Present: Mark Aldenderfer, Arlene Allen, Larry Carver, Chris Dempsey, Doug Drury, George Gregg, Catherine Masi, Mark McGilvray, Jennifer Mehl, Elise Meyer, George Michaels, Alan Moses, Linda Moskovits, Joan Murdoch, Larry Murdock, Stan Nicholson, Dan Ringwald, Fuzzy Rogers, Glenn Schiferl, Kevin Schmidt, Deborah Scott, Jan Smith, Chris Sneathen, Jamie Sonsini, Bob Sugar, Paul Weakliem, Craig Welsh
Network Citizenship
A draft of a network citizenship document was presented by Kevin Schmidt. This document is intended to be a tool to manage the networks and to help determine network administrator’s responsibilities for maintenance and security. Kevin is currently building a list of known network administrators. Document requirements that were highlighted include: Departments can nominate a person, but the nominee must be approved by the hostmaster based on outlined requirements for subnets and network administrator responsibilities. Departments must be able to account for the source of their traffic, including wireless, which has significant implications as such systems frequently lack sufficient accounting as required by this document. And their accounting must still stay within the Electronics Communication Policy. 802.1x should go a long way towards providing solutions to providing data to campus network security and network management personnel regarding the source systems and responsible individuals for network traffic observed on the campus backbone. The objective is to strengthen the role of network administrators as managers of a significant operational resource (i.e., subnets) by articulating baseline campus needs relative to allocated networks. Due to the serious nature of this issue, comments are definitely welcome. Please have any responses in by Nov. 5 so Kevin can incorporate them for the upcoming BEG meeting. It was asked whether the ITPG would ultimately need to approve this document and the response was no. Kevin is communicating responsibilities down as per his job description, and this is a comment and feedback opportunity. Academic Senate consultation was considered, but as this is an operational issue and the steps are clearly defined, it should not be necessary. OIT does not have the staff for enforcement; departments will have to deal with that aspect on their own. A model of staff shared between departments is already in existence. However, lack of support is not an option. Cases of known or suspected compromise must be reported. The hostmaster may reduce the requirements for specific systems for a limited duration based upon an evaluation of the risks associated with a well-defined implementation. Kevin will email a copy of this document to ITPG members and solicit comments. Copies will then be sent to all departments; target for implementation is 3-4 weeks. Requests for assessment from departments should be expected in order to establish preparedness, which will allow proactivity as opposed to reactive behavior.
SB1386
Doug reported that UCSB guidelines have been developed, reviewed, and adopted that specified that even if we could not prove an attack was successful in obtaining data, we should assume the data was accessed and compromised, and notify the affected individuals of the possible compromise. However, the California state Office of Privacy Protection recently published a guideline that stated it should be assumed that data WERE NOT acquired unless evidence of acquisition can be found. UCOP legal experts have agreed that campuses may take this document as guidance and implement the same approach. A revised draft including this change was distributed to the mailing list. UCOP legal counsel is drafting further guidance regarding campuses responsibilities in providing audit capabilities and investigating incidents. The campus is currently dealing with an incident that would be affected by this proposed revision. Although some felt that notification of a possible compromise was preferred, more people felt that the stricter rules would generate more notifications of possible compromises that would ultimately be ignored by the affected individuals. There was general agreement that our guidelines should be consistent with the other UC campuses and with UCOP legal guidance. ITPG concurred that Doug should proceed with the revision and prepare a presentation for the ITB. It is expected that UCOP will be providing suggestions on ways of managing systems and discovering proof of compromised databases. ITPG’s guidance regarding the current incident was to proceed under the new guidelines, unless UCOP’s guidelines are not distributed soon or are not helpful, in which case the notifications regarding the current case should be sent and the revised guidelines will be refined for future cases.
Oblix
The new architecture working well and Arlene is working towards deployment next week. There seems to be no problems with the code, and the current aim is greater security.
IT Budget Subcommittee
A subcommittee of the campus Budget Coordinating Committee has been formed to look at whether there are better and cheaper ways that we can deploy IT on campus. This subcommittee consists of faculty, staff, and senior administrators. ITPG members participating on the committee include: Deborah Scott, Alan Moses, Bill Koseluk, Elise Meyer, and Bob Sugar. The committee is looking into five areas to research possibilities resulting in greater efficiencies and lower costs: planning, resource allocation, security, baseline services, and IT funding. Bob Sugar indicated the two main purposes are to provide general advice to the Chancellor, and to look into areas for streamlining and effectiveness. ITPG comments included the request for open campus forums to discuss the findings of the subcommittee, a question whether the subcommittee would be looking at things at the data interchange layer (NB: currently no), and whether development efforts could be focused on IT. Comments are welcome and should be forwarded to Elise.
Back to ITPG Meeting Schedule
