Addressing IT Services at Lamar University

Page 1

DRAFT ADDRESSING IT SERVICES RISKS AND RISK SYMPTOMS

LU ITS Response to TSUS IT Auditor (March 2009)

Page 2

LU ITS Response to TSUS IT Auditor

• IDENTIFIED RISKS AND RISK SYMPTOMS
• Risk Symptoms Raising Security Concerns
• Risk to University Reputation

Page 3

IDENTIFIED RISKS AND RISK SYMPTOMS

“Data Center resource constraints and critical path requirements prevent effective management of internal IT operations and risk management of other defined University priorities and initiatives (such as the Banner implementation, online curriculum, and fund-raising efforts)* as evidenced by the following risk symptoms”

- TSUS Office of Audits and Analysis (Required Communication with Lamar University)

*Emphasis Added

Page 4

ITS Clarifications on Data Center Constraints and Online Curriculum

• Data Center constraints at LU have not been a constraint for Online Curriculum for an entire academic year.
  ◦ Blackboard has been hosted offsite by Blackboard since Summer ‘08.
  ◦ GoCourse is hosted in Dallas by HEH and always has been.

Page 5

ITS Clarifications on Data Center Constraints and Advancement

• Data Center constraints at LU will soon no longer be a constraint for University Advancement.
  ◦ LU has signed a contract to host both Millennium and MIP Accounting offsite with the software maker Sage Software.

Page 6

Page 7

Page 8

ITS Clarifications on Data Center Constraints and Banner

• To Ensure Banner Success, Data Center Consolidation and Operating Environment Standardization Must Continue …

Page 9

Page 10

Delays In: Retiring legacy systems?

ITS Response:

• IBM Systems Deprecated (3 Racks of Hardware)
• Legacy Cisco Firewalls Deprecated and Replaced with State-of-the-Art Fortinet Firewalls
• End-of-Life Hardware Removed and Systems Virtualized (MSS Help Desk and Three Legacy Evisions MAPS Servers)
• All Remaining Legacy Systems are Slated for Virtualization With Deprecation to Follow
• Virtual Readiness Assessment (VRA) in Process to Identify Other Systems for Virtualization
• Luminis Portal, Recruitment Plus, Millennium, MIP Accounting All Moving to Off Site Hosting (Provided by Software Manufacturers)
• Plus System Deprecation Scheduled EoY 2009 (Currently a Production System for Student Records)
• Director, EAI Has Mapped All Application Relationships and Systems Dependencies to Reduce Risk Related to Plus-Banner Migration

Page 11

Enterprise Applications and Integration First Overview of Project Inter-Relationships

Page 12

Delays In: Engineering/reducing the number of operating environments?

ITS Response:

• 2 Standard Operating Environments Selected: Red Hat Enterprise Linux (RHEL) and MS Windows
• Deprecated
  ◦ AIX (Legacy Banner Platform)
  ◦ SUSE Linux (DNS)
• By EoY 2009
  ◦ Will Deprecate VMS (Plus System)
  ◦ Will Virtualize Sun Systems for SACS
  ◦ Migrate File Services from Single Mac Server
• CONTINUED RISK: Number of Systems Not Managed By ITS
  ◦ Distance Education
  ◦ Library
  ◦ Departmental Servers

Page 13

Delays In: Engineering a multi-tiered Enterprise IT architecture?

ITS Response:

• Banner ERP: Oracle Database Clustering (RAC) has been successfully implemented, along with redundant load balancers (F5) for the application tier
• New Firewalls are Redundant (Active-Active)
• Virtualization Accomplished via High Availability Architecture
• All New Initiatives Following Zachman Architectural Framework (Staff Training Included)

Page 14

COMPLETED: Architecture SGHE Unified Digital Campus (UDC - Production)

Page 15

COMPLETED: Architecture SGHE Unified Digital Campus (UDC - Test)

Page 16

Zachman Architectural Framework

Page 17

Delays In: Engineering an IT Security architecture accommodating the re-engineered architecture mentioned above (Firewalls, DMZ, DNS, DHCP, Active Directory, WSUS, etc.)?

ITS Response:

• New Firewalls (Active-Active) Established Allowing Full Network Segmentation (DMZ + LAN Segmentation)
• DNS Migrated From Single Point of Failure on Non-Standard IBM SuSE Linux to Fully Redundant Standard RHEL Servers
• DHCP Consolidation Underway
• New Active Directory Established Following MS Best Practices (College of Business Migration to New Domain Architecture Underway)
• WSUS Server Established.
• Microsoft Premier Support Contract Established.

Page 18

Re-Designed Network Segmentation

Page 19

Delays In: Establishing a security policy and functioning security program?

ITS Response:

• ITS Participation in Bi-Weekly President’s Security Meeting to Brief Campus Leadership on Current Security Issues
• Organizing IT Security Analysts into Best Practices-Driven Security Operations Center (SOC)
• Staff currently updating security policy based on SANS Institute Guidelines and verifying compliance with TAC 202
• End User Licensing Agreement for Wireless Networking
• Revised AUP under development

Page 20

Delays In: Updating system documentation including policy/procedure

ITS Response:

• Need Further Clarification, As Systems Documentation Exists on ITS Departmental Fileshares
• Numerous Procedures Exist for Various IT Processes. Need Further Clarification as to Deficiencies.

Page 21

Change Management Process

Page 22

Delays In: Re-designing comprehensive Disaster Recovery IT procedures

ITS Response:

• Disaster Recovery Plans are Iterative in Nature, Requiring Constant Refining as They are Exercised
• Disaster Recovery Plan Coordinator Appointed (John Genuardi)
• DRP Coordinator Currently Documenting Procedures in Anticipation of Next Hurricane Season
• Duplicate of Critical Systems (Servers, Networking and Firewalls) in Place in San Marcos Data Center to Support ERP and Reporting Environment
• ITS to Present Proposal for Automation of Systems Replication in Early April 2009 (Significant Cost Item: Approximately $500,000)

Page 23

Delays In: Designing comprehensive Business Continuity (non-IT) procedures

ITS Response:

• Beyond Scope of ITS

Page 24

Delays In: TAC 202 compliance

ITS Response:

• Need Further Clarification. TAC 202 is Large.

Page 25

Delays In: Resolving staffing concerns and competencies

ITS Response:

• ITS is Realigning Resources to Address Staff Competency Issues, Though Additional Clarity on Auditor’s Concerns Could Be Helpful
• Additional Resources From SGHE Retained to Augment Critical Areas With Major Deficiencies, Especially in Banner Area

Page 26

Next Steps in Enterprise Applications (Organizational Changes)

Page 27

Power consumption not being monitored to assist in critical mass bottleneck decision-making processes

ITS Response:

• In the Process of Collecting Bids for Complete Data Center Re-Engineering Project (Significant Expenditure Anticipated: $500,000)
• End-to-End Power Generation and Provision System Tested on a Quarterly Basis
• Fail-Over Simulation During Winter Break: Yielded Confirmation of Successful Outcome
• Substantial Decrease in Load on Data Center Power As a Result of Current Deprecation, Virtualization, and Off Site Hosting Efforts

Page 28

Self-identified (QAT) and reported concerns that: Network bandwidth may not be sufficient to support Banner resource requirements

ITS Response:

• LEARN Connectivity Project (Network, Firewalls and Packet Shapers) Addresses Connectivity Issues

Page 29

Self-identified (QAT) and reported concerns that: Data base capacity may not be sufficient for student conversion

ITS Response:

• Student Conversion Underway With No Data Base Capacity Issues
• Additional Capacity to Be Added to SAN to Address Future Growth – to Include HEH Programs and Centralized Enterprise-wide Scanning via Banner XTender (Moderate Cost Item: $200,000)

Page 30

Self-identified (QAT) and reported concerns that: Engineered reporting infrastructure does not meet LU’s needs

ITS Response:

• SGHE working with LU to Implement Operational Data Store (ODS) in 2009.

Page 31

Necessity to allow and rely on non-centralized custodianship and administration of distributed satellite data centers and servers across campus

ITS Response:

• Three racks have been removed and a fourth is in the process of removal.
• Further consolidation of data centers is now subject to political rather than physical constraints.
• Progress to date includes work with College of Business in which critical systems have been relocated to the Data Center (only systems remaining in CoB are there for performance reasons – need for physical proximity)

Page 32

Unsecured satellite network closet doubling as general storage room

ITS Response:

• Need further clarification as to location of this network closet
• Continued Risk: Some Data Closets are outside the control of ITS, and administered by various Information Technology Specialists (unclear as to the scope of their functions)

Page 33

“Current operational transition activities and lack of unified approach will continue to prevent Lamar University from addressing long-standing and immediate security concerns as evidenced by the following risk symptoms”

Risk Symptoms Raising Security Concerns

Page 34

Disrupted, dismantled, or otherwise inadequate internal control framework (which must be addressed before any outsourcing strategy can be successful)

ITS Response:

• Initial Change Management Procedures in Place for the First Time in IT Services
• Established Regular Maintenance Window
• Established Enterprise Maintenance Calendar, Coordinated With Academic and Administrative Calendars
• Established Enterprise Service Desk
• Beginning to Adopt ITIL Model
• Security Staff Has Been Introduced to COBIT
• ITS to Recommend New Service Desk Software ($35K)

Page 35

Unreliability and instability of “My.Lamar” portal, in addition to significant modifications (known and unknown) regarding security and access authentication processes

ITS Response:

• Moving to Hosted Solution for Portal
• LDAP Implementation in 2009 to Address Authentication

Page 36

No standardized change control process or methodology

ITS Response:

• Initial Change Management Procedures in Place for the First Time in IT Services
• Established Regular Maintenance Window
• Established Enterprise Maintenance Calendar, Coordinated With Academic and Administrative Calendars
• Established Enterprise Service Desk
• Beginning to Adopt ITIL Model
• ITS to Recommend New Service Desk Software

Page 37

No security policy or established security program

ITS Response:

• Inaccurate, as there is a fledgling IT security program anchored in the President’s Bi-Weekly Security Meeting

Page 38

No security awareness training for campus constituents

ITS Response:

• Further Clarification Needed

Page 39

Lack of standardized computer “image” and specifications for desktop/server purchases and deployments

ITS Response:

• Currently Being Addressed Through Vendor Premier Desktop Program
• Computer Lifecycle to Be Determined by Executive Leadership
• Exploring “Thin Client” Technology (Citrix?)

Page 40

ITS Believes TSUS IT Auditor’s Calls for the Following Violate Academic Freedom

• “Approved Software” Policy
• “Audit” of software residing on users’ computers
• “Audit” of administrative privileges on users’ computers
• “File-Sharing” Software Policy

Page 41

Lack of “approved software” policy

ITS Response:

• Considerations of Academic Freedom Prohibit This

Page 42

Inability to “audit” software residing on users’ computers

ITS Response:

• Considerations of Academic Freedom Prohibit This

Page 43

Inability to “audit” administrative privileges on users’ computers

ITS Response:

• Considerations of Academic Freedom Prohibit This

Page 44

Lack of “file-sharing” software policy

ITS Response:

• Considerations of Academic Freedom Prohibit This

Page 45

Recent EDI server compromise during Admissions implementation

ITS Response:

• IT Services for this functional area have been moved to a secure hosted solution
• Existing staff member transitioning to role more appropriate to IT skill level

Page 46

The lack of itemized detailed costs related to the Banner implementation

Excerpt from QAT report submitted to state as of August 31, 2008

Project Item: Report to Date

Initial Estimated Project Cost: $4,105,900.00

Last Reported Estimated Project Cost: $4,105,900.00

Current Estimated Project Cost: $4,805,900.00
  Notes: Includes all funding sources; includes optional consulting fees to be used as needed

Explanation of Variance between Last Reported and Current Project Cost:
  • Contract for additional SunGard resources: Student Lead and remote programming support
  • Creation of Business Analyst Positions

Cost Expenditures to Date (Fiscal Year): $1,394,186.00 (Project-To-Date: $2,840,361.00)

Description of Cost Tracking Mechanism: Expenditures will be posted to the SunGard Banner Finance system used by Lamar University. These expenditures will be extracted and monitored using MS Excel. Expenditures will be verified against vendor invoices and project estimates.

Page 47

Expenditures, Encumbrances, and Budget Adjustments (Since August 2008)

• Expenditures Sept 1, 2008 – Mar 17, 2009: $1,277,578.30
• Outstanding Encumbrances: $374,797.04
• Budget Adjustments after September 1, 2008:
  ◦ BossCars Software $92,074.00 (included in outstanding encumbrances)
  ◦ Oracle License True-Up (increase in headcount) $188,551.00 (included in expenditures)

Page 48

Incomplete or inadequate Disaster Recovery (IT) and Business Continuity (non-IT) documentation and processes during/after the transition period

ITS Response:

• Staff members responsible for this item no longer work for University
• New staff member has this as Priority Issue
• ITS addressing disaster recovery for computing services within context of university business continuity planning

Page 49

“In the event of another security breach or incident, the risk of public criticism and potential liability for Lamar University will significantly increase because there is a 4-year public record of identified, documented, and unresolved consultant and audit findings to date:”

Risk to University Reputation

Page 50

IT Response: Bottom Line Up Front

18 Months of Consistent Progress

Bottom Line: We Are Implementing Best Practices for Infrastructure and Security. These Practices Include, But Are Not Limited to:

• Standardized, Redundant and High Availability Systems
• Multi-Tiered Security Architecture
• New Firewalls – Dorms, Datacenter, Perimeter (Allowing Network Segmentation and Demilitarized Zone)
• Antivirus – Clients and Servers (Identifying Unprotected Systems)
• Data Center Improvements Within Fiscal Limitations
• Integrated End-To-End Power System Fail-Over Testing
• Virtualizing Operating Environments
• Adoption of Software as a Service (SaaS) Model Where Appropriate To Improve Service and Reduce Risk

Page 51

Audit Documents Referenced (Welcoming a New CIO: July 2005 – September 2007)

• Information Technology Consultant’s Report (July 2005)
• Report to Management on Review of Information Technology – Lamar University (August 2007)
• Network Security Controlled Penetration Test Report (August 2007)
• Internal Correspondence: Office of the Director of Network Services and IT Strategic Planning; subject: Findings from DIR Penetration Test (September 2007)

Page 52

Audit Documents Referenced (ITS Transformations: April – November 2008)

• TSUS Management Advisory Letter dated April 14, 2008
• TSUS Management Advisory Letter dated July 18, 2008
• The July 2008 letter to Lamar State College-Port Arthur outlining a breach of Lamar University’s system
• Report to Management on Audit of Research Time and Effort Reporting – Lamar University (August 2008)
• Texas Project Delivery Framework Monitoring Report [LEAP System Upgrade for ERP] (November 17, 2008)

Page 53

Audit Documents Referenced (Today’s Challenge: Banner Student Jeopardy 2009)

• Email dated January 12, 2009 citing the failure to process Fall 2009 admissions applications in Banner and 10 MONTH DELAY in implementation
• SunGard Higher Education Draft Executive Summary: Lamar University – Programming Team and Banner Technical Support Assessment (January 21, 2009)