UCITPSO meeting
8/16/02, UC Santa Cruz.

Session Attendees:
Ellen Amsel, San Francisco
Jose Claudio, San Francisco
Jacqueline Craig, Berkeley
John DeGolyer, Los Angeles
Karen Eft, Berkeley
Russ Harvey, Riverside
Karl Heins, Office of the President
Mike Iglesias, Irvine
Kiyomi Inouye, Santa Cruz
Keith Kane, San Francisco
Craig Lant, Berkeley
George Lavender, Berkeley
Binh Nguyen, San Francisco
Neil Ratzlaff, Office of the President
Tad Reynales, Santa Cruz
Janine Roeth, Santa Cruz
Kevin Schmidt, Santa Barbara
Ross Stapleton-Gray, Office of the President
Donald Stitt, Davis
Michael Van Norman, Los Angeles
Jim Warner, Santa Cruz
Pat Wilson, San Diego
Steve Zenone, Santa Cruz

UC Information Technology Auditors
Terry Allen, Riverside
Wilson Crider, Irvine
Dave Curry, Los Angeles
Geri Gail, Santa Cruz
Karl Heins, Office of the President
Doug Huff, Lawrence Livermore National Laboratory
David Lane, Santa Cruz
Kim Martens, Lawrence Berkeley Laboratory
David Meier, San Diego
Patrick Reed, University Auditor
Mark Valade, San Francisco
Frank Wong, Office of the President

Guests
Johanna Majedi, Director, Communications and Computing Services, California Polytechnic State University San Luis Obispo
Welcome
Kent Wada, as the usual convener, was absent due to illness and was expressly missed.

Joint session with the UC IT Auditors
Karl Heins introduced the group of UC IT Internal Auditors. This group, convening for the first time themselves, agreed to meet jointly with UCITPSO for information sharing and exploring areas of common interest. Internal Audit reports to the University Regents and to the campus Chancellors. Their duties as presented are three-fold:
1) performing audits (evaluating and reporting on controls);
2) advising on controls;
3) investigating.

Internal Audit works on projects rather than assuming an ongoing monitoring or enforcement stance. They serve as an authoritative voice to management, who receive their reports and provide responses. Several Auditors expressed the desire to leverage this towards common improvements, e.g. awareness of policy implications, need to update policy, develop standards, articulate responsibilities.

Another point of discussion was when to contact Audit in the investigative process. Suggestions included when there are financial or confidentiality issues, as part of a standard Incident Response team, or in a whistleblower context.

Common concerns between IT Auditors and the UCITPSO group included:
* outdated policies;
* need for policy consolidation;
* clarity around responsibilities regarding IT systems.

There was interest in the subgroup working on a wishlist of policies, standards and best practices. Some examples to leverage include [UCITPSO contact]:
UCSC - Enterprise Systems Standards [Janine Roeth];
Berkeley - DRAFT Security Policy [Karen Eft].
Other items of note were the Wireless Audit done at UCSF [Ellen Amsel; see below].

ACTION: Ross and Karl will solicit interest to form a small group between UCITPSO and IT Audit to pursue issues of common interest and concern.
UCOP Report

IR&C Staff Positions Update
Ross provided status on the current UCOP/IR&C management transition. This included the arrival of Kristine ("Kris") Hafner as interim AVP/IR&C following the departures of Bill Campbell and Jim Dolgonas, as well as the still vacant IT Policy position formerly held by Martha Winnacker. The candidate search for the IT Policy position was not successful; the position and its duties are under discussion. An outside executive recruiting firm, A.T. Kearney, which is currently involved in several other UC IT management recruitments, has been selected to assist in this process.
Internet Payment Gateway
Karl and Ross provided a status report on a proposal for Internet payment gateway(s) for UC. A proposal based on Cybersource for a UCOP-based service is not proceeding, and UCLA is evaluating whether or not its existing payment services could be expanded to serve other campuses. UC Berkeley's credit card solution is based on CyberSource, has been fully operative for over a year now and has proved quite successful.
PKI
Campuses are at different points in the deployment of PKI. Participants noted a need for clarification of the current services' status and capabilities. There was specific concern about the need for common models to aid developers of certificate-aware applications. It was suggested that UCOP focus on developing such structures or standards to avoid duplication of effort around the campuses or, worse, omission of a necessary component. UCSF mentioned the model for verification - i.e. mapping the certificate to the person/directory - which doesn't exist as a UC-wide standard, although other campuses may have already addressed it locally. Several campuses are involved in the PKI initiative, especially developing certificate-aware applications.

ACTION: Ross will talk with David Wasley (UCOP) and David Walker (UCOP), recently hired by IR&C from the California Digital Library, about the feedback from UCITPSO and the collaboration between Directory Services and PKI projects.
Campus Reports

UCSC Experience with ARIS/DeepSight
Steve Zenone provided some insight on UCSC's experience with the SecurityFocus ARIS (now renamed DeepSight) service. UCSC provides logs from their highly-tuned IDS systems to the service, which acts as an early warning system through the return of reports and aggregated data from other participating organizations. The service has been useful through improved and focused reporting with better identification of "real" threats.
Anti-Virus Email Filtering
Campuses are using a variety of anti-viral email filtering tools, including Sophos and MailScanner, TrendMicro and McAfee. Campuses that are actively using Sophos include UCI, UCR, UCSD and UCSC. Berkeley is using TrendMicro and UCLA is using McAfee. The percentage of email containing viruses seems to range from 2%-10% at many campuses. None of these campuses had current concerns about the added load on their mail server, though a slight delay in delivery of mail was noted.

Many campuses are looking at SPAM filters as well. UCSF has a "deliver to the desktop" philosophy based on MiaVia, which allows the user to deal with messages highlighted as SPAM. That will soon be rolled out in the School of Medicine. UCI is looking at SPAM Assassin; UCSD noted that they had a high rate of false positives with SPAM Assassin; UCSC has had similar feedback in small tests.
Wireless
Mark Valade described a survey of wireless access points (WAPs) on the UCSF campus; WAPs were discovered via search with scanning tools. The survey found approximately 250 WAPs, of which 15 had not been installed by ENS of UCSF. Of those 15, there were 5-6 WAPs that allowed unauthenticated access through to the Internet.

Jose mentioned that the UCSF Medical Center is pursuing some 802.11b pilots, with some consideration about the risks of interference, e.g., with other equipment operating in the same band. Through a general discussion, it appeared that the concern was less for spectrum contention between dissimilar applications than for similar ones, e.g. multiple 802.11b access points.

Ross mentioned IS-5 as a possible vehicle to address construction and wireless LANs. This Business and Finance Bulletin covers radio, television and microwave deployment and licensing, and dates to 1977. Johanna Madjedi commented on the status of wireless networking on Cal State campuses, where fewer wireless network expansions have been launched to date, primarily due to the more centralized network management and limited funding. She mentioned additionally that CSU had an airwaves policy.
Policy
John DeGolyer presented UCLA's work on key issues in an overall security policy. This work comes out of their Information Technology Planning Board, which is the IT governance body at UCLA. The issues that UCLA has identified include Security and Enterprise Directory issues and touch on a number of emerging themes, e.g. use of email for University business. Berkeley notes that they use email for official communications to students - students must maintain an accurate address. UCSC is pre-assigning accounts to all students this fall as a step in this direction.

Berkeley has a draft Campus Information Technology Security Policy which is being developed by the Campus Information Security Committee, a standing subgroup of the e-Berkeley Steering Committee. This document extends the e-Berkeley policy work through more definition of roles and responsibilities.
Lunch

Sharing of Data/Personally identifiable information/IP addresses
The group discussed sharing of data with outside parties, e.g. vendors or non-UC. UCSC's use of ARIS/DeepSight was provided as one example of doing this with a commercial vendor. There was general agreement that IP addresses may be used to get information about individuals - UCSC has worked with ARIS/DeepSight to ensure that requests for information beyond IP addresses are deferred to the University for handling through standard release of information procedures. Other ideas are to limit retention periods of data that goes to external vendors.

There is agreement that standard language should be written into contracts with external vendors based on campus policies or state or federal laws, although no model language yet exists. Ross suggested that Business and Finance Bulletin RMP-8 ("Legal Requirements on Privacy of and Access to Information") might be a vehicle for new policy language regarding outsourced service providers' handling of UC information.
"Good Passwords"
Karl Heins provided some background on the issue. UC's external auditor PriceWaterhouseCoopers (PwC) has been the source of an admonition to improve passwords through shorter periods of mandatory password changing, a common practice amongst external auditors. Karl provided some insight into the role of the external auditor and how recommendations of external auditors are handled within UC.

A goal is to develop an adequate response regarding authentication controls to external auditors. This may incorporate the issues related to multiple passwords vs. single sign-on, one-time passwords, etc. Encryption as a response alternative to password changing recommendations was also suggested. As further resources, UCSF Medical Center has a document regarding strong password controls. Berkeley suggested the use of references such as the SANS password policy if we wish to develop a UC policy.
UCITPSO Futures
The final UCITPSO session for 2002 is scheduled for October at UC Riverside. Kent previously proposed a format change to the meetings, towards two-day sessions twice a year. There was general support for this proposal, to begin in calendar year 2003. Some alternatives to the exact format of the days were discussed to minimize travel time and overnights. These included Johanna Madjedi's suggestion of a day-long meeting extending into the evening, to reduce the meeting, including travel, to two days out of the office. That is a format used by CSU for their periodic meetings. Specific venue and date(s) of the first 2003 meeting are still to be determined.

Adjournment