Faculty Council Briefing

Larry Conrad, VC for IT and CIO
Stan Waddell, Exec Dir and Info. Security Officer
January 14, 2011

Upload: irina

Post on 25-Feb-2016


Page 1: Faculty Council Briefing

Faculty Council Briefing
Larry Conrad, VC for IT and CIO
Stan Waddell, Exec Dir and Info. Security Officer
January 14, 2011

Page 2: Faculty Council Briefing

its.unc.edu

CENTRAL AND DISTRIBUTED IT SERVICES

Page 3: Faculty Council Briefing

The Role of CIO

The CIO role has two distinct aspects
• Division head for central IT (ITS)
• Overall responsibility for coordinating IT services across campus units
  - Provisioning a cohesive IT architecture
  - Providing campus-wide IT infrastructure
  - Campus-wide IT policies
  - Overall responsibility for IT security
  - Carolina Counts IT “champion”

Page 4: Faculty Council Briefing

Key Services ITS Provides

Central IT infrastructure
• Learning Management System
• Centrally supported classrooms
• Centrally supported computer labs
• Research computing configurations
• Enterprise applications, e.g., ConnectCarolina
• Central Help Desk
• 24/7 computer rooms
• E-mail/calendaring

Page 5: Faculty Council Briefing

Key Services ITS Provides

Central IT infrastructure
• Hundreds of servers in the 3 ITS computer rooms
• Network attached storage
• Server housing/hosting
• Campus network
• Campus telephone system
• IT security office
• CCI program
• Software site licensing program

Page 6: Faculty Council Briefing

Key Services ITS Provides

Central IT infrastructure
• Campus directory services
• Single sign-on environment
• www.unc.edu

Page 7: Faculty Council Briefing

Key Services Distributed IT Provides

Organizations such as OASIS in A&S

• A spectrum of IT services

• Some duplication of central services

• Best at providing
  - Unit-/discipline-specific applications
  - Discipline-specific support
  - Faculty computer support

• Coordination with central IT services to ensure seamless support to campus units

• Partnership with ITS on IT security

Page 8: Faculty Council Briefing

Key Services Distributed IT Provides

Central vs. distributed services

• Certain services are best provided locally and some centrally (see the following “economic framework” graphic)

• The focus of the Carolina Counts initiative is to allow campus units to leverage central services more effectively and where appropriate

Page 9: Faculty Council Briefing

Proposed Model for Rebalancing Central vs. Distributed

DRAFT

DRAFT: Centralized vs. Distributed IT Services (scale: 1 2 3 4 5)

Communications infrastructure (network and phone system, phone conferencing)

Email and Calendar (Exchange*)

ITS Data Centers*

Hardware acquisition and maintenance contracts negotiation (Leverage CCI, Hardware Maintenance contract negotiation*)

Campus-wide business applications (UNC-ALL*)

Research Cluster Condos*

User account management (Active Directory*)

Software Acquisition*

Network Attached Storage*

IT Security (Encryption Software for Laptops, Patch Management)*

Virtualized Servers*

Collaboration applications (SharePoint, wiki, web conferencing)

Research computing support

24/7 Help Desk Support*

Web site hosting

Video conferencing

Page 10: Faculty Council Briefing

Proposed Model for Rebalancing Central vs. Distributed

DRAFT

IT Training

Instructional applications development (Course Redesign Services*)

Database administration and support

Instructional support

Instructional Facilities (Classroom Config. & Support, Student Virtual Comp. Lab)*

Research computing applications

System administration

Web site support

Web site development

On site support

Unit-specific business apps

Specialized discipline or unit-based support

* Indicates Carolina Counts Priority Project

Scale: 1-5 1=Hosted in school/dept. 5=Centralized in ITS

Centralized service (ITS hosted)

Distributed service (hosted in schools or departments)

DRAFT: Centralized vs. Distributed IT Services (scale: 1 2 3 4 5)

Page 11: Faculty Council Briefing

Cohesive IT Environment

ITS and distributed IT groups are working together
• Coherent IT architecture for the campus
• Comprehensive approach to IT security
• IT policy development and compliance
• Upgrade the Carolina IT infrastructure, which has lagged behind in recent years
• Achieve the Carolina Counts IT objectives
• Make the technology fade into the background…

Page 12: Faculty Council Briefing

Major IT Initiatives

Modernizing the Carolina IT environment
• New communications funding model
• New research computing funding model
• New IT governance structure for the campus
• New enterprise systems base: ConnectCarolina (Student, Finance, HR)
• Blackboard to Sakai transition
• MS Exchange for e-mail and calendaring
• Upgrade the campus network core and off campus connectivity to 10 Gb

Page 13: Faculty Council Briefing

Major IT Initiatives

Modernizing the Carolina IT environment
• Upgrade of the research computing cluster
• Outsource student e-mail to MS Live@edu
• Carolina Counts IT Partnership (Bain)
• New cell phone stipend program
• Improving information security
  - State Auditor information security findings
  - New information security policies
  - “It takes a village…” approach

Page 14: Faculty Council Briefing


INFORMATION SECURITY

Page 15: Faculty Council Briefing

Information Security Level Set

Information Security deals with the protection of three characteristics of Data
• Confidentiality – Keeping data private
• Integrity – Keeping data accurate
• Availability – Keeping data accessible (even in disasters)

Page 16: Faculty Council Briefing

Carolina Under Attack!

Campus Wide

• 30,000 attempted hacks per day

• Thousands of systems have malware on them in any one year

• ~1000 systems isolated a year

• >30-60 systems forensically analyzed by ITS, Information Security per year

• Hacker motivations and the perpetrators have changed

Page 17: Faculty Council Briefing

Info Security Challenges

The decentralized nature of campus data

The open network at Carolina

The University is a valuable target in the eyes of the bad guys: “a destination resort”

These challenges force us to concentrate on securing sensitive information

Page 18: Faculty Council Briefing

Definition of Sensitive Information

“Sensitive Information” includes all data, in its original and duplicate form, which contains: “Personal Information”
• Examples of Sensitive Information may include, but are not limited to:
  - Identifiable research data
  - Protected Health Information
  - Student records
  - Public safety information
  - Financial donor information
  - Information concerning select agents (controlled substances)

http://help.unc.edu/6475 Definition of Sensitive Data
http://help.unc.edu/6604 Legal References for Sensitive Data

Page 19: Faculty Council Briefing

Information Security at UNC

Leadership from the CIO Office: the Chancellor’s vesting of responsibility for campus IT security with the CIO

ITS Information Security Office
Information Security Liaisons
Campus IT Professionals
Staff, Students, and Faculty

• It takes a commitment from all of us

Page 20: Faculty Council Briefing

Security Liaisons

They work with the ITS Info Security team
Each Department has at least one
They can help:
• With reporting security incidents
• Getting clarification on policy
• Communicating information from the security office
• Implementing policy
• Help with general information security concerns

Page 21: Faculty Council Briefing

Incident Management
What to do?

First, do no harm
• Any time you suspect a critical system or one which hosts or processes sensitive data is compromised, STOP and submit a critical Remedy ticket to ITS-Security.

Page 22: Faculty Council Briefing

Vulnerability Management: Scanning and Patching

Systems storing sensitive information must be scanned for vulnerabilities at least monthly
• Scans can identify missing patches and improperly configured services
• Give guidance on how to remediate vulnerabilities

Identified vulnerabilities must be remediated
• Critical: within 1 week
• Medium: within a month of identification

Page 23: Faculty Council Briefing

Mobile Devices

Mobile Devices that store sensitive information must be encrypted
Includes media (tape, thumb drives, external hard drives…)
Pretty Good Privacy (PGP) laptop encryption is available
• Administratively funded
• Can be installed by departmental support
• Reduce risk of lost data due to forgotten passwords

Page 24: Faculty Council Briefing

Mobile Devices Continued

Should be scanned for vulnerabilities

Should use the Sensitive version of Symantec End Point Protection (antivirus)

Should be authorized by the dean or department head

Must be patched and/or updated regularly (i.e. MS update for laptops or cellular provider system updates for smart phones)

Page 25: Faculty Council Briefing

Info Security Policies

• A long overdue policy base to operate from in protecting the campus
  - Information Security policy
  - Information Security Standards policy
  - General User Password policy
  - Sys. and Appl. Administrator Password policy
  - Transmission of Sensitive Information policy
  - Security Liaison policy
  - Vulnerability Management policy
  - Incident Management policy
  - Data Governance policy

Page 26: Faculty Council Briefing

Highlight: Data Governance Policy

The policy defines the governance structure for management of institutional data and establishes procedures for data classification.

No one person or unit owns UNC Data

Groups should have processes in place for granting and revoking access to data

Eliminate data when it has reached the end of its retention period

Page 27: Faculty Council Briefing

Highlight: Password Policy

Requires password complexity
Requires password expirations
Prohibits password sharing
Prohibits generic accounts
Requires changes in situations where the password may have been compromised

This applies to all passwords not just the ONYEN

Page 28: Faculty Council Briefing


What this means to faculty…

We all have a responsibility to protect the University and its data—particularly sensitive data

Policies apply campus wide
When in doubt ask (report issues)
Use strong passwords
Don’t surf web on machines with sensitive data
Patch and configure correctly (scan to verify)
Encrypt sensitive data and only use when needed
Ensure servers are supported/maintained by competent systems administrators

Page 29: Faculty Council Briefing

Key Upcoming Projects

Systems Administrator Assessments
• Ensure appropriate skills for Sys Admins
• Identify servers storing sensitive information
• Identify Service clusters which can provide systems administration support (fee based)

Campus Perimeter Firewall
• Construct a workable strategy for enhancing security at the campus network border

Page 30: Faculty Council Briefing


Contact Information

For issues involving system security, call 919-962-HELP or send e-mail to: [email protected].

Page 31: Faculty Council Briefing


QUESTIONS?