically analyzed by ITS, Information Security per year
• Hacker motivations and the perpetrators have changed
Info Security Challenges
▪ The decentralized nature of campus data
▪ The open network at Carolina
▪ The University is a valuable target in the eyes of the bad guys: “a destination resort”
▪ These challenges force us to concentrate on securing sensitive information
Definition of Sensitive Information
▪ “Sensitive Information” includes all data, in its original and duplicate form, which contains: “Personal Information”
• Examples of Sensitive Information may include, but are not limited to:
▪ Identifiable research data
▪ Protected Health Information
▪ Student records
▪ Public safety information
▪ Financial donor information
▪ Information concerning select agents (controlled substances)
http://help.unc.edu/6475 Definition of Sensitive Data
http://help.unc.edu/6604 Legal References for Sensitive Data
Information Security at UNC
▪ Leadership from the CIO Office: the Chancellor’s vesting of responsibility for campus IT security with the CIO
▪ ITS Information Security Office
▪ Information Security Liaisons
▪ Campus IT Professionals
▪ Staff, Students, and Faculty
• It takes a commitment from all of us
Security Liaisons
▪ They work with the ITS Info Security team
▪ Each Department has at least one
▪ They can help:
• With reporting security incidents
• Getting clarification on policy
• Communicating information from the security office
• Implementing policy
• Help with general information security concerns
Incident Management: What to do?
▪ First, do no harm
• Any time you suspect a critical system or one which hosts or processes sensitive data is compromised, STOP and do a critical Remedy ticket to ITSSecurity.
Vulnerability Management: Scanning and Patching
▪ Systems storing sensitive information must be scanned for vulnerabilities at least monthly
• Scans can identify missing patches and improperly configured services
• Give guidance on how to remediate vulnerabilities
▪ Identified vulnerabilities must be remediated
• Critical: within 1 week
• Medium: within a month of identification
Mobile Devices
▪ Mobile Devices that store sensitive information must be encrypted
▪ Includes media (tape, thumb drives, external hard drives…)
▪ Pretty Good Privacy (PGP) laptop encryption is available
• Administratively funded
• Can be installed by departmental support
• Reduce risk of lost data due to forgotten passwords
Mobile Devices Continued
▪ Should be scanned for vulnerabilities
▪ Should use the Sensitive version of Symantec Endpoint Protection (antivirus)
▪ Should be authorized by the dean or department head
▪ Must be patched and/or updated regularly (i.e. MS update for laptops or cellular provider system updates for smart phones)
Info Security Policies
• A long overdue policy base to operate from in protecting the campus
▪ Information Security policy
▪ Information Security Standards policy
▪ General User Password policy
▪ Sys. and Appl. Administrator Password policy
▪ Transmission of Sensitive Information policy
▪ Security Liaison policy
▪ Vulnerability Management policy
▪ Incident Management policy
▪ Data Governance policy
Highlight: Data Governance Policy
▪ The policy defines the governance structure for management of institutional data and establishes procedures for data classification.
▪ No one person or unit owns UNC Data
▪ Groups should have processes in place for granting and revoking access to data
▪ Eliminate data when it has reached the end of its retention period
Highlight: Password Policy
▪ Requires password complexity
▪ Requires password expirations
▪ Prohibits password sharing
▪ Prohibits generic accounts
▪ Requires changes in situations where the password may have been compromised
▪ This applies to all passwords, not just the ONYEN
What this means to faculty…
▪ We all have a responsibility to protect the University and its data, particularly sensitive data
▪ Policies apply campus wide
▪ When in doubt ask (report issues)
▪ Use strong passwords
▪ Don’t surf web on machines with sensitive data
▪ Patch and configure correctly (scan to verify)
▪ Encrypt sensitive data and only use when needed
▪ Ensure servers are supported/maintained by competent systems administrators
Key Upcoming Projects
▪ Systems Administrator Assessments
• Ensure appropriate skills for Sys Admins
• Identify servers storing sensitive information
• Identify Service clusters which can provide systems administration support (fee based)
▪ Campus Perimeter Firewall
• Construct a workable strategy for enhancing security at the campus network border
Contact Information
▪ For issues involving system security, call 919-962-HELP or send e-mail to: security@unc.edu.
QUESTIONS?