Information Services
Information Technology Committee
10th June 2014

ITC Workplan for 2014/15

Brief description of the paper
The paper is a combination of a committee workplan for 2014/15 and a report on activity during 2013/14. The plan is for discussion and comment; the report is for information. The plan and the report were required by KSC for their meeting in October and so have already been reviewed and accepted by KSC. So we are in the slightly strange position of having an acceptable workplan that ITC hasn't seen. This does not mean that we cannot make changes if we wish to, but we can have confidence that it is covering the areas that are important to KSC.

Action requested
For comment - we will finalise the plan based on comments received.

Resource implications
Does the paper have resource implications? No

Risk Assessment
Does the paper include a risk analysis? No

Equality and Diversity
Has due consideration been given to the equality impact of this paper? Yes
There are no diversity implications.

Any other relevant information
The Review Group will submit annual reports from this point onwards to ITC.

Originator of the paper
Simon Marsden
October 2014

Freedom of information
Can this paper be included in open business? Yes

ITC Workplan

The ITC committee has a pattern of working based on having 3 meetings a year. The work is divided into the following broad areas:
- IT Strategy
- Oversight and input to major IT initiatives
- Service monitoring - robustness, resilience, priorities
- Security

2014/15 Plan

Strategy
IT infrastructure
- Implementing the outcomes of the IT Infrastructure review
Overall strategy
- Review overall guiding principles document.

Oversight of major initiatives
- Research Data Management (IS)
- Telephone Replacement (IS)
- Office 365 for staff (IS)
- University web site content management system change (IS)
- Delivery of web services to mobile devices (IS)
- Media Refresh (IS)

Service Monitoring
The main strands of work planned in this area are:
- Ongoing monitoring of priorities
- Roll out of software licensing risk management
- Policy around availability taking into account planned and unplanned down time

Security
- Ensuring our policy and guidance are current and disseminate best practice.
- Annual report for Risk Management Committee on security incidents/breaches
- Multi factor authentication implemented in high risk situations

S L Marsden
October 2014

2013/14 Review

Strategy
Within the strategy we have an overall IT Strategy which is concerned with the principles which guide the development of IT services. Within the overall umbrella, sub-strategies are developed. Over the last year a plan for developing our capability to manage and deliver multi media content was developed, resulting in the IT Committee supporting an IS business case in the planning round which received funding. Going forward there will be an initiative to develop the service; monitoring of that will be part of the oversight activity in the 14/15 plan. The video services are more closely aligned with the work of the Learning and Teaching Committee and it is expected that the requirements for infrastructure will be driven by their agenda.

We have been conducting an IT Infrastructure Review over the summer. The expectation is that we will produce a 5 year roadmap for the development of the IT infrastructure; the roadmap will be reviewed by both ITC and KSC. Timing of the review has resulted in the work being carried out in between meetings of the IT Committee.

Oversight and input to major IT initiatives 2013/14

Research Data Management (IS)
The RDM services have made good progress, with the policy and tools for creating data plans, together with technical delivery of the data store (ie up to 500Gb of active file storage per researcher) and the data share (ie sharing published data sets), in place; the data vault (ie long term storage) is still to be developed.

Telephone Replacement (IS)
Replacing analogue phones which are near end of life with digital phones has been constrained by funding but has also been included in the infrastructure review.

Shared Academic Timetabling (IS)
This 3 year project has delivered well; we now have a timetabling unit located in SSG who are running the processes and continuing to further develop the service.
The main objectives of delivering personal timetables for students and more effective MI showing teaching space usage have been delivered and the project has closed. The software that we purchased, Scientia, has been found to have some limitations which have impacted on our delivery: the software is not as reliable as we need, and the functions to allow student self sign up for class events (eg tutorials) will not work in combination with our other processes. Scientia recognise the issues and are engaged on a product re-write which will address the problems but which will take at least 2 years to deliver. In the meantime we have put additional monitoring and process control around the service to greatly reduce the unreliability issue. From a user perspective we managed the peak period through the start of the academic year this year with far less disruption than in the previous year.

Office 365 for staff (IS)
Our in house Microsoft Exchange service, which delivered diary for all staff and email for about 60% of staff, has been successfully replaced with Microsoft's cloud service Office 365. The change has been well received. Driven by user demand we are now in the process of
transferring all staff still using Staffmail in the College of Humanities and Social Sciences to Office 365 and have a similar migration for Medicine staff planned.

Select Print (IS)
Introduction of SelectPrint has allowed us to consolidate on a single printing/copying/scanning service for staff and students. Under our contract with Xerox, we now have a fleet of some 700 multi function devices in place, selected from a range of 7 models. Students and staff can print to MFDs from their own laptops, computers, pads and phones as well as from University equipment. The service has been very positively received. We have seen an increase in usage of about 50%.

University web site content management system change (IS)
The plan to replace our current content management system Polopoly with the open source system Drupal remains on track for December 2015 delivery. We are just about to start the first site migrations ready for full scale activity starting January 2015.

Delivery of web services to mobile devices (IS)
We developed a strategy to use adaptive web pages (ie web pages which adjust their display to the size of the screen they are being used on) rather than custom apps for mobile devices. We have done this successfully for both the EASE and MyEd services and are starting to see the adoption of adaptive design in other services, eg some aspects of student self service. The strategy recognises that where an app already exists we can incorporate it into our portfolio but that we should not create apps ourselves. Consequently we have adopted a mobile App from Blackboard for users of the Learn VLE and Microsoft's apps for Office 365 users. This is great progress.

Use of Video management tools in the Business School (CHSS)
The Business School purchased a cloud service called Panopto to support their ambition for capturing and delivering lectures and other video material as part of the Edinburgh MBA programme.
The service has worked well and is providing really helpful input into the business case for a University wide media service.

Business Intelligence (USG)
The committee has continued to follow the progress of the BI/MI initiative but does not have a governance role, so acts as an additional communications channel for the initiative.

Service monitoring - robustness, resilience, priorities
The availability of services remains a significant concern, especially at the start of the academic year. The lessons learned from previous years are being fed into a continuous improvement cycle such that we have seen year on year improvements. The start of 2014/15 was to the required standard with little or no significant disruption to services. It is important to recognise that the start of the year will always be a vulnerable period, with many processes that have to execute at high volume which are not exercised at volume at any other time of the year, and software and hardware that changes between peak cycles.

The sub group of ITC set up to monitor the service priorities and the levels of service availability and disaster recovery primarily accorded to each category (high, medium or low) reported to ITC in June. They recommended no changes to the high priority category. The group has started to engage with overall availability, combining planned (ie system maintenance) and unplanned (ie faults), to work
towards setting an overall target. As a first step, monitoring of overall availability has been put in place.

The committee oversaw the development of a policy to ensure that the risks associated with breaches of software license conditions are routinely reviewed and managed. The process to assess the risks is currently being piloted across all IS with an expectation of rolling it out more widely early in the year.

Security
Security risks have been a growing concern throughout the year, within ITC and the Risk and Audit committees. The growing concern is a reflection of the increasingly difficult external environment and, as a consequence, we have been responding and stepping up our activities. The appointment of the Chief Information Technology Officer has made a significant difference. He has provided a focus for our activity. The main areas that have been addressed are:
- Met with heads of schools and established a network of security practitioners within the University
- Provided that network with a way to feed back on incidents so that we can learn from each other, track levels of incidents and compare them with other Universities.
- Put in place a firewall rule that requires all web sites in the University to be registered before they can receive traffic from outside of the University. Understanding what we have and who owns it will provide us with a control to monitor activity and to ensure that web servers are being updated and adequately patched for new security vulnerabilities.
- Procured an external vulnerability testing service
- Provided guidance on possible data loss
  o what constitutes high risk information
  o what actions users need to take if they are using high risk information on mobile devices
  o encryption tools to mitigate the risks
- Assessed the risks around the possible theft of passwords. The outcome of this is that we believe we need to implement a second factor challenge, ie something more than a password, for some services.
  The area where there is the biggest risk is student record and BI/MI services, where many staff quite correctly have access to many students' personal data. Technical solutions which balance usability and security are being evaluated before a final recommendation is made.
- Provided an annual report to the Risk Management and Audit committees (attached).

IT Security 2013-2014 report to Risk and Audit Committee

During the past year there has been a significant expansion in the level of effort over security evident in the Colleges and Schools. In particular, a very active group has been established in Science and Engineering and this model is now being followed in Humanities and Social Science.

A review of the various security policies has been made by the ITC Working Group on Security and steps taken to update the policies and to establish new policies where there are obvious gaps.

A short review was held over the danger of leakage of corporate data when an EASE credential is lost. This has led to further discussions with system owners and a proposal for positive action over changes to the security model for the Student Systems area.

Ongoing work has continued with both Janet and other Russell Group institutions on the ability to share information on the number and severity of security incidents. This work only proceeds very slowly as there is still extreme reluctance to admit to events unless the issue is forced upon an institution.

During the year there have been 11 security incidents which can be graded as serious. This compares to 14 incidents in the previous year. It should be noted that 3 of these incidents have been in the EUSA website area. We are engaged with EUSA about how they can improve the security awareness of their web site managers.

Date | Incident | Effect | Cause | Owner
15-Aug-13 | IRC Bot infection | Network attacks - Caused DoS issues | Inadequate patching | Biological Sciences
16-Sep-13 | Trojan 'Key Logger' | Potential loss of information | Responded to phishing email | HSS
12-Nov-13 | Compromised Website | 500 bytes downloaded (style sheets) | Inadequate patching | Informatics
29-Nov-13 | Phishing Attack | Ability to read Staffmail. | Responded to phishing email |
06-Feb-14 | Compromised Website | Inserted web pages | Inadequate patching | Biological Sciences
20-Feb-14 | Credential Loss | Id theft through bogus adverts | Guardian-Bad password Policy | CM
03-Mar-14 | Careless Permissions | Publicly available files | Carelessness | Geosciences
01-Aug-14 | Compromised website | Added web links | Inadequate patching | IS-Apps
18-Sep-13 | Compromised Website | Viagra Adverts | Inadequate patching | EUSA
22-Apr-14 | Compromised Website | Viagra Adverts | Inadequate patching | EUSA
18-Jul-14 | Compromised Website | Viagra Adverts | Inadequate patching | EUSA