Faculty Council Briefing
Larry Conrad, VC for IT and CIO
Stan Waddell, Executive Director and Information Security Officer
January 14, 2011
its.unc.edu 3
The Role of CIO
The CIO role has two distinct aspects
• Division head for central IT (ITS)
• Overall responsibility for coordinating IT services across campus units
  - Provisioning a cohesive IT architecture
  - Providing campus-wide IT infrastructure
  - Campus-wide IT policies
  - Overall responsibility for IT security
  - Carolina Counts IT “champion”
Key Services ITS Provides
Central IT infrastructure
• Learning Management System
• Centrally supported classrooms
• Centrally supported computer labs
• Research computing configurations
• Enterprise applications, e.g., ConnectCarolina
• Central Help Desk
• 24/7 computer rooms
• E-mail/calendaring
Key Services ITS Provides
Central IT infrastructure
• Hundreds of servers in the 3 ITS computer rooms
• Network attached storage
• Server housing/hosting
• Campus network
• Campus telephone system
• IT security office
• CCI program
• Software site licensing program
Key Services ITS Provides
Central IT infrastructure
• Campus directory services
• Single sign-on environment
• www.unc.edu
Key Services Distributed IT Provides
Organizations such as OASIS in A&S
• A spectrum of IT services
• Some duplication of central services
• Best at providing
  - Unit-/discipline-specific applications
  - Discipline-specific support
  - Faculty computer support
• Coordination with central IT services to ensure seamless support to campus units
• Partnership with ITS on IT security
Key Services Distributed IT Provides
Central vs. distributed services
• Certain services are best provided locally and some centrally (see the following “economic framework” graphic)
• The focus of the Carolina Counts initiative is to allow campus units to leverage central services more effectively and where appropriate
Proposed Model for Rebalancing Central vs. Distributed
DRAFT: Centralized vs. Distributed IT Services
Chart placing each service on a 1-5 scale (1 = hosted in school/dept., 5 = centralized in ITS); only the service labels and the legend survive in the text, not the individual ratings. Services charted, in the order shown:
• Communications infrastructure (network and phone system, phone conferencing)
• Email and Calendar (Exchange*)
• ITS Data Centers*
• Hardware acquisition and maintenance contracts negotiation (leverage CCI, hardware maintenance contract negotiation*)
• Campus-wide business applications (UNC-ALL*)
• Research Cluster Condos*
• User account management (Active Directory*)
• Software Acquisition*
• Network Attached Storage*
• IT Security (Encryption Software for Laptops, Patch Management)*
• Virtualized Servers*
• Collaboration applications (SharePoint, wiki, web conferencing)
• Research computing support
• 24/7 Help Desk Support*
• Web site hosting
• Video conferencing
• IT Training
• Instructional applications development (Course Redesign Services*)
• Database administration and support
• Instructional support
• Instructional Facilities (Classroom Config. & Support, Student Virtual Comp. Lab)*
• Research computing applications
• System administration
• Web site support
• Web site development
• On site support
• Unit-specific business apps
• Specialized discipline or unit-based support
* Indicates Carolina Counts Priority Project
Legend: Centralized service (ITS hosted); Distributed service (hosted in schools or departments)
Cohesive IT Environment
ITS and distributed IT groups are working together
• Coherent IT architecture for the campus
• Comprehensive approach to IT security
• IT policy development and compliance
• Upgrade the Carolina IT infrastructure, which has lagged behind in recent years
• Achieve the Carolina Counts IT objectives
• Make the technology fade into the background…
Major IT Initiatives
Modernizing the Carolina IT environment
• New communications funding model
• New research computing funding model
• New IT governance structure for the campus
• New enterprise systems base: ConnectCarolina (Student, Finance, HR)
• Blackboard to Sakai transition
• MS Exchange for e-mail and calendaring
• Upgrade the campus network core and off campus connectivity to 10 Gb
Major IT Initiatives
Modernizing the Carolina IT environment
• Upgrade of the research computing cluster
• Outsource student e-mail to MS Live@edu
• Carolina Counts IT Partnership (Bain)
• New cell phone stipend program
• Improving information security
  - State Auditor information security findings
  - New information security policies
  - “It takes a village…” approach
Information Security Level Set
Information Security deals with the protection of three characteristics of data
• Confidentiality – Keeping data private
• Integrity – Keeping data accurate
• Availability – Keeping data accessible (even in disasters)
Carolina Under Attack!
Campus wide
• 30,000 attempted hacks per day
• Thousands of systems have malware on them in any one year
• ~1000 systems isolated a year
• >30-60 systems forensically analyzed by ITS Information Security per year
• Hacker motivations and the perpetrators have changed
Info Security Challenges
• The decentralized nature of campus data
• The open network at Carolina
• The University is a valuable target in the eyes of the bad guys: “a destination resort”
These challenges force us to concentrate on securing sensitive information
Definition of Sensitive Information
“Sensitive Information” includes all data, in its original and duplicate form, which contains “Personal Information”
• Examples of Sensitive Information may include, but are not limited to:
  - Identifiable research data
  - Protected Health Information
  - Student records
  - Public safety information
  - Financial donor information
  - Information concerning select agents (controlled substances)
http://help.unc.edu/6475 Definition of Sensitive Data
http://help.unc.edu/6604 Legal References for Sensitive Data
Information Security at UNC
Leadership from the CIO Office: the Chancellor’s vesting of responsibility for campus IT security with the CIO
• ITS Information Security Office
• Information Security Liaisons
• Campus IT Professionals
• Staff, Students, and Faculty
• It takes a commitment from all of us
Security Liaisons
They work with the ITS Info Security team
Each department has at least one
They can help with:
• Reporting security incidents
• Getting clarification on policy
• Communicating information from the security office
• Implementing policy
• General information security concerns
Incident Management: What to do?
First, do no harm
• Any time you suspect a critical system, or one which hosts or processes sensitive data, is compromised, STOP and open a critical Remedy ticket to ITS-Security.
Vulnerability Management: Scanning and Patching
Systems storing sensitive information must be scanned for vulnerabilities at least monthly
• Scans can identify missing patches and improperly configured services
• Scans give guidance on how to remediate vulnerabilities
Identified vulnerabilities must be remediated
• Critical: within 1 week
• Medium: within a month of identification
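As an added example (not part of the briefing or any ITS tool), the following script turns the two rules on this slide into a check a security liaison could run over scanner output: it flags sensitive systems whose last scan is older than the monthly interval, lists open findings that have passed their remediation deadline (critical: 7 days, medium: 30 days), and separately surfaces findings whose severity the policy gives no deadline for. The hostnames, check names, dates and the reading of "monthly" as 30 days are constructed assumptions for the example.

```python
"""Compliance check for the vulnerability-management rules on the slide.

Taken from the briefing:
  * systems storing sensitive information are scanned at least monthly
  * critical findings are remediated within 1 week
  * medium findings are remediated within a month of identification
Everything else (field names, reading "monthly" as 30 days, the hostnames
and findings below) is constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Remediation deadlines from the briefing, in days after identification.
# Severities the slide does not mention get no deadline here and are
# surfaced for review instead of being silently ignored.
REMEDIATION_SLA_DAYS = {"critical": 7, "medium": 30}
SCAN_INTERVAL_DAYS = 30  # "at least monthly" read as 30 days (assumption)


@dataclass(frozen=True)
class Finding:
    host: str
    check: str                      # scanner check name (constructed)
    severity: str                   # "critical", "medium", or other
    identified: date
    remediated: Optional[date] = None


def remediation_due(f: Finding) -> Optional[date]:
    """Deadline for a finding, or None if the policy sets none for its severity."""
    days = REMEDIATION_SLA_DAYS.get(f.severity.lower())
    return None if days is None else f.identified + timedelta(days=days)


def overdue_findings(findings, today: date) -> list[tuple[Finding, int]]:
    """Open findings past their deadline with days overdue, worst first."""
    out = []
    for f in findings:
        if f.remediated is not None:
            continue
        due = remediation_due(f)
        if due is not None and today > due:
            out.append((f, (today - due).days))
    return sorted(out, key=lambda pair: -pair[1])


def scan_compliance(last_scan: dict[str, Optional[date]], sensitive_hosts, today: date) -> dict[str, bool]:
    """Whether each sensitive host was scanned within the interval; never scanned counts as False."""
    status = {}
    for host in sensitive_hosts:
        scanned = last_scan.get(host)
        status[host] = scanned is not None and (today - scanned).days <= SCAN_INTERVAL_DAYS
    return status


# Constructed sample data: three hosts holding sensitive data, one never scanned.
TODAY = date(2011, 2, 15)
SENSITIVE_HOSTS = ["hr-db01", "research-fs02", "web-app03"]
LAST_SCAN = {"hr-db01": date(2011, 2, 1), "research-fs02": date(2010, 12, 20), "web-app03": None}
FINDINGS = [
    Finding("hr-db01", "missing OS patch", "critical", date(2011, 2, 1)),
    Finding("hr-db01", "weak TLS configuration", "medium", date(2011, 2, 1)),
    Finding("research-fs02", "anonymous share", "medium", date(2011, 1, 5)),
    Finding("research-fs02", "default credentials", "critical", date(2011, 1, 20), remediated=date(2011, 1, 24)),
    Finding("web-app03", "information disclosure", "low", date(2011, 1, 10)),
]


def build_report(findings=FINDINGS, last_scan=LAST_SCAN, sensitive_hosts=SENSITIVE_HOSTS, today=TODAY) -> dict:
    """Three lists to act on: overdue fixes, unscanned sensitive hosts, findings with no policy deadline."""
    scans = scan_compliance(last_scan, sensitive_hosts, today)
    return {
        "overdue": [(f.host, f.check, days) for f, days in overdue_findings(findings, today)],
        "unscanned_sensitive_hosts": sorted(h for h, ok in scans.items() if not ok),
        "needs_severity_review": [(f.host, f.check) for f in findings
                                  if f.remediated is None and remediation_due(f) is None],
    }


if __name__ == "__main__":
    for key, rows in build_report().items():
        print(key)
        for row in rows:
            print("   ", row)
```

A never-scanned host is reported as non-compliant rather than skipped, and a severity the policy does not name is listed for review rather than treated as having no deadline; both are the cases that tend to slip through a check written only for the happy path.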
Mobile Devices
Mobile devices that store sensitive information must be encrypted
Includes media (tape, thumb drives, external hard drives…)
Pretty Good Privacy (PGP) laptop encryption is available
• Administratively funded
• Can be installed by departmental support
• Reduces risk of lost data due to forgotten passwords
Mobile Devices Continued
• Should be scanned for vulnerabilities
• Should use the Sensitive version of Symantec End Point Protection (antivirus)
• Should be authorized by the dean or department head
• Must be patched and/or updated regularly (e.g. MS update for laptops or cellular provider system updates for smart phones)
Info Security Policies
• A long overdue policy base to operate from in protecting the campus
  - Information Security policy
  - Information Security Standards policy
  - General User Password policy
  - System and Application Administrator Password policy
  - Transmission of Sensitive Information policy
  - Security Liaison policy
  - Vulnerability Management policy
  - Incident Management policy
  - Data Governance policy
Highlight: Data Governance Policy
• The policy defines the governance structure for management of institutional data and establishes procedures for data classification
• No one person or unit owns UNC data
• Groups should have processes in place for granting and revoking access to data
• Eliminate data when it has reached the end of its retention period
Highlight: Password Policy
• Requires password complexity
• Requires password expirations
• Prohibits password sharing
• Prohibits generic accounts
• Requires changes in situations where the password may have been compromised
This applies to all passwords, not just the ONYEN
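As an added example (not from the briefing or the UNC policy text), the following script shows how the five points on this slide become checks: a complexity test applied when a password is chosen, and an audit over account metadata that flags expired passwords, passwords known to more than one person, generic account names, and passwords not changed since a suspected compromise. The concrete thresholds (8 characters, three of four character classes, a 90-day maximum age), the generic-name list, the account-name rule and the sample accounts are all assumptions constructed for the example; the slide itself sets no numbers.

```python
"""Checks for the password-policy points on the slide, as an added example.

From the briefing: complexity, expiration, no sharing, no generic accounts,
a change whenever the password may have been compromised, and the rules
apply to every password, not just the ONYEN. The concrete parameters
(8 characters, three of four character classes, 90-day maximum age, the
generic-name list, the account-name check) and the sample accounts are
assumptions constructed for this example, not values from the policy.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

MIN_LENGTH = 8
REQUIRED_CLASSES = 3
MAX_AGE_DAYS = 90
GENERIC_NAMES = {"admin", "administrator", "guest", "root", "shared", "temp", "test", "user"}
_CLASSES = [re.compile(p) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")]


def complexity_problems(candidate: str, username: str) -> list[str]:
    """Reasons a proposed password fails the complexity rule; empty means acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if sum(bool(c.search(candidate)) for c in _CLASSES) < REQUIRED_CLASSES:
        problems.append(f"fewer than {REQUIRED_CLASSES} character classes")
    if username and username.lower() in candidate.lower():
        problems.append("contains the account name")
    return problems


@dataclass(frozen=True)
class Account:
    username: str
    password_set: date                   # when the current password was set
    owners: tuple[str, ...]              # people who know the password
    suspected_compromise: Optional[date] = None


def account_problems(acct: Account, today: date) -> list[str]:
    """Policy violations visible from account metadata alone (no password needed)."""
    problems = []
    if (today - acct.password_set).days > MAX_AGE_DAYS:
        problems.append("password expired")
    if len(acct.owners) != 1:
        problems.append("shared password")   # several holders, or nobody accountable
    if acct.username.lower() in GENERIC_NAMES:
        problems.append("generic account")
    if acct.suspected_compromise is not None and acct.password_set <= acct.suspected_compromise:
        problems.append("not changed since suspected compromise")
    return problems


def audit(accounts, today: date) -> dict[str, list[str]]:
    """Map each non-compliant account to its list of problems."""
    report = {}
    for acct in accounts:
        problems = account_problems(acct, today)
        if problems:
            report[acct.username] = problems
    return report


# Constructed sample accounts and audit date.
TODAY = date(2011, 2, 15)
ACCOUNTS = [
    Account("jdoe", date(2011, 1, 10), ("jdoe",)),
    Account("labshared", date(2010, 9, 1), ("jdoe", "asmith")),
    Account("admin", date(2011, 2, 1), ("asmith",), suspected_compromise=date(2011, 2, 5)),
    Account("bchen", date(2011, 2, 10), ("bchen",), suspected_compromise=date(2011, 2, 5)),
]


def audit_sample() -> dict[str, list[str]]:
    return audit(ACCOUNTS, TODAY)


if __name__ == "__main__":
    for user, problems in audit_sample().items():
        print(user, "->", ", ".join(problems))
    print(complexity_problems("jdoe1234", "jdoe"))
```

The audit deliberately works from metadata (set date, holders, compromise date) rather than from passwords, so it can run against a directory export; the complexity check runs only at the moment a password is chosen, which is the one point where the plaintext is legitimately available.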
What this means to faculty…
We all have a responsibility to protect the University and its data—particularly sensitive data
• Policies apply campus wide
• When in doubt, ask (report issues)
• Use strong passwords
• Don’t surf the web on machines with sensitive data
• Patch and configure correctly (scan to verify)
• Encrypt sensitive data and only use it when needed
• Ensure servers are supported/maintained by competent systems administrators
Key Upcoming Projects
Systems Administrator Assessments
• Ensure appropriate skills for Sys Admins
• Identify servers storing sensitive information
• Identify service clusters which can provide systems administration support (fee based)
Campus Perimeter Firewall
• Construct a workable strategy for enhancing security at the campus network border
Contact Information
For issues involving system security, call 919-962-HELP or send e-mail to: [email protected].