
Minutes

COMMITTEE University Information and Communications Technology Governance Committee

Meeting 3/2016

DATE / TIME Wednesday, 22 June, 1:00pm – 2:42pm

VENUE Ross Hohnen Room, Chancelry

PART 1 – PROCEDURAL ITEMS

1. Announcements, Apologies and Disclosures

Attendees:

• Executive Director, Administration and Planning: Chris Grange (Chair)
• Deputy Vice-Chancellor, Academic: Professor Marnie Hughes-Warrington
• Deputy Vice-Chancellor, Research: Professor Margaret Harding (via telephone)
• College Dean: Professor Stephen Bottomley
• College General Manager: David Akers
• Director, Information Technology Services: Karen Hill
• Chief Financial Officer: Alastair Sinton
• Director, Service Improvement Group: Michael Nelson
• University Librarian: Roxanne Missingham

Attendees for specific items:

Item 11. RIMS Project – Project Variation and update

• Director, Research Services Division: Dr Douglas Robertson
• Deputy Director, Research Services Division: Kathrin Kulhanek
• Program Manager, RIMS: Paul Regis

PART 4. IT Infrastructure Projects; PART 5. IT Security and Risk; PART 6. Financial and Business Items; PART 7. General Business; PART 8. Other Business

• Associate Director, ITS Infrastructure Services: Darren Alexander
• Manager, ITS Cyber and Digital Security: David Howse
• Manager, ITS Finance: Jonathan Nest

Apologies: Nil

Secretariat:

• Executive Officer, ITS: Kus Pandey

UICT Meeting 3/2016 – 22 June


2. Arrangement of Agenda

In addition to the already starred items, the Committee agreed to discuss the following items:

Item 7: One ANU IT - update

Item 8: CRM Tool – update

Item 17: Disaster Recovery and Data Centre Strategy

Item 18: Enterprise Storage and Cloud Enablement – update

3. Minutes

The draft minutes from the previous UICT meeting (UICT Document 2016/48: https://erms.anu.edu.au/wcc/faces/wccdoc?dDocName=ERMS1783493), held on 12 April 2016, were endorsed by the Committee without revision.

4. Business Arising and Action Items

| ACTION ITEM | MEETING | ACTION | BUSINESS OWNER | STATUS | EXPECTED COMPLETION |
|---|---|---|---|---|---|
| 43 | Meeting 5/2015 (2/12/2015) | CRM - Business Case | PVC, IO | In progress - update submitted to this meeting | 21/09/2016 |
| 16-3 | Meeting 1/2016 (25/02/2016) | IT Service Delivery Model – Regular Briefing Papers | Director, ITS | Submitted to this meeting | 22/06/2016 |
| | | | | Open | 21/09/2016 |
| | | | | Open | 11/11/2016 |
| 16-7 | Meeting 1/2016 (25/02/2016) | RIMS update – Standing item. Specific requests: • Expression of concern to vendor relating to their primary contact for the University, and the contractual recourse available if this is not satisfactorily addressed; • Matrix of vendor contact points; and • Revised scope and work plan | Director, RSD | Submitted to this meeting | 22/06/2016 |
| | | RIMS update – Standing item. | Director, RSD | Open | 21/09/2016 |
| | | | | Open | 11/11/2016 |
| 16-8 | Meeting 1/2016 (25/02/2016) | Product lifecycle plan – Covering all enterprise systems (T1, T2 & T3) | Director, ITS | Open | 21/09/2016 |
| 16-12 | Meeting 1/2016 (25/02/2016) | Future Network Charging Model – Options Paper | Director, ITS | Submitted to this meeting | 22/06/2016 |
| 16-13 | Meeting 2/2016 (12/04/2016) | StudyLink project update | Director, DSRA | Submitted to this meeting | 22/06/2016 |
| 16-14 | Meeting 2/2016 (12/04/2016) | Guidelines for UICT funding | Director, ITS | Submitted to this meeting | 22/06/2016 |
| 16-15 | Meeting 2/2016 (12/04/2016) | Zoom pilot results | Director, ITS | Open | 21/09/2016 |
| 16-16 | Meeting 2/2016 (12/04/2016) | On call Teaching and Learning support - Discussion Paper | Director, ITS | Open | 21/09/2016 |
| 16-17 | Meeting 2/2016 (12/04/2016) | Data Integration project to absorb the requirements articulated in the Student Admissions Portal project proposal | Director, ITS | Submitted to this meeting | 22/06/2016 |
| 16-18 | Meeting 2/2016 (12/04/2016) | Data Integration update - Standing item. | Director, ITS | Submitted to this meeting | 22/06/2016 |
| | | | | Open | 21/09/2016 |
| | | | | Open | 11/11/2016 |
| 16-19 | Meeting 2/2016 (12/04/2016) | Enterprise Storage and Cloud Enablement – EOI report | Director, ITS | Submitted to this meeting | 22/06/2016 |
| 16-20 | Meeting 2/2016 (12/04/2016) | Dropbox - Evaluation | Director, ITS | Submitted to this meeting | 22/06/2016 |

No changes were made to these items.

5. Future Agenda Items

| TOPIC | BUSINESS OWNER | PROPOSED MEETING |
|---|---|---|
| Annual Giving Software (A&P) | Director, Alumni Relations and Philanthropy | unknown |

The Committee noted that it was unclear whether Alumni Relations and Philanthropy still wished to submit a funding proposal.

NEW

| ACTION ITEM | ACTION | BUSINESS OWNER | EXPECTED COMPLETION |
|---|---|---|---|
| 16-21 | Confirm with Director (Alumni Relations and Philanthropy) before removing from Future Agenda Items list. | Director (ITS) | 21/09/2016 |

6. Terms of Reference and Membership

a. Student Representation

The Director (ITS) advised that a student, Raqeeb Bhuyan, who is also an ANUSA General Representative, had enquired about attending UICT as an observer.

The Committee discussed the request, and asked the Director (ITS) to further investigate with ANUSA to fully establish the grounds of the enquiry. Overall, the Committee agreed that while the typical UICT meeting agenda is complex, operational and involves a great deal of confidential financial detail that would preclude a standing observer, individual requests made in advance to observe specific items would be considered on their merits by the Committee.

NEW

| ACTION ITEM | ACTION | BUSINESS OWNER | EXPECTED COMPLETION |
|---|---|---|---|
| 16-22 | Investigate expression of interest in observing UICT with ANUSA and PARSA | Director (ITS) | 21/09/2016 |

The Deputy Vice-Chancellor (Academic) entered the meeting at 1:09pm.

b. Membership

The Director (ITS) advised the Committee that the College Dean representative member, Professor Stephen Bottomley, had reached the end of his term on the committee, and that UICT Meeting 3/2016 would be his last as a Committee member. It was agreed that this matter should be referred to the Senior Management Group (SMG) to nominate a new College Dean representative.

NEW

| ACTION ITEM | ACTION | BUSINESS OWNER | EXPECTED COMPLETION |
|---|---|---|---|
| 16-23 | Request nomination from SMG of a College Dean representative to replace Professor Bottomley on UICT | Director (ITS) | 21/09/2016 |

PART 2 – UPDATES AND STRATEGIC ITEMS

7. One ANU IT - update

As per Action Item #16-3, the Committee considered the paper submitted by the Director (ITS) on the Service Delivery Reform project, Creating the One ANU IT: IT Service Delivery Reform – The Way Forward (UICT Document 2016/56: https://erms.anu.edu.au/wcc/faces/wccdoc?dDocName=ERMS1786252). The paper articulated the manner in which the University would transition from current service provision to the new IT business model. An earlier draft of this paper was first reviewed and endorsed by the Committee during Meeting 2/2016 on 12 April 2016. The Director (ITS) advised the Committee that she had recently given presentations on this project to:

• Colleges of Sciences IT Committee
• CMBE/CPMS School Managers meeting
• CMBE Executive meeting
• CPMS Executive meeting
• CAP School and Department Managers meeting
• School Managers Meeting
• ScA IT, MHS IT, RSES IT and RSP IT staff
• RSC IT, Physics staff
• All ITS Staff

The Director (ITS) advised that her next steps would be:

• The formation of the supporting governance structures: a dedicated project team, responsible for the delivery of the project, building the business engagement function, and incorporating College/School IT Managers into changed/new roles; and
• To hold a Change Management briefing with HR, and agreement on organisational change approach.

She also reported that an Oakton secondment had commenced in order to provide business analysis, project support and stakeholder engagement. This work includes the delivery of a service catalogue and appropriate frameworks to ensure information is available in preparation for technical integration.

COMMITTEE DECISION: Noted

EDITED

| ACTION ITEM | ACTION | BUSINESS OWNER | EXPECTED COMPLETION |
|---|---|---|---|
| 16-3 | One ANU IT standing item. Should include specific detail on: • Outcomes achieved prior to that UICT meeting; and • Intended deliverables scheduled to occur before the next UICT meeting. | Director (ITS) | Ongoing |

8. CRM Tool – update

The Committee noted an update from the Director (ITS) on the CRM Tool, which addressed the Committee’s request during the December 2015 UICT meeting that ITS:

• Return to the user community to further analyse user requirements;
• Analyse market segments within the ANU to narrow down priority areas for a CRM;
• Run an Expression of Interest (EOI) activity to analyse the current market;
• Benchmark sector usage in recognised leaders of these sub-groups (e.g. UNE for student engagement); and
• Build a business case as a result of these combined activities.

Further requirements gathering and ANU market analysis were submitted to UICT Meeting 2/2016, in the document CRM requirements Area Prioritisation (UICT Document 2016/20).

The Expression of Interest (EOI), which requested that respondents advise compliance against the requirements and also provide an understanding of how they would implement a CRM at the University, produced the following results:

• Eight responses were received, two of which were likely to be ruled out early due to non-compliance against the requirements.
• The approaches were highly varied, ranging from a small implementation time frame and cost, to a longer term phased approach.
• Three responses were received from separate implementation partners for the same software. The variations in approach and costs were significant and would need to be examined.
• Some responses provided an indication of the strategy they would take for an implementation at the University while others focused purely on a technical implementation.

The initial meeting of the Evaluation Panel (the Panel) agreed that:

• Due to the maturity of the market, a number of software options had the ability to meet the University’s requirements; however, it was the approach to the implementation, and the working relationship with the implementation partner, that would be crucial to any successful implementation of a CRM;
• The Panel needed to understand the lessons learned from other Australian university implementations; and
• The Panel had reviewed the responses and were now proceeding to demonstrations/briefings from the five shortlisted responders, to be held on 1 July.

The Director (ITS) advised that benchmarking of sector usage has commenced and would be complete by 30 June 2016, in order to inform the CRM Business Case, which is intended to be released for comment on 15 July 2016 and to be submitted to UICT Meeting 4/2016 in September. In particular, she highlighted the following issues:

1. While the high level requirements are very similar across the University, policy decisions on use (such as definitions of a customer, who will ‘own’ a customer record, who will manage different groups, etc.) have not yet been addressed due to the lack of maturity of the University’s business processes in this space. Formulating a cohesive policy will require a deep appreciation of the users and use cases across campus, and the currently identified Business Owner is new to the University. If these issues are not addressed before the implementation of a tool, it will impact on the use and consequently the success of the tool.

2. Panel members’ availability has impacted the timeframes for the EOI process and consequently the Business Case delivery to UICT. In order to assist Panel members, ITS is providing as much support as possible, but the Director (ITS) flagged that this issue may delay the production of the Business Case.

3. As a result of the time required to complete the CRM activities, areas across the University may choose to implement interim solutions which may be hard to move away from if the University proceeds with the purchase and implementation of an enterprise CRM.

COMMITTEE DECISION: Noted

9. UICT Funding Guidelines

At UICT Meeting 2/2016, held on 12 April, the Committee discussed a draft set of guidelines for UICT funding and provided feedback. A revised draft was submitted for consideration (UICT Document 2016/60). This draft incorporated the request to include product lifecycle projects, and also proposed a threshold of $100,000 for UICT projects or programs of work, reasoning that the administration costs of maintaining Q funded projects for amounts below this may offset the benefit of such requests.

The Deputy Vice-Chancellor (Academic) highlighted that the Committee may wish to consider splitting the UICT budget so that a proportion was set aside for standard business requirements, such as product lifecycle and statutory compliance, to ensure these activities are unaffected by other ICT projects.

The Committee then discussed the proposed funding thresholds, and observed that setting a minimum of $100,000 for funding proposals had the potential to inflate business cases which would be more appropriately run as pilots. A concern was also raised that setting a threshold would also create an expectation that projects under this size would have to be funded by recurrent budget, which would not be feasible for some business units. The Committee also questioned whether the magnitude of the UICT Fund was sufficient, and noted that the SMG had strongly endorsed this query at its most recent meeting.

The Committee asked that the guidelines:

• Emphasise the need for senior sponsorship and include this earlier in the documentation;
• Reassess the need for a funding threshold, in order to allow a pathway for pilot projects that may lead to larger initiatives, using a project proposal rather than a full business case;
• Make the need for scheduling and prioritisation of project timelines more clear, to manage expectations that funding approval might otherwise imply an immediate commencement of project work;
• Clarify the difference between the prioritisation criteria Business Process Impact and Direct Payback;
• Ensure the links between Flagship SISC projects and the UICT are made clear; and
• Articulate that UICT funding is not available for recurrent purposes.

EDITED

| ACTION ITEM | ACTION | BUSINESS OWNER | EXPECTED COMPLETION |
|---|---|---|---|
| 16-14 | Guidelines for UICT funding: Edits from Meeting 3/2016 to be incorporated and distributed for Committee endorsement via email | Director (ITS) | Prior to 21/09/2016 |

10. BMS – Tier 1 System recommendation

The Committee considered a submission from the Director (ITS) and Director (Facilities and Services Division), relating to the Building Management Systems (BMS) on the ANU Acton campus. It noted that these systems operate across a range of buildings, including high-priority research facilities, and play a critical part in ensuring the smooth operation of the University. For example, the BMS monitors freezers to ensure that the required temperature is maintained. If the freezers were to fail, irreplaceable research samples could potentially be destroyed, stopping entire streams of research.

F&S and ITS have reviewed the IT infrastructure of the BMS, and have produced a series of 46 recommendations for general improvements, and three specific recommendations for the relevant systems – BAS, Sigma and IELVS (UICT Document 2016/61: https://erms.anu.edu.au/wcc/faces/wccdoc?dDocName=ERMS1784518). These recommendations were classified as:

• Critical - significant risk to operation of system and a high chance of failure;
• Essential - items to ensure system operates at an appropriate level – medium risk; or
• Desirable - low risk, but would enhance operation of system.

Of these recommendations, 24 were rated as Critical, 15 as Essential and 8 as Desirable.

One of the main recommendations was to separate the IT infrastructure from the day-to-day business activities of operating the system. It was therefore proposed that ITS should take responsibility for the IT infrastructure, while F&S retains ownership of the BMS systems and their day-to-day operation. To support this change, and to ensure that the BMS received the planning support, the paper proposed that the UICT endorse recommendation G01: Recognise the 3 BMS environments as Tier 1 Enterprise Systems.

Another issue highlighted for the Committee was that the BAS system was no longer supported by the vendor and was on an IT platform that will be out of support by January 2020. The decommissioning of this system will take a number of years, due to the time and cost involved.

The Committee noted that some of the recommendations would need to be addressed through dedicated projects, while others could be handled as either projects or Business As Usual (BAU). F&S and ITS were working together to determine how the recommendations would be addressed, what the associated costs and resource requirements would be, and to prepare project proposal(s) as required for UICT consideration.

The Committee commended the report’s author, Adam Reed, and endorsed the request to recognise the BAS, Sigma and IELVS Building Management Systems as Tier 1 Enterprise Systems, agreeing with the intention to decommission the BAS system in the first instance, followed by the Sigma system once it reached end of life.

COMMITTEE DECISION: BAS, Sigma and IELVS Building Management Systems recognised as Tier 1 Enterprise Systems

NEW

| ACTION ITEM | ACTION | BUSINESS OWNER | EXPECTED COMPLETION |
|---|---|---|---|
| 16-24 | Submission of Project Proposals relating to F&S/ITS collaborative review of F&S IT systems (UICT Document 2016/61) | Director (F&S) and Director (ITS) | 2017 |

PART 3 – 2016-2017 PROGRAM OF WORK

Research Portfolio

11. RIMS Project – Project Variation and update

The following staff attended for this item, entering the meeting at 1:26pm:

• Dr Douglas Robertson, Director (Research Services Division)
• Kathrin Kulhanek, Deputy Director (Research Services Division)
• Paul Regis, RIMS Program Manager

This was a standing item, as per Action Item #16-7. Additionally, at UICT Meeting 2/2016, the Committee requested the following specific details be updated at UICT Meeting 3/2016:

• Expression of concern to vendor relating to their primary contact for the University, and the contractual recourse available if this is not satisfactorily addressed;
• Matrix of vendor contact points;
• Revise and condense the risk assessment, noting the document is too large and complex; and
• Revised scope and work plan

The Project Variation (UICT Document 2016/65) and update (UICT Document 2016/55) were submitted in response to these requests. No discussion occurred during the meeting in relation to these points, as the focus was on the Stage Gate 1 deliverables.

The Deputy Director (RSD) advised that although the project was seeking approval to reset the official start date of the project, and while funds had already been expended, there were no expectations that the project budget would be overspent overall, as savings would be made wherever possible, to offset the delay.

The Committee questioned what deliverables would be produced between this meeting and Stage Gate 1 on 31 December 2016, as projected in the new project timeline. The RIMS Program Manager proposed that the newly assembled project team would review lessons learned from the Research projects that have been delivered in the past three years; get common ground on the scope of Converis’ ability to deliver; and then start planning what could be delivered first, based on need and operational readiness for delivery.

The RSD staff noted that the Audit and Risk Management Committee of Council (ARMC) had specifically requested that a formal assurance strategy be put in place, including documentation of the project planning. The project will also be subject to regular auditing, and this will be reported at the project’s Steering Committee, and at UICT. This documentation would include the build plan, the business process change management plan, and what would be in scope for delivery via Converis, and what would be delivered by other ANU systems.

The Director (RSD) assured the Committee that a well-defined scope would be delivered at Stage Gate 1, following a process which would vet scope against technical capabilities, alongside a consultation with the research community to confirm requirements.

It was agreed by all that the current Business Case did not articulate a detailed design scope, and that this planning process would be required to finalise the scope.

The RSD staff also clarified that the College Liaison Officers were being consulted not so much for the ‘as is’ process, but instead to inform the future processes being designed as part of the business transformation within the project.

COMMITTEE DECISION: RIMS Project Variation request (UICT Document 2016/65) was endorsed

EDITED

| ACTION ITEM | ACTION | BUSINESS OWNER | EXPECTED COMPLETION |
|---|---|---|---|
| 16-7 | RIMS - Standing Item. Specific requests from Meeting 2/2016: • Expression of concern to vendor relating to their primary contact for the University, and the contractual recourse available if this is not satisfactorily addressed; • Matrix of vendor contact points; • Revise and condense the risk assessment, noting the document is too large and complex; and • Revised scope and work plan (to be addressed by Meeting 5/2016) | Director (RSD) | 22/6/2016 (overdue) |
| | RIMS – Standing Item. Specific requests from Meeting 3/2016: • Revised Business Case, including: o detailed scope (showing Converis customisations, business process changes, and highlighting which systems would be decommissioned as a result of implementation) o updated budget | | 11/11/2016 |

The RSD staff exited the meeting at 1:43pm

Academic Portfolio

12. StudyLink – Project Proposal and update

As per Action Item #16-13, a status update for StudyLink, dated 7 June 2016, was submitted to the Committee (UICT Document 2016/58). The Director (ITS) advised that Phase 1 was delivering well, and was ahead of schedule.

The Deputy Vice-Chancellor (Academic) spoke to the Project Proposal (UICT Document 2016/59), explaining that the scope of Phase 1 had been contained due to limited timeframes to deliver all requirements. Phase 2 now sought to:

1. Implement College-specific enhancements not included in Phase 1 (to run 1/4/2017 to 29/5/2017); and

2. Begin a comprehensive review of the Manual Data Upload (OLA) process in early October 2016, producing a cost benefit analysis of various integration methods between StudyLink and Campus Solutions to improve this process, with advice to be submitted to UICT in early 2017 on whether the required changes are best implemented via the Data Integration Project or web services.

The College General Manager (Colleges of Science) strongly endorsed the proposal, noting there was universal support across all Colleges for these enhancements.


The Chair questioned whether a decision on Phase 2 was premature given Phase 1 is not yet in production. While supportive of the second phase works, he suggested a final decision should be subject to any competing priorities that might emerge after Phase 1 went live.

COMMITTEE DECISION: StudyLink Phase 2 Project Proposal (UICT Document 2016/59) was endorsed subject to the successful delivery of StudyLink Phase 1.

Corporate Services Portfolio

13. Data Integration – Project Proposal and update

Already approved as a part of the 2016-2017 UICT Program of Work, the Director (ITS) submitted a Project Proposal (UICT Document 2016/75) for the Committee’s approval of direction and further funding, noting its importance, as a Flagship SISC project. The current status update, dated 9 June 2016, was also submitted (UICT Document 2016/57).

The Committee considered the proposal to use an Enterprise Service Bus as the technology solution to speed up development and reduce integration costs, noting that the costings for the project were fluid and still in discussion. With a timeline from July 2016 to December 2017, the outcomes outlined in Phase 1 and 2 of the proposal were:

1. Pilot project: successful deployment of integrations between nominated quick win systems (Student Administration System, Library System, StarRez, Syllabus Plus and Wattle).

2. Establish the central integration platform.

3. Establish an Integration Competency Centre (ICC) and integration team with sufficient skills and expertise.

4. Implement associated processes and techniques to build and manage integrations more efficiently. Documentation and guidelines.

The Committee confirmed with the Director (ITS) and Director (SIG) that the recommendation had been based on a comprehensive procurement process.

COMMITTEE DECISION: Data Integration Project Proposal (UICT Document 2016/75) was endorsed

14. Collaboration – Project Proposal and Requirements Analysis

Noting that the Collaboration project had been approved as a part of the 2016-2017 UICT Program of Work, the Committee considered the Project Proposal (UICT Document 2016/62) and the Requirements Analysis document (UICT Document 2016/63) submitted by Director (ITS). The focus of the project is to explore the replacement of Alliance as the University’s primary collaboration tool, from 1/7/2016 to 30/11/2016, with the key outcomes for the project being to prepare:

1. A Business Case for a replacement tool for Alliance.

2. A data migration strategy from Alliance to the relevant platform/s, recognising that it has acted as a quasi-ERMS for years, and that there are many valuable documents stored in it.

3. An initial review and clean-up of existing Alliance data.

Given the difficulty in obtaining a Project Manager (PM) and Business Analyst (BA) for three to four months, seed funding was sought to enable the provision of a PM and a BA for 12 months. These staff would prepare a Request for Proposal, the resulting Business Case, the migration data analysis and the project plan; and would be allocated to other UICT projects if this project did not progress any further.

The Committee discussed the issues raised by this project, recognising:

• the latest version of the Alliance platform (Sakai) is heavily dependent on social media, and would not suit the University’s requirements;
• the major requirement of an Alliance replacement that was articulated by the University community was document collaboration;
• the data migration would be a significant business project, which would require data to be mapped to areas of subject matter expertise for assessment regarding retention/disposal and collaboration with University Records.

COMMITTEE DECISION: Collaboration Project Proposal (UICT Document 2016/62) was endorsed

PART 4 – IT INFRASTRUCTURE PROJECTS

15. 10 year ICT Infrastructure Plan

The following staff attended for this and the remaining items, entering the meeting at 1:58pm:

• Darren Alexander, Associate Director (ITS Infrastructure Services)
• Jonathan Nest, Manager (ITS Finance)
• David Howse, Manager (ITS Cyber and Digital Security)

The Director (ITS) submitted a 10 year ICT Infrastructure Plan (UICT Document 2016/64), in recognition that in addition to the approved Data Network Transformation and Storage and Compute projects, further investment is required in the University’s core infrastructure systems which would affect the following areas:

• Audio Visual InfoCommons
• Information Commons IT equipment
• Managed Print
• College Printer Fleet Consolidation
• ITS and Information Commons Printer Fleet
• Enterprise Architecture Framework
• Data Centre (upgrade provision)
• Web server replacement
• Oracle Hardware
• Network Management Systems
• Microsoft monitoring and Email

The Committee welcomed the document, agreeing with the assessment by the Director (ITS) that previous ICT infrastructure investments had not always been visible, even at senior levels of management; and that the University had not been as strategic as it could have been as a result. The Director (ITS) also highlighted the linkages with this proposal and the One ANU IT project, given that Colleges would not be investing in such things as storage and compute themselves. She emphasised that the plan was not intended to be prescriptive beyond the five year mark as the technology landscape would change dramatically during this period.

The Committee debated the need to review the architecture of the implied directions contained within each sub-element of the plan, questioning whether a like for like replacement was the appropriate direction, or whether there was a need to integrate innovation in the plan. Overall, there was consensus that prioritisation was the next step, to allow a deeper examination of the choice between replacement versus a change of direction for each sub-element.

The Executive Director (Administration and Planning) queried whether the University should continue to approach these investments with the same financial approach, and whether they might be financed alternatively to smooth out the capital expenditure implications.

The Director (ITS) agreed that an architecture piece was required to reveal what could be transformed and decommissioned, and to reveal the levels of maturity across the University’s ICT infrastructure to determine the ability to respond to new technologies, recognising a desire to be agile.

NEW

| ACTION ITEM | ACTION | BUSINESS OWNER | EXPECTED COMPLETION |
|---|---|---|---|
| 16-25 | 10 year ICT Infrastructure Plan – edits required: • Include alternative financial options; • Analysis of long-term business options available for each sub-element; and • Prioritise the sub-elements. | Director (ITS) | 21/09/2016 |

16. Future Network Charging Model

The Committee considered a proposal by the Director (ITS) to revise the future approach to recharge cost recovery, which is the mechanism associated with charging the ANU community and a limited number of external tenants on the Acton campus for use of the University’s copper, fibre, microwave and wireless networks (UICT Document 2016/66). Currently, the cost pool associated with this recharge is defined in a briefing note applying to all Service Divisions from Dr Brok Glenn, Executive Director (Administration & Planning) on 7 Dec 2012 (https://erms.anu.edu.au/wcc/faces/wccdoc?dDocName=ERMS1786711), and is based on an annual physical audit of network ports.

This Briefing Paper outlined three potential charging models, and recommended that the Committee endorse the third, which would determine usage via the useable floor area as defined within Archibus. ITS had worked in collaboration with the Finance and Business Services Division to produce a model which aimed to be equitable, have influence on demand, efficiency and cost-consciousness, in accordance with the Australian Government Cost Recovery Guidelines (July 2014).

The Committee discussed the merits and disadvantages of changing the charging model, noting that there was an appetite for change and simplicity; and requested that more feedback be gathered from the University Community before a decision could be reached. This matter would then be forwarded to the Senior Management Group of the University for a decision.

Professor Bottomley left the meeting at 2:28pm.

NEW ACTION ITEM | ACTION | BUSINESS OWNER | EXPECTED COMPLETION
16-26 | Future Network Charging Model. Edits required: feedback from focus group discussion (subset of School Managers), and feedback from next Service Division Directors’ and College General Manager meeting. Submission to the University’s Senior Management Group. | Director (ITS) | 21/09/2016

17. Disaster Recovery and Data Centre Strategy

The Committee considered a submission from the Director (ITS) which provided an update on risk and audit activities involving both IT Disaster Recovery and Data Centre operations. This submission described a number of outstanding audit recommendations that ITS was actively remediating. These audit remediation activities, in conjunction with efforts to position both ITS and the wider University in anticipation of One ANU IT, had resulted in the initiation of two strategic assessment engagements:

1. Data Centre Strategy

This activity was designed to assess the current and future state requirements for Data Centre operations at the University, and will interview key stakeholders, analyse current operations, analyse industry trends and deliver a Data Centre Strategy for consideration by UICT for direction, and funding discussions to determine the preferred future Data Centre operating model for the ANU. This work commenced on 30 May 2016, and was projected to take approximately three months to finalise.

2. Disaster Recovery Framework

This activity was designed to assess and update the ANU IT Disaster Recovery Framework, including an assessment of current ICT DR and Business Continuity Planning (BCP) documentation, interviews with key stakeholders across the University to understand system operational and recovery objectives, identification of key parties within an ICT DR context, and a refresh of both the Business Impact Analysis (BIA) and IT Disaster Recovery documentation. In addition to the BIA and DR documentation, the Framework will also suggest a future roadmap of activity for ongoing testing of systems in line with the University’s DR objectives. This work commenced on 16 May 2016, and was projected to take approximately three months to finalise.

COMMITTEE DECISION: Noted

18. Enterprise Storage and Cloud Enablement - update

The Committee received an update from the Director (ITS) on developments in the Enterprise Storage and Cloud Enablement Project, which outlined the tasks completed and the activities that were currently in progress. The Enterprise Storage and Cloud Enablement project was the first major project to utilise the Infrastructure and Cloud Enablement Roadmap and IT Strategy to produce a business case. Approval was given to approach the market with an RFP (Request for Proposal), which occurred using the UPCO ePortal on 19 April 2016. The RFP aimed to obtain solution design proposals from vendors, with detailed costings, to gauge the replacement cost of the existing, ageing storage and compute infrastructure. A revised business case and recommendation report will be prepared for UICT to seek its approval before proceeding to the next phase of the project. The Associate Director (ITS Infrastructure Services) advised that the tender process had reduced the eight original vendor proposals down to three, and were now seeking presentations to satisfy the final requirements, and that he was confident of the University achieving a successful, long-term partnership following this process.

COMMITTEE DECISION: Noted

19. Network Drive Incident 29022016 - PIR

The Director (ITS) submitted a Post Incident Report following the Network Drive Outage on 29 February 2016 (UICT Document 2016/68).

COMMITTEE DECISION: Noted

PART 5 – IT SECURITY AND RISK

20. eLearning Software - Risks and Issues Paper

The Deputy Vice-Chancellor (Academic) submitted a request by the University Legal Office regarding the risks and issues associated with the acquisition and implementation of eLearning software, including the legal risks and issues arising from key contract clauses found in eLearning software agreements.

The Committee noted that the demand for, and use of, third party hosted (or cloud) eLearning software services by teaching staff was increasing across the University. Teaching staff were acquiring and implementing hosted eLearning software solutions without sufficient policy direction and implementation guidelines from the University. The key issues identified were:

The myriad external legal and regulatory and internal policy constraints to consider when acquiring and implementing eLearning software – including the ANU Enterprise Agreement, privacy law, copyright law, higher education legislation, general contract law and an understanding of the University’s policy position and risk appetite.

Hosted (or cloud) eLearning software solutions being more than simple ‘educational tools’ – in most cases they are complex business IT solutions.

In employing a ‘software as a service’ delivery and licensing model, the eLearning contractual framework is complex and generally comprises two different types of contracts: one for the University and another for its staff and student end users, each with different terms and conditions.

As eLearning software contracts are generally standard IT contracts, the University may find it difficult to negotiate changes to the terms and conditions.

Acquiring and implementing eLearning software requires the right expertise, adequate resourcing and the adoption of IT project management principles – to create a business solution that considers and melds the contractual issues, the business process and the technical requirements and limitations.

In addition to this briefing, the Committee received four schedules detailing:

Broader policy threshold questions - Schedule 1: Policy Threshold Questions (UICT Document 2016/50);

The key contract clauses typically found in eLearning software agreements - Schedule 2: Key eLearning Contract Clauses (UICT Document 2016/51);

A detailed summary of eLearning software issues - Schedule 3: Introduction to eLearning Software Issues (UICT Document 2016/52); and

A sample risk assessment and risk management strategy (based on the Turnitin eLearning software) - Schedule 4: Sample Risk Assessment (UICT Document 2016/53).

The DVC-A highlighted the significant bottleneck created by the need for each contract to be treated as de novo. Instead, she proposed that at the point that staff are engaged or students are enrolled by the University, they should be required to act within a set of guidelines which would address many of these issues, including:

Preference for use of cloud storage areas located within the European Union;

Standard indemnity clauses which would only be deviated from on an exception basis;

Standard KPIs for use; and

Ensuring any material created by members of the University was appropriately accessible to the University following the exit of any such person.

COMMITTEE DECISION:

1. Noted the paper from the University Legal Office, and expressed appreciation.

2. Endorsed the Deputy Vice-Chancellor (Academic)’s suggestion to create a high-level summary of issues and risks associated with eLearning software, with accompanying recommendations to mitigate risks.

NEW ACTION ITEM | ACTION | BUSINESS OWNER/S | EXPECTED COMPLETION
16-27 | To create a high-level summary of issues and risks associated with eLearning software, with accompanying recommendations to mitigate risks | Deputy Vice-Chancellor (Academic) and Director (ITS) | 21/09/2016

21. IT Security

The Committee considered two matters raised by the Director (ITS):

a. Mobile Device Management – Briefing Paper and risk assessment

A significant number of mobile computing devices (phones, tablets and portable computers) are used by students and by academic and professional staff, many of whom use these devices as their primary means of interacting with ANU systems and services. A number of risks relating to these devices have been identified both by internal risk reviews and by internal and external audits, for example the 2012 Deloitte Internal Audit of mobile device data protection (ERMS: https://erms.anu.edu.au/wcc/faces/wccdoc?dDocName=ERMS1786436) and the ITS Working Group on Mobile Device Management (ERMS: https://erms.anu.edu.au/wcc/faces/wccdoc?dDocName=ERMS1786435). These risks include:

A lost, stolen or inappropriately accessed device may expose ANU information to unauthorised third parties. Unlocked devices (or devices which can be easily unlocked) may allow access to data stored on the device, including email, documents, text messages, pictures and address book details. Certain types of information (payment card information, personally identifiable information, health information) may carry compliance requirements; disclosure of such information may lead to penalties for the ANU. Other types of information, such as intellectual property or commercial information may harm the ANU if inappropriately accessed.

Many devices cache or store credentials for services such as wireless networks, email or social media accounts. Found or stolen devices, if inappropriately secured, could allow access to these services with the permissions of the device owner, potentially allowing fraudulent transactions on ANU or external services.

Malicious software applications may give access to data stored on the devices, or allow access to components of the device such as microphones, cameras and GPS.

The Director (ITS) recommended that the University should target the areas of highest risk. This would involve the following steps:

1. Classify data and systems that should not be stored on or accessed through unmanaged devices.

2. Implement an appropriate management solution for approved devices.

3. Allow access to designated systems and storage of designated data only on approved devices.

4. Provide appropriate training on risks and responsibilities to all ANU users.

She advised that analysis of the scope of these steps was required, and that a costed proposal would be prepared and submitted for UICT consideration.

COMMITTEE DECISION: Endorsed recommendation to target the areas of highest risk, and to consider a Mobile Device Management project proposal

NEW ACTION ITEM | ACTION | BUSINESS OWNER/S | EXPECTED COMPLETION
16-28 | Mobile Device Management - Project Proposal | Director (ITS) | 2017

b. Multifactor Authentication

The Director (ITS) advised the Committee that at the most recent meeting of the Audit and Risk Management Committee of Council (ARMC), a risk highlighted in the 2014 Internal Audit of Identity and Access Management – Phase 2 was considered: Recommendation 7. Implement multi-factor authentication for privileged accounts. ITS reported to ARMC that it does not implement multi-factor authentication for its systems, and that a separate tool would be required to do so. ITS therefore made a recommendation to ARMC that the ANU should accept the associated risk, and close this item. As the peak ICT governance body for the University, the UICT was nominated as the appropriate committee to make this determination on behalf of the ANU.

The Director (ITS) explained that multifactor authentication was a security strategy that required the use of two independent factors, and that various audit findings had suggested that the ANU implement multifactor authentication in order to address the risks inherent in using a single factor (typically a password). Although the University had implemented several multifactor schemes for the protection of physical facilities, implementation of multifactor authentication across ANU systems was complicated by the number of systems and the lack of a single authentication environment used to access services. Several options for the increased use of multifactor authentication were examined, and the majority of options were dependent on costly hardware infrastructure, or required further development of the ANU Identity and Access Management system and consolidation of multiple authentication domains across campus into a single domain.

The Manager (ITS Cyber and Digital Security) advised the Committee that ITS intended to examine focusing on both Enterprise Applications access and administrator-level access in the future, noting that these were the highest areas of risk and were also much smaller groups and thus more logistically practical to manage. EDAP suggested that it would be important to approach the task efficiently, to make an effort to identify sensitive systems and map a tighter regime for those, including timeframes.

COMMITTEE DECISION:

Endorsed recommendation to begin implementing multi-factor authentication in targeted areas of high risk, i.e. Enterprise Systems, but to otherwise accept the risk, on behalf of the University, posed by not implementing multi-factor authentication elsewhere

NEW ACTION ITEM | ACTION | BUSINESS OWNER/S | EXPECTED COMPLETION
16-29 | Multi-factor Authentication: Identify sensitive ANU Enterprise Systems and map a timeframe to implement multifactor authentication where appropriate | Director (ITS) | 2017

22. Privacy Report

The Committee considered a report provided by the ANU Privacy Officer, including the following:

Education/Awareness: new PULSE module launched on Privacy;

Policy: A light review of ANU policy will occur in 2016;

Engagement with Privacy Commissioner: National Privacy Awareness lecture held at ANU; and

Advice: Advice continues to be regularly provided to staff. This takes several days a month of the Privacy Officer and Legal Office’s time. Sue Galbraith, Legal Office, continues to attend relevant training opportunities and keep abreast of issues.

COMMITTEE DECISION: Noted

PART 6 – FINANCIAL AND BUSINESS ITEMS (Confidential)

23. UICT Program Dashboard

The funding and delivery status of open projects were recorded in the UICT Program Dashboard (UICT Document 2016/71).

COMMITTEE DECISION: Noted

24. Project Closure Reports

The Committee received a list of the currently open UICT Project Funds and associated commentary:

PROJECT NAME | COMMENTS | BUSINESS OWNER
Chemical Management System | Project Closure Report anticipated for submission to UICT 5/2016 | Director (ITS)
Lecture Recording (ECHO 360) | Project Closure Report anticipated for submission to UICT 4/2016 | Deputy Vice-Chancellor (Academic)
Moodle Enhancements | | Deputy Vice-Chancellor (Academic)
Digital Content Repository | Project will commence as a part of the 2016 ANU Online Program | Deputy Vice-Chancellor (Academic)
Pre-Award Grant Reporting | This project has dependencies on the completion of other projects, and has not yet started. | Director (PPM)
ES Financials upgrade | A Project Closure Report is anticipated for submission to UICT 4/2016 | CFO

COMMITTEE DECISION: Noted

25. UICT Funding Allocation projection

The current commitment of the overall UICT Funding Pool was detailed in the UICT Funding Allocation projection (UICT Document 2016/72).

COMMITTEE DECISION: Noted

26. ICT Acquisitions above $100,000

The Committee received a report detailing the complete ANU-wide 2015 ICT expenditure for total amounts exceeding $100,000, by supplier (UICT Document 2016/73).

COMMITTEE DECISION: Noted

27. ICT Acquisitions by Business Unit

The Committee received a report detailing the year to date ANU-wide ICT expenditure by business unit (UICT Document 2016/74).

COMMITTEE DECISION: Noted

PART 7 – GENERAL BUSINESS

28. Director, ITS - Report

The Director, ITS gave a verbal update on the current discussions with Dropbox. She noted that Dropbox were still unable to provide a clear engagement model, and the costs of an Enterprise-wide licence were prohibitive. The Committee agreed with this assessment, and requested that ITS further explore this as a value-added service rather than a replacement.

COMMITTEE DECISION: Noted

EDITED ACTION ITEM | ACTION | BUSINESS OWNER | EXPECTED COMPLETION
16-20 | Dropbox evaluation – to explore as a value-added service | Director (ITS) | 21/9/2016

29. Date of Next Meeting

Meeting 4/2016, 10:00-11:30am Wednesday, 21 September 2016 Ross Hohnen room, Chancelry

PART 8 – OTHER BUSINESS

30. One ANU IT - OLA

The College General Manager (Colleges of Sciences) informed the Committee that the first Operational Level Agreement (OLA) under One ANU IT had been signed earlier that day, covering Science College Administration staff located in:

Peter Baume

Robertson

JCSMR

Jaeger Buildings

This will also affect services rendered to:

Centre for Public Awareness of Science

National Youth Science Forum

Australian Science Innovation

Centre of Advanced Microscopy

Science Teaching and Learning Centre

The Committee congratulated all parties.

COMMITTEE DECISION: Noted

The meeting closed at 2:42pm.