TAG Meeting 2013-04-03

3 04 2013

TAG met for our third and final Spring 2013 meeting this morning, and it was a meaty one. Here’s what’s going on:

1. TAG Leadership for 2013-2014

Continuing the discussion from our March meeting, we’ve officially agreed to move to a rotating, 2-year-term, 2-co-chair leadership model for 2013-2014. Jeremy and Kristen nominated Dave (currently a Faculty Senator) to take over for Jeremy as co-chair in 2013-2014 and serve as TAG’s liaison to the Faculty Senate. We held a not-quite-strictly-parliamentarian vote among the faculty TAG members present, which passed with no audible or visible dissent, so Dave will start his 2-year term in Fall 2013… or more likely Summer 2013. Kristen will stay on for 2013-2014 and then rotate off, to be replaced by a new co-chair in 2014-2015.

2. Identity Finder Automated Scans

Jim brought Adam Edwards, our new Information Security Officer, with him to the meeting to talk about an Information Security Office/IT Client Services Identity Finder Proposal on Automating Scans. For those just joining us, Identity Finder software scans your computer for sensitive, unsecured Personally Identifiable Information (PII). It’s been installed on faculty computers since 2011 (Windows only – Mac and Linux users can skip this part). To date, the scans have been encouraged but entirely voluntary and entirely user-initiated.

The Information Security Office and IT Client Services are jointly proposing implementation of weekly, automated, required Identity Finder scans (see the proposal for details). Adam explained the rationale — if IR knows where sensitive data is stored on campus, it’s easier to protect that vulnerable data and avoid embarrassing FERPA violations. It’s also easier and faster to fix and return malware-infected machines if IR knows whether or not the machine had any sensitive data on it. Here’s how the proposed scans would work:

  • Every Friday at 12:30pm (or the next time your work machine was turned on), Identity Finder would automatically begin a scan.
  • Scans would be limited to only certain types of sensitive data – e.g., Social Security numbers, driver’s license numbers, credit card numbers, and birth dates.
  • The Information Security Office would receive reports on the scan results. Adam would see the number of hits, and a masked view of the PII found, but he would NOT be able to see the file or the full PII picked up in the scan.
  • If a computer frequently had many hits identified, Adam would reach out to that user to help them better manage their sensitive data (so that the Information Security Office’s efforts would be focused on the largest sets of the most vulnerable data).

Adam has been testing with a small group. This Friday he’ll be rolling out the automated scans to all PIR staff members for another 2-3 weeks of testing. Adam noted that they are working on finding the most effective and efficient ways to scope the scans to minimize scan time.

TAG members mentioned a few concerns:

  • Scan length and performance effects — Kristen and Kim had run test scans on their machines that took much longer than expected (Kristen’s was 7 hours and 45 minutes, with a noticeable impact on performance).  Jim said that the subsequent scans are much faster, since you can set Identity Finder to ignore locations with many false positives – his scan takes about 3 hours. With respect to performance, Identity Finder does have a throttling capacity, such that it is not supposed to impact other applications. Adam explained that continued testing with PIR will help him make the scans faster and less noticeable.
  • Scheduling — Kevin and Katie noted that many faculty members (and their computers) are not on campus on Friday afternoons, especially if a scan needed multiple hours. We discussed a few options – for example, scheduling for Tuesdays or Thursdays during the 11:30am-1pm time slot, having an option to skip a scan if your machine had already been scanned within the past week, being able to pause a scan, doing monthly instead of weekly scans, pinging computers to automatically turn on and scan in the middle of the night, warning everyone to run their first scan overnight, etc.

To help resolve some of these issues and identify other areas of concern for faculty, TAG members volunteered to serve as test subjects for automated scans. Adam said that he’d like to work through the PIR staff first but will then reach out to TAG members for additional testing and scoping.

We invite our fellow faculty to contact us with other concerns or questions.  If you’d like to try Identity Finder, it should already be installed on your (Windows) machine, and you can find a Quick Guide for getting started at http://www.scranton.edu/pir/its/identityFinder.shtml.

3. Academic Server Decommissioning

An official memo from IR will be coming out in the next few days announcing a timeline for the decommissioning of the academic server (academic.scranton.edu), which has been in the works since mid-2011.  The server has been heavily targeted by attacks, so due to security concerns, academic.scranton.edu will no longer be *public-facing* beginning June 15. Internal access (via a campus IP address) will still be available until August 31 in case users need more time to move content. Adam explained that a firm deadline was needed in order to mitigate the major risk of a supposedly retired server still being public-facing.

Adam would like to work with people who still have public content on the server to migrate to either the CMS or another campus server.  (Content was supposed to have been migrated to the Content Management System (CMS), but there is still some active content there that was not migrated for one reason or another – some of it could not be accommodated within the CMS’s available functionality.) He has already met with the CTLE and the Library about moving the development pages for the Academic Integrity Tutorial. TAG will help reach out to faculty members who still have either individual content or organizational content on academic to determine what needs to be migrated where, and what level of support, assistance, or training is required. Adam will send Kristen information about the remaining directories and a list of faculty usernames connected to content on academic. After the official IR memo comes out, TAG will follow up that communication with those faculty members. (Faculty members who had individual pages on academic were contacted back in 2011 about moving their content, so hopefully most of this migration work is already completed.)

This discussion brought up some broader concerns about web development resources on campus. Tim described some of the difficulties he had finding a home for the Sheep Brain Dissection Guide. Eugeniu mentioned that some faculty members who had migrated their content from academic to the CMS reported that the Google ranking of their page had gone down in search results. The local WordPress server (sites.scranton.edu) might be a new option for student and faculty web development, but the extent of this service is still being discussed. We didn’t come up with any answers on this, but as always faculty members may contact TAG with other concerns, questions, or suggestions regarding web development on campus.

