Committee on IT Infrastructure
October Meeting Summary
CITI Attendees: Neal Axelrod, Mitch Creem, Glyn Davies, James Davis, Rick Greenwood, Nick Hernandez, Tom Lifka, Sam Morabito, Steve Olsen, Terry Ryan
Guests: Nick Reddingius (OIT), Michael Schilling (CTS), Don Worth (AIS)
Agenda Topic:
- Policy and Guidelines on Stewardship of Electronic Information Resources
Jim Davis reviewed and highlighted the main points of the draft University of California Policy on Stewardship of Electronic Information Resources and conferred on selected topics; the points were introduced at this meeting, but discussion will continue before the draft is presented for final review. The document has already been taken to the CSG and the Privacy Board and will soon be reviewed by the ITPB and the UC Senate.
The bullet points below represent discussion points from both the CITI and CSG meetings:
- UCLA should produce clear documentation that interprets and responds appropriately to these guidelines from an institutional view.
- We need an inventory of protected information. We then need to focus security plans and policy in those key protected areas and ensure that the staff are acting according to the security policy through training and certification.
- The document is written from a business and risk management perspective, with little comment on the mission of research and education and the need to balance security and privacy against the overarching requirement that universities remain open for faculty and students to access and share information.
- The document should be explicit about the types of data within its scope.
- We need to understand where the real vulnerabilities exist. An inventory of the entire campus could take years and end up not addressing the real problems in a timely way.
- We need to develop best practices to which individual units can respond.
- The single biggest factor facing every campus is “securing and protecting” the desktop computer that connects into the campus network.
- There needs to be visibility into the networks (as of now, we only see a small percentage of ports). Due to the low visibility, there may be unintended consequences, such as the shutting down of whole subnets rather than one compromised host when an attack occurs.
- Some network firewalls are being implemented in a “sledgehammer” way – doing the job of protecting, but in the process effectively shutting down “open” networks for access and sharing of services. UCLA needs to find the right security model that allows access and data sharing to remain unrestricted while reducing the risk of attacks. As of now, it is easier to put up a firewall, and thus restrict a network, than to ensure that every host (computer or server) is protected with up-to-date software patches and virus checking.
- There is increased pressure on Information Technology (IT) staff to implement these policies and guidelines. CSG discussed the idea of providing cover/protection for staff members who practice all due diligence but are vulnerable to circumstances beyond their control.
- Paul Craft of External Affairs has done a great deal of work to create a “Basic Security 101” course, which can be leveraged for the training requirements.
Recommendations:
- In response to Section 3A (page 2): Information Management Planning, which deals with electronic information security, continuity planning and disaster recovery, and Section 6 (page 7): Continuity Planning and Disaster Recovery, CITI has agreed to proceed with a disaster recovery plan that extends beyond central systems into all mission-critical systems on campus, represented by all Vice Chancellor operations. Don Worth is leading a working group of data owners to conduct comprehensive planning, resulting in coordinated planning and implementation. Research and educational data will not be addressed, but there is a need to begin a discussion on how to scope such an effort.
- In terms of campus oversight (3B, page 2), UCLA is well positioned with various governance groups that deal with security policy, including the Privacy Board, Data Council, Applied Security Task Force, IRB, CITI, ITPB, and various FERPA and HIPAA groups. The need, however, is to connect the activities of these groups together to better understand the roles and responsibilities of each and then to better integrate an institutional view and response around the topic of “stewardship of electronic information resources”. It was recommended that Ross Bollens, the UCLA IT Security Officer reporting to OIT, be charged with bringing together this institutional view and response.
- For Section 3B (page 3): Inventory and Classification of Electronic Information, Davis proposed that we build upon the existing Data Council to take the action planning. This will require a re-definition of the group’s role and scope of responsibility.
- Purchasing should be brought in to support the response to Section 3C (page 3): “Inventory and Classification of Electronic Information” and “Release and Disclosure” regarding vendors, minimum requirements for network connectivity, and encryption.
- It was recommended that Ross Bollens, UCLA IT Security Director, convene working groups to respond to Section 4A (page 5): Campus Information Security Program, which asks each campus to establish an information security program that includes risk assessment, security measures, incident response planning, security awareness training and education, and appropriate review of agreements for compliance with federal, state and university policy. One of the first goals should be to map out people and groups by role and accountability.
- CSG recommended that IT Security Officers from their corresponding units be used to begin the response to Section 7 (page 8): Common IT Architecture.