Encryption with 7-Zip – Instructions

3 07 2014

So there was a bit of internet shock earlier this summer when a surprise announcement came out that the widely used encryption utility TrueCrypt was no longer being developed. Previously, our Information Security Office had recommended TrueCrypt as a tool for encrypting personal and confidential information, like human subject data. Now that TrueCrypt has been discontinued, Security Officer Adam Edwards passed along some instructions (.docx) for using an alternative (also free and open source) encryption tool, 7-Zip.

Adam warns:

**One caveat with this option is that there is no central management.  This is important because if a user loses their password the data will be lost. Manual recovery procedures will need to be put in place to ensure there is alternative access in the event of an emergency.  If no manual recovery procedures are put in place and the password is lost the data will be lost.**

Please contact Information Security with questions or concerns. Thanks to Adam (and Information Security Engineer Scott Finlon) for watching out for us!


Comments : Leave a Comment »
Tags: , , , , , , ,
Categories : Announcements, Security

Identity Finder FAQ for Faculty

25 03 2014

[Note: Significant updates made on 2014-05-13, 2014-05-07, and 2014-04-24. Updates on scheduling and encryption on 2014-07-02.]

Back in April 2013, IT Services Director Jim Franceschelli and Information Security Director Adam Edwards came to TAG with a proposal to automate Identity Finder scans on faculty desktop computers. In June 2013, the President’s Cabinet approved the use of automated scans with Identity Finder on University-owned desktops as part of an overall Information Security Data Loss Prevention program. Then-CIO Jerry DeSanto sent an email announcement about the program to all faculty and staff on June 21, 2013, projecting implementation in December 2013.

Since then, Information Security has been working with TAG to pilot test the scans and try to smooth the process as much as possible for faculty. Automated scans have already started for staff, and Information Security would like to move forward with implementation for faculty machines. Currently, automated scans are scheduled to begin on August 1, 2014. Here’s what faculty need to know:

Why is the University doing this?

  • Data security is serious business for higher ed — we have ethical, legal, and financial obligations to protect the personally identifiable information that we have collected from students, faculty, staff, human subjects, etc.
  • If your computer or external media contracts a computer virus, is lost, stolen, or broken into over the network, files containing restricted information are at risk for theft. This information can be used to steal not only your money and identity, but also the money and identities of anyone else who either shares your computer or whose restricted information you store.
  • If you store restricted information for University work, the University would be obligated under state law to notify everyone affected by the breach and could potentially be legally liable.

Does this benefit me at all?

  • Identity Finder can help you protect yourself — use it to search for sensitive, unprotected information on your computer and then take an action (Shred, Scrub, Secure, Quarantine, etc) to secure that information. (Personally, an Identity Finder scan I ran on my machine found old documents containing my SSN that I had stored unencrypted in Google Drive… not smart.)
  • If your computer gets a virus, IT Services can clean and return it to you much more quickly and easily if they have a recent Identity Finder report for your machine.

What is Identity Finder?

  • Identity Finder is security software that scans your (Windows) computer for sensitive, unsecured Personally Identifiable Information (PII) stored in unprotected files.
  • If you run a scan on your machine, Identity Finder will give you a report showing what it found and where. It then gives you options to take action – you can shred the file, scrub (redact) information, secure the file, or move it to a quarantined location. You can also ignore false positives.
  • It works by looking for patterns – for example, a nine-digit number in the pattern ###-##-#### would be picked up as a possible Social Security number. If it picks up something that looks like a Social Security number but isn’t (a false positive), you can tell it to Ignore that result.
  • Identity Finder has been installed on all University Windows machines (via KBOX) since about 2009.

What kind of sensitive/restricted information are we talking about?

  • Restricted information is any piece of information which can potentially be used to uniquely identify, contact, or locate a single person. Restricted information is generally regulated by law or contract and often used for financial, medical, or research identification. (See the Information Classification Policy for additional info.)
  • Identity Finder looks for most types of Personal Identifying Information:
    • Bank Account Numbers
    • Credit Card Numbers
    • Dates of Birth
    • Driver’s Licenses
    • Passwords
    • Passport numbers
    • Social Security Numbers
  • Identity Finder is NOT looking for:
    • Email addresses
    • Mother’s maiden name
    • Personal addresses
    • Phone numbers
    • United Kingdom National Heath Service Numbers, United Kingdom National Insurance Numbers, Canada Social Insurance Numbers, Australia Tax File Numbers
  • If you’d like to get a better understanding of what kind of information Identity Finder picks up, you can run a non-scheduled Identity Finder scan on your machine whenever you’d like.

What are automated scans? 

  • Right now, Identity Finder only scans your machine when you tell it to.
  • Information Security and IT Services plans to run weekly, automated Identity Finder scans (see the proposal for details) on all University (Windows) computers. The idea is that every Friday at noon, all University computers will automatically initiate an Identity Finder scan.

Where is Identity Finder looking? What folders/locations are scanned?

  • Automated scans include:
    • Local filesystems (like your C: drive) and local registry
    • Browsers
    • Attached devices
    • Email —  If you use a local email client (e.g. Outlook or Thunderbird), Identity Finder will scan through your mailboxes that are cached on your computer, however, if you mainly use OWA or other method through a browser, you don’t have a local cached copy, and Identity Finder won’t be able to scan it.
  • Scans do not include the R: drive or most other remote connections.
  • If you’d like to get a better understanding of what the automated scans will include, you can run a non-scheduled Identity Finder scan on your machine whenever you’d like.

What if I have sensitive/restricted/confidential information saved on my computer?  Like confidential human subject research data or client files?

  • ANY sensitive/restricted/confidential information that you are storing ANYWHERE should be encrypted! Without encryption, your data is vulnerable to attack, misuse, and all sorts of other bad things.
  • Information Security recommends using TrueCrypt (which is free and open source) to encrypt your data. Scott Finlon in Information Security wrote up some brief  instructions (PDF) for encrypting a folder of files using TrueCrypt. Update 2014-07-02: Support for TrueCrypt was discontinued in 2014-05, so Information Security now recommends using 7Zip – see instructions (.docx).
  • Information Security has been in ongoing conversations with the IRB about ensuring confidentiality of human subject research data and client files. Members of the IRB had expressed concerns that Identity Finder scans would violate the confidentiality of human subject data. The good news is that data encryption resolves this concern — encryption protects sensitive data from Identity Finder scans as well as from external malicious attacks.
  • Please contact Information Security if you have any questions about protecting confidential data.

How long do the scans take? Will this affect my computer or my work?

  • Identity Finder scans can take several hours if you have a large number of documents.
  • Thankfully, Identity Finder uses a search history to keep track of what files do and do not have matches. Because of this, the initial scan is much slower than subsequent scans, as it has to scan your entire hard drive. Each subsequent scan will only look at new files, changed files, and files that previously reported matches.
  • TAG members have been piloting automated scans since September 19, 2013. We ran our own scans first, and these often took quite a while. After the initial scan, however, subsequent automated scans have been speedy. So far, none of us have experienced any performance issues – the scans are essentially invisible to the user.

My computer went to sleep during the scan. What happens now? Can Identity Finder wake my computer up to scan?

  • Identity Finder scheduled scans are set locally, so they will only be invoked while the computer is on and running — they can’t wake up your computer.

What if I’m not on campus on Fridays and my desktop machine is turned off? What if I’m not on campus on Fridays but am using my laptop? 

  • Automated scans are currently scheduled in batch for Fridays at noon. They will run as long as your computer is turned on – whether or not you’re on campus (or on the University network).
  • If you are offline, the scan will run as scheduled. The report will be sent to Information Security once you reconnect to a network.
  • If your computer is turned off at 12pm on Friday (that is, if the scheduled scan is missed), it will begin with a randomized start time between 30 minutes and 120 minutes after the computer is back up and running.

What happens after the scan is done?

  • When the scan is done, Information Security will get a report from Identity Finder indicating the level of risk for that machine. The report includes the number of hits, but NOT the actual information that was marked as potentially sensitive – that is redacted. The reports show only a masked version of a potentially problematic file and the location where it was found. Reports are only viewable by the Information Security Director (Adam Edwards) and the Information Security Engineer (Scott Finlon).
  • Based off of these reports, Information Security then works one-on-one with users, recommending that users delete the files (if they’re no longer needed) or move them to a more secure, encrypted location. (Adam said that he is working with staff with the most risk first — e.g., people with 1,000 hits or more.)

What if I have a Mac or Linux machine? 

  • Automated Identity Finder scans will only run on Windows machines.

When is this happening?

  • Automated scans are scheduled to begin on University-provided faculty desktop machines on August 1, 2014. (Information Security Officer Adam Edwards sent out a notification to all faculty on May 28, 2014 and a reminder on June 30, 2014).
  • Automated Identity Finder scans are already running on staff machines (and on TAG members’ machines).

What should I do to prepare?

Questions or concerns?

 


Comments : Leave a Comment »
Tags: , , , , ,
Categories : Announcements, Security

Encryption with TrueCrypt

8 03 2014

Update 2014-07-02: Support for TrueCrypt has been discontinued! Information Security recommends using 7Zip instead – see instructions (.docx).

——————————————————————————-

At our last TAG meeting, Adam Edwards and Scott Finlon from Information Security demonstrated automated Identity Finder scans as well as encrypting files with TrueCrypt (which is free and open source :). At our next TAG meeting, we’ll be starting to identify which departments can move forward with automated scans — so as a reminder, you’ll all want to make sure that any confidential or sensitive information stored on your desktop is safely encrypted.

Scott has sent along some brief  instructions (PDF) for encrypting a folder of files using TrueCrypt — the first page is set up and the second is everyday usage.  Please contact Information Security if you have any questions about encryption.

You can also run your own Identity Finder scan in the meantime – see IR’s Quick Guide if you need help getting started.

Many thanks to Adam and Scott for their guidance on this issue!

 


Comments : Leave a Comment »
Tags: , , , , ,
Categories : Announcements, Security, Technology Training, Tutorials

TAG Meeting Notes 2014-02-12

14 02 2014

TAG Meeting February 12, 2014 12:00pm-1:00pm

Attendees:
Jeremy Brees, Tim Cannon, Paul Cutrufello, Kim Daniloski, Dave Dzurec, Eugeniu Grigorescu, Katie Iacocca, Andrew LaZella, Lori Nidoh, Kristen Yarmey

1. Brief Reports

Acceptable Use Policy

CIO Jerry DeSanto announced on February 6 that the new Acceptable Use of Information Technology Resources Policy had been approved by the President’s Cabinet. The new policy is an update to the old Code of Responsible Computing. Many thanks to Jim Franceschelli and Dave Dzurec for co-chairing the committee charged with revision.

PR Department/Program Website initiative

Back in late November, Dave, Kim, and Kristen (along with Hal Baillie, Darla Germeroth, and Ray Schwenk) met with Gerry Zaboski and Lori Nidoh in PR to discuss department and program websites. Also in on the meeting (phoning in from Cedar Rapids) were representatives from Converge, a vendor that PR has hired to help us with initial planning and updates for departmental websites and academic program pages (note: *not* course catalog content/program descriptions, which require formal review).

The main goal from a faculty perspective is to develop content for department/program pages that is consistent across the University website and does a better job of communicating what it is that we do — reflecting the quality of our programs/departments, “telling the story” of the student educational experience, etc. (In 2012-2013 TAG had prepared a proposal for improving and maintaining department/program websites that advocated for additional support for this task.)

Briefly, Converge plans to 1) outline/inventory needed content, 2) do some search engine optimization research (e.g., what terms do users type in to Google when they’re looking for nursing programs?), 3) develop a draft template for page content, 4) get faculty feedback via a campus visit and questionnaire, 5) draft some copy, and 6) help us prepare a long term strategy. Their main output would be a consistent template for department/program pages, and they will create content for up to 50 department/program pages (though the institution has the final say on content). Gerry explained that this way we can get a lot of updates done quickly.

PR and Academic Affairs would like to bring together a steering committee or task force to coordinate this project, with work beginning in March. Gerry has broached this topic with the Committee on University Image and Promotion (CUIP), which includes faculty representatives.  After the November meeting, Kristen and Dave had asked TAG members to identify faculty who might be interested in serving on such a steering committee. Teresa, Sandy, and Dave then volunteered.  However, Lori noted that it has not yet been decided which program/department pages will be selected as the focus of the project, and she was not sure who will make that decision. We agreed that once these programs/departments have been selected, TAG will support the faculty representatives on CUIP in trying to recruit faculty volunteers to participate.

Desire2Learn

Desire2Learn went live in January, and so far the transition seems to be going smoothly (see the LMS transition page for details). About 30 faculty members opted to begin teaching in Desire2Learn in Spring 2014. Courses that are being taught in Desire2Learn have been disabled in ANGEL so that students don’t see them in both places.  Workshops and video tutorials are available for faculty.

Eugeniu reported that there was an issue with merging courses that CTLE wasn’t able to resolve in time for this semester, but it will be resolved in time for summer and fall courses. Another issue has been reported with links – Firefox and Chrome are problematic when trying to display unsecure pages within secure frames.

Mobile Apps

IR’s Mobile Apps feedback group met in December (pptx). Sandy attended as a faculty representative. The group reviewed the University’s current apps — ANGEL Mobile, eAccounts (for RoyalCard), the Straxis app, Student Services app, RoyalSync, and Desire2Learn (which also has two special purpose apps – Binder and Grader) — and discussed what additional features should be mobile accessible.  The Straxis app will be retired at the end of the year and replaced by a locally developed web app for the fall 2014 semester.

Royal Card

Faculty are reminded to visit the TSC to get a new RoyalCard. Take your old RoyalCard or a driver’s license, and you will be photographed.

Windows XP to 7 Conversions

(Jim was unable to attend the meeting but sent an update on this via email.) IT Services is continuing to work on converting all remaining Windows XP machines to Windows 7. Faculty machines are the current priority, with a goal of finishing all faculty conversions by the end of May.  IT Services will contact users to schedule a time and date for conversion — the process takes about two hours.  Dave noted that the history department was almost entirely converted and had no issues.

II. Items for Discussion

Specialized Software/Computer Lab Survey Results

Kristen is still working on putting together the survey results and apologized to TAG members for the delay.

WordPress Network

Kristen reported that at least one additional faculty request for a site on the campus WordPress network (sites.scranton.edu) had been turned down. There seems to be a continuing need among faculty and students for academic web space, particularly since the academic server (academic.scranton.edu) was decommissioned.

At our September 2013 meeting, TAG had requested that IR draft language on service levels for WordPress. Kristen asked Jim for an update on this issue. Jim was unable to attend this meeting but sent an update via email, excerpted here:

We met this past fall and have consulted with the CTLE on various support issues.  Unfortunately at this time, we cannot extend the wordpress offerings.  Looking at the current issues at hand – especially with the CTLE and the conversion to D2L – extending support won’t happen until January 2015 at the earliest. I know there is growing demand and many faculty want to use wordpress as an alternative web site.  Unfortunately the supported options are within the CMS.  D2L does have options for blogging and discussion boards.  I think TAG had offered to look at it from a faculty perspective – any news back on that?

Eugeniu explained that CTLE was unable to provide assistance to IR on support for WordPress at the same time as they are supporting faculty and students during the transition to Desire2Learn.

Kristen asked TAG members for their reactions. The majority agreed that we would like to keep advocating for WordPress but acknowledge that Desire2Learn should take priority at this time. Dave suggested that we revisit the question again in January 2015 as Jim indicated.

III. New Business

Vice President for Planning/CIO

Fr. Quinn announced in December 2013 that Jerry DeSanto would be stepping down as Vice President for Planning/CIO. Associate Vice President Robyn Dickinson will serve as Interim. While the search for a new Provost is taking priority, Dave and Kristen noted that they planned to volunteer TAG’s input (either formal or informal) in any upcoming search for the CIO position.

TAG Leadership for 2014-2015

Kristen will be rotating off as TAG co-chair at the end of Spring 2014. Dave will continue as co-chair for 2014-2015, but will be on sabbatical in Spring 2015.  They asked for one or two volunteers (preferably but not necessarily including a Senator) to serve a two-year term as co-chair. Andrew volunteered to serve in Spring 2015 while Dave is away. We are still in need of another volunteer to serve the full year.

IV. Demonstrations

Adam Edwards and Scott Finlon from Information Security came to the second half of the TAG meeting for two demonstrations.

Firstly, they demonstrated the administrative side of Identity Finder. TAG members have been piloting automated Identity Finder scans, which are running each Friday at noon. Identify Finder scans the user’s computer for any personally identifiable information (PII) in unprotected files. The Information Security Office receives reports that indicate the level of risk for that machine. Anticipating concerns about privacy and confidentiality, Adam and Scott showed a sample report. The report shows the number of hits and the location of each file with hits, but the actual information is obscured. Based off of these reports, Adam then works one-on-one with users to either delete the files or move them to a more secure location. Adam said that he is working with staff with the most risk first (e.g., people with 1,000 hits or more).

Secondly, Adam and Scott demonstrated using TrueCrypt (free open-source disk encryption software) to encrypt files or folders that contain confidential information (such as human subject research data). They have already shown this tool (along with another encryption tool in Identity Finder) to the IRB and would like to make it a recommended standard for campus use. [Update 2014-07-02: Support for TrueCrypt has been discontinued, so Information Security now recommends using 7Zip for encrypting sensitive or confidential data.] TAG members did not bring up any concerns, so we will move forward on this. Adam will share brief written instructions, and we will share them with the faculty as a recommended practice for confidential data.

Adam and Scott would like to start automated Identity Finder scans on faculty computers beginning with departments that would *not* have any confidential subject data stored no faculty desktops. We were not sure that such a distinction could be easily made, but TAG will try to work with department chairs to determine which departments might be willing to begin scans. Scott will send Kristen a list of departments as they appear in Identity Finder (based on Active Directory groups) as a starting point.

Adjournment

The meeting adjourned at 1:10pm. TAG’s next meeting will be Wednesday, March 12 from 12pm-1pm in WML305.


Comments : Leave a Comment »
Tags: , , , , , , , , , , , , , , ,
Categories : Angel and Desire2Learn, Announcements, Minutes, Mobile, Security, TAG Administrative, Website Proposal

TAG Meeting 2013-04-03

3 04 2013

TAG met for our third and final Spring 2013 meeting this morning, and it was a meaty one. Here’s what’s going on:

1. TAG Leadership for 2013-2014

Continuing the discussion from our March meeting, we’ve officially agreed to move to a rotating, 2-year-term, 2-co-chair leadership model for 2013-2014. Jeremy and Kristen nominated Dave (currently a Faculty Senator) to take over for Jeremy as co-chair in 2013-2014 and serve as TAG’s liaison to the Faculty Senate. We held a not-quite-strictly-parliamentarian vote among the faculty TAG members present, which passed with no audible or visible dissent, so Dave will start his 2-year term in Fall 2013… or more likely Summer 2013. Kristen will stay on for 2013-2014 and then rotate off, to be replaced by a new co-chair in 2014-2015.

2. Identity Finder Automated Scans

Jim brought Adam Edwards, our new Information Security Officer, with him to the meeting to talk about an Information Security Office/IT Client Services Identity Finder Proposal on Automating Scans. For those just joining us, Identity Finder software scans your computer for sensitive, unsecured Personally Identifiable Information (PII). It’s been installed on faculty computers since 2011 (Windows only – Mac and Linux users can skip this part). To date, the scans have been encouraged but entirely voluntary and entirely user-initiated.

The Information Security Office and IT Client Services are jointly proposing implementation of weekly, automated, required Identity Finder scans (see the proposal for details). Adam explained the rationale — if IR knows where sensitive data is stored on campus, it’s easier to protect that vulnerable data and avoid embarrassing FERPA violations. It’s also easier and faster to fix and return malware-infected machines if IR knows whether or not the machine had any sensitive data on it. Here’s how the proposed scans would work:

  • Every Friday at 12:30pm (or the next time your work machine was turned on), Identity Finder would automatically begin a scan.
  • Scans would be limited to only certain types of sensitive data – e.g., Social Security numbers, drivers’ license numbers, credit card numbers, and birth dates.
  • The Information Security Office would receive reports on the scan results. Adam would see the number of hits, and a masked view of the PII found, but he would NOT be able to see the file or the full PII picked up in the scan.
  • If a computer frequently had many hits identified, Adam would reach out to that user to help them better manage their sensitive data (so that the Information Security Office’s efforts would be focused on the largest sets of the most vulnerable data).

Adam has been testing with a small group. This Friday he’ll be rolling out the automated scans to all PIR staff members for another 2-3 weeks of testing. Adam noted that they are working on finding the most effective and efficient ways to scope the scans to minimize scan time.

TAG members mentioned a few concerns:

  • Scan length and performance effects — Kristen and Kim had run test scans on their machines that took much longer than expected (Kristen’s was 7 hours and 45 minutes, with a noticeable impact on performance).  Jim said that the subsequent scans are much faster, since you can set Identity Finder to ignore locations with many false positives – his scan takes about 3 hours. With respect to performance, Identity Finder does have a throttling capacity, such that it is not supposed to impact other applications. Adam explained that continued testing with PIR will help him make the scans faster and less noticeable.
  • Scheduling — Kevin and Katie noted that many faculty members (and their computers) are not on campus on Friday afternoons, especially if a scan needed multiple hours. We discussed a few options – for example, scheduling for Tuesday or Thursdays during the 11:30-1pm time slot, having an option to skip a scan if your machine had already been scanned within the past week, being able to pause a scan, doing monthly instead of weekly scans, pinging computers to automatically turn on and scan in the middle of the night, warning everyone to run their first scan overnight, etc.

To help resolve some of these issues and identify other areas of concern for faculty, TAG members volunteered to serve as test subjects for automated scans. Adam said that he’d like to work through the PIR staff first but will then reach out to TAG members for additional testing and scoping.

We invite our fellow faculty to contact us with other concerns or questions.  If you’d like to try Identity Finder, it should already be installed on your (Windows) machine, and you can find a Quick Guide for getting started at http://www.scranton.edu/pir/its/identityFinder.shtml.

3. Academic Server Decommissioning

An official memo from IR will be coming out in the next few days announcing a timeline for the decommissioning of the academic server (academic.scranton.edu), which has been in the works since mid-2011.  The server has been heavily targeted by attacks, so due to security concerns, academic.scranton.edu will no longer be *public-facing* beginning June 15. Internal access (via a campus IP address) will still be available until August 31 in case users need more time to move content. Adam explained that a firm deadline was needed in order to mitigate the major risk of a supposedly retired server still being public-facing.

Adam would like to work with people who still have public content on the server to migrate to either the CMS or another campus server.  (Content was supposed to have been migrated to the Content Management System (CMS), but there is still some active content there that was not migrated for one reason or another – some of it could not be accommodated within the CMS’s available functionality.) He has already met with the CTLE and the Library about moving the development pages for the Academic Integrity Tutorial. TAG will help reach out to faculty members who still have either individual content or organizational content on academic to determine what needs to be migrated where, and what level of support, assistance, or training is required. Adam will send Kristen information about the remaining directories and a list of faculty usernames connected to content on academic. After the official IR memo comes out, TAG will follow up that communication with those faculty members. (Faculty members who had individual pages on academic were contacted back in 2011 about moving their content, so hopefully most of this migration work is already completed.)

This discussion brought up some broader concerns about web development resources on campus. Tim described some of the difficulties he had finding a home for the Sheep Brain Dissection Guide. Eugeniu mentioned that some faculty members who had migrated their content from academic to the CMS reported that the Google ranking of their page had gone down in search results. The local WordPress server (sites.scranton.edu) might be a new option for student and faculty web development, but the extent of this service is still being discussed. We didn’t come up with any answers on this, but as always faculty members may contact TAG with other concerns, questions, or suggestions regarding web development on campus.


Comments : Leave a Comment »
Tags: , , , , , , ,
Categories : CMS and University Website, Minutes, Network and Infrastructure, Outages, TAG Administrative

FERPA considerations for cloud services

11 09 2012

I sat in on today’s meeting of IMAC (the Information Management Advisory Committee) on behalf of TAG. There were two major items discussed – a revision to the Records Management & Retention Policy (which I don’t think will have much direct impact on faculty) and a set of Guidelines for the Use of Cloud Computing Services.

The Guidelines are not policy – the document just list some of the concerns and considerations faculty and staff should be aware of when signing up for cloud services like Gmail, Google Docs, Dropbox, Facebook, Twitter, Pinterest, PayPal, etc.

The Guidelines are currently in draft format, so I’ve been asked not to distribute them outside of TAG. Non-TAG members, the new Guidelines will be sent out in 3-4 weeks, but in the meantime take a look at former Information Security Officer Tony Maszeroski’s Guidance on the Use of Cloud Applications by Individuals – the new Guidelines are similar in content.

One of the major concerns with using cloud services for University-related work (like teaching) is that it introduces all sorts of privacy and security issues. Almost all student information, like grades, transcripts, class lists, etc, is classified as restricted or confidential (see the Information Classification Policy) due to FERPA.

Classified or restricted information should not be stored or transferred on non-University systems, so faculty need to be very aware of what information we’re sharing with what third parties. If you’re using cloud tools or social media as part of your class or lab, you need to be very conscious of any potential privacy violations, and be upfront with students about the terms of service.

(See EDUCAUSE’s 2010 report on Privacy Considerations in Cloud-Based Teaching and Learning Environments. Colorado Community Colleges Online has posted some scenarios relating to respecting FERPA in an online classroom.)

I don’t think this is an issue that most faculty are very aware of, and I’d like to get a sense of how TAG can help faculty sort out these considerations in their classes. So let me know what you think – What questions do you have? What resources or references would be useful?


Comments : 5 Comments »
Tags: , , , , , , , ,
Categories : Announcements, Online courses, Security

TAG Meeting Notes 9/29/11

29 09 2011

We had our first TAG meeting of 2011-2012 this morning.  We had a lot to catch up on from the summer, so apologies for the long notes! As always, post a comment if there are any questions or concerns.

  • New members. Teresa Conte joined us from Nursing as a replacement for Cathy Lovecchio. Ben Bishop (Computing Sciences) joined us late last spring, as did Lori Nidoh (representing Public Relations). S.P. Chattopadhyay is currently on sabbatical, and Kevin Wilkerson has returned from his.
  • Novel Pedagogy Cohort. Jeremy and a few other CAS faculty members have formed a small group to explore and implement new pedagogy techniques in their classes – some of which involve technology while others don’t.  Tools to be explored include lecture capture and clicker systems. If any other faculty are interested in innovative pedagogy, let Jeremy know.
  • Lecture capture.  A team of stakeholders (including TAG members Jeremy, Kristen, Sandy, and Eugeniu) met several times in the spring and summer to review possible products for lecture capture.  The final recommendation was a hybrid solution of Media Site (as a back end) and Crestron HD appliances for the actual capture. Implementation will start in the Science Center and then spread to other departments. Right now, IR is working on setting up the back end servers while VistaComm is implementing the front end capture devices. The goal is to have LSC lecture capture ready to go by Spring 2011, and then expand to other departments next year as funding allows. Sandy and Teresa noted that Education and Nursing would be very interested in implementing lecture capture in their classrooms. Thanks to Jason Oakey over in Instructional Technology for taking the lead on this project!
  • Office 2010.  The upgrade to Office 2010 for faculty and staff is tied to the email conversion (see below) due to the incorporation of Outlook.
  • Windows 7. The upgrade to Windows 7 for faculty and staff machines currently running Windows XP is held up due to a security issue. XP users are currently admin users on their computers. While this gives us a lot of flexibility and control over our own machines, it also introduces security risks – users can accidentally install malicious code.  When we move to Windows 7, IR will change XP users’ roles from admin to standard user accounts. By default, standard users wouldn’t be able to install or delete applications, but ideally there will be a way for users to obtain temporary admin status when they need to install programs. IR is currently working out these privilege management issues, so Windows 7 deployment is pushed back to (tentatively) Spring 2011.   Wesley asked about 64 bit vs 32 bit machines – Jim said that by default new machines will be 32 bit, but faculty who need 64 bit should let him know.
  • Email conversion. The Microsoft Live @ Edu email transition has been delayed by issues with identity management (e.g., automatically assigning set permissions to new hires, and removing permissions from retirees, departing employees, etc). IR is working on a workaround plan that would let us go forward with the email conversion while temporarily skipping over identity management. IR is aware of “crunch times” in faculty schedules, so faculty email conversion will probably wait until intersession or beyond.
  • Personally identifiable information.  Ben asked about security concerns for faculty members who don’t use University email.  Jim recommends that any University business, and especially any University business that involves confidential information, be done using University services (like Angel and Royal Drive). The Identity Finder tool is available to help faculty and staff find any PII that might be on their machines. IR also has security training videos that faculty can watch to get an entry-level awareness of PII.
  • Information Resources Advisory Committee.  IRAC had been inactive for a year but is now reconstituted. IRAC members will be providing input on IR’s service portfolio. TAG members Dave, Paul, Eugeniu, and Lori will be on it as CAS faculty, PCPS faculty, CTLE, and PR representatives, respectively.
  • TechQual. IR ran this customer service survey over the summer. Preliminary results just came in, but IR is still processing them and will present them to IRAC next month.
  • Loyola Science Center. Most of the IT work in LSC is done, but there are still a few equipment issues popping up in classrooms. IR will continue working on this. Remaining projects include lecture capture, the auditorium, and RoomView, a tool that will allow Instructional Technology to monitor and maintain classroom equipment (e.g., whether or not a projector has been left on).
  • Wireless. The wireless upgrade project was approved.  Phase I (freshmen residences, the new Mulberry Street residences, and the LSC) is complete and adds 350 new WiFi points to the campus. Phase II is currently underway and will add 252 WiFi points in 21 buildings (residences, St. Thomas, and the Long Center). Phase III is scheduled for summer 2012 and will include the remaining academic and administrative buildings as well as outdoor coverage.  This is a big improvement – many thanks to the Network Infrastructure staff!
  • CTLE liaison. CTLE used to have two faculty liaisons who focused teaching and pedagogy. They have now added a third faculty liaison, TAG member Sandy Pesavento, to provide input on faculty interests and needs regarding pedagogical uses of technology.
  • Mobile access to Angel. CTLE and IR experimented with Blackboard’s iOS app for Angel, but found it to be a very limited tool, particularly for teachers (e.g., faculty can’t enter grades or interact with Angel dropboxes).  So mobile access to Angel still isn’t conveniently available at this time.
  • LMS review. Our contract with Angel expires in 2013, so a review committee will begin exploring other learning management system (LMS) options in January. Connie Wisdo in ITDA will lead the group. Eugeniu said that we might have an opportunity to use a “free” installation of Blackboard temporarily (on top of our existing Angel installation) so that faculty could try it out. Dave asked whether or not we would be able to migrate courses from Angel into a new LMS. Eugeniu said that from our current version of Angel (7.4), we could export/import single courses into Blackboard, with some imperfections. If we upgraded to v8 of Angel, we’d be able to batch migrate courses. Blackboard would also complement our Royal Card and emergency notification systems, since they’re Blackboard products (Transact and Connect), but it might not be easily tied into Banner.
  • Academic Technology Plan. The Provost’s office has no updates on the Academic Technology Plan.
  • Mobile website and app. Lori shared some analytics to give us an idea of how the mobile website and mobile app are being used. The app has been downloaded 7,604 times (mostly by iOS rather than Android devices). An in-app poll asked about the user’s identity, and 57% of the poll-takers were current students, 28% were alumni, 10% were prospective students, with faculty, staff, and other community members making up only 6%.  New app modules include Admissions and the Library (live but still being tweaked), with an Alumni module on the way. An iPad version is also on the timeline for this year, and hopefully mobile authentication is on the horizon.  The m.scranton mobile site is getting plenty of traffic. The most commonly viewed mobile pages are the home page and the admissions and academics home pages. [Note: Stats on the mobile app are here (in PDF). Stats on the mobile site are here (also in PDF).] PR is also setting up automatic redirects from the full site to the mobile site for recognized mobile devices – right now, the only active redirect is from the full site home page to the m.scranton home page.
  • Faculty websites. We’ve figured out a good workflow for faculty websites with CTLE. Any faculty member who wants to create a new website in the CMS should contact Aileen McHale in the CTLE. The CTLE TechCons will set up the faculty member’s web space, and then can help him or her as needed with templates or other support.  Sandy and Anne Marie would like to encourage faculty members (and any other page admins) to keep their websites current.
  • Continuing education. TAG members interested in learning more about academic uses of technology should keep an eye out for continuing education opportunities, since funding may be available. Jeremy and Sandy will each attend a day of the EDUCAUSE conference, courtesy of the Provost’s office.  Anne Marie and a few representatives from IR will also attend. TAG members who do participate in continuing education are asked to report back and share conference highlights.
  • Computerized testing. Teresa reported on concerns from the Nursing department. Nursing licensing exams are all online, so the department uses computerized testing to help their students prepare for the licensing environment.  Nursing faculty have run into trouble finding places to conduct their computer tests – there isn’t enough space to accommodate large classes, and classrooms that do accommodate that many students have been booked for other courses.  An ideal solution would be a large “shared resource” lab (possibly run by CTLE/Library) that faculty could schedule for tests, with computers set up to restrict access to the testing environment. Anne Marie suggested that we look at how other schools have solved this problem. Teresa will get more details on Nursing needs. Jim asked if other departments have this need, and for what class sizes. Once we have more information, we can agree on a good solution and then seek funding.
  • Our next meeting will be October 27. TAG members are asked to keep collecting (specific!) feedback from other faculty members on technology concerns or issues, and we’ll keep sharing information here as projects continue.

——

Note: Updated 10/24/11 with PDF docs of mobile app and website statistics shared during the meeting.


Comments : Leave a Comment »
Tags: , , , , , , , , , , , , , , , , , , ,
Categories : Angel and Desire2Learn, Email, Minutes, Mobile, Network and Infrastructure, Security, TAG Administrative, Upgrades

Identity Finder: Coming Soon on KBOX

5 05 2011

Today’s IT Forum with trainer Jack Williams was all about Identity Finder. What faculty need to know:

  • Sometime next week, KBOX will push out a new program to your computer called Identity Finder.
  • Identity Finder is a software tool that scans your computer for unsecured Personally Identifiable Information (PII).  It looks for things like Social Security numbers, credit card numbers, bank account numbers, passwords, etc (full list here) using pattern recognition and contextual analysis.
  • While the program will be automatically installed by KBOX, it won’t run automatically – so you can choose when you want to run it.  Jack recommends running it once each quarter.
  • When you do start the program, it will scan all of the files saved on your computer (including any email and email attachments that you have saved locally) and search for PII.  Jack noted that the scan can take a long time (average 3.5 hours), but you can run it in the background as you do other work.
  • At the end of the scan, Identity Finder will show you a list of any information it has identified as potential PII.  You can then review that report and decide how to act on each item. Options are to “shred” (delete completely from your machine), “scrub” (redact the sensitive information from the document), “secure” (password-protect the file), “quarantine” (save to a secure location, i.e. a folder on RoyalDrive), “recycle” (send to recycling bin), or “ignore” (for false positives – the file will be ignored in future Identity Finder scans).  If Identity Finder picks up PII in a Thunderbird email file, Jack recommends deleting it by going through Thunderbird rather than through Identity Finder.
  • You’re the only person who can review your scan results (there’s no automatic reporting back to IR, for example). When the scan is complete, Identity Finder sends a brief report back to a central management server indicating what PII has been found and what PC it is on.  It does not allow that central server to access the actual files on your machine.  The only people who can access that central server are the staff of the Information Security Office, and they will review Identity Finder reports from a University machine only in two situations: 1) if the security of a machine has been breached, or 2) if the head of a department or area requests the reports to validate the security of machines in their area.
  • Step-by-step instructions will be available here.  Jack has also posted basic and detailed instruction guides (PDF).

Please pass the word along to your fellow faculty members so that no one’s caught off guard next week, and let me know if there are any questions. Thanks!

————–

Updated 5/6/11 with correction from Jim regarding reporting


Comments : Leave a Comment »
Tags: , , ,
Categories : Announcements, Security

IT Forum on Identity Finder 5/5

19 04 2011

We’re all invited to the next IT forum (5/5 from 11:30-1pm) to learn more about Identity Finder.  Here’s the invite from IT Services:

Join us at the next IT Forum set for Thursday, May 5, in Brennan Hall, room 509, for an important and interesting look at Identity Finder. This easy-to-use program will allow the entire University of Scranton community to secure the very important information we have stored on our computers.

Identity Finder looks for those files we keep that may be targets for identity theft and other malicious acts. Files holding Social Security numbers, credit card numbers, driver license numbers, bank account data, passwords and more, can be secured to prevent any unauthorized use of your files or data belonging to the University.

Jack Williams, IT Services Training Specialist, will be presenting. All University personnel are encouraged to attend, and lunch will be provided. Please RSVP by e-mailing ITServices@scranton.edu by Monday, May 2.


Comments : Leave a Comment »
Tags: , ,
Categories : Announcements, Security, Technology Training

Campus email will switch to Microsoft Live@Edu

4 11 2010

Here on the TAG site we’ve already talked about how campus email is heading for the cloud.  Now, finally, thanks to IR, we have the news you’ve all been waiting to hear: the email system we’ll be switching to is (drumroll please)…

Microsoft Live@Edu.

There are a lot of details still to be worked out, but here’s what we know so far.

When is this happening?

  • The target date for campus implementation is June 2011.

What’s changing?

  • ALL campus email (faculty, staff, students) will move to the Microsoft Live@Edu platform.  Your email will be stored in the cloud rather than on a campus server (or your local machine).
  • We’ll have more storage space for email- everyone gets 10GB instead of 200MB. Wahoo!
  • Thunderbird will be gone.  We’ll be encouraged just to access email via a web browser, not via a desktop client.
  • You’ll keep the same @scranton.edu email address.  People emailing you won’t notice anything different.
  • Your old email can be migrated into Live@Edu, so you don’t have to worry about losing anything.  Details on migration procedures are still forthcoming.
  • Oracle CorpTime will be gone (not that many faculty members use it anyway!). Campus calendaring will be integrated with our email.
  • We’ll all get 25GB of space on SkyDrive, a cloud storage tool that you can use to access your files from anywhere.  But this isn’t replacing RoyalDrive – you’ll still be encouraged to back up your files to RoyalDrive, at least for the time being.
  • We’ll get easy access to Microsoft Office web apps – so you can do basic editing on Microsoft Word, Excel, and PowerPoint files even if you don’t have Microsoft Office installed on your home machine.
  • Mac users will be able to use Live@Edu just like PC users.

Why is the University doing this?

  • Our old email system was… well… old.
  • Cloud storage for email is MUCH less expensive than our current, on-campus system – about 50% less expensive.
  • Cloud storage is much more robust (and more secure) than storing email on your local hard drive.
  • Microsoft Live@Edu gives us some extra features that our current email system doesn’t provide –  collaboration and productivity tools, calendar integration, etc.

Why not Google?

Google was definitely considered as an option, but after much debate, Microsoft Live@Edu was selected as the best enterprise tool that would accommodate the needs of most University users.  IR shared with us a few reasons why:

  • Live@Edu integrates well with the campus’s existing systems – we already use a lot of Microsoft tools.
  • Google is an advertising-based system, and there were some concerns about ads – both that users would have to see them all the time, and that user email content would be searched and indexed so that ads could be better targeted.
  • IR wasn’t comfortable with Google’s track record on privacy issues.
  • Google doesn’t tell users *where* their data is being stored.  For the University, it’s important that data be stored *within* the United States – especially data containing personally identifiable information.

But I like Google!

  • Google fans can still forward their email to Gmail.  That said, we have to be a bit careful about this – the University has to comply with increasingly strict federal laws, like FERPA, that protect personally identifiable information.  IR is working with the General Counsel’s office to get a better feel for exactly what information makes up a student’s “educational record.”  We’ll post more about this as we get more information.

How can I find out more? How is this transition going to happen?

  • Transition plans are still being made. Jim Franceschelli is heading the project management team and has promised to keep us up to date – and we’ll post information as we get it.
  • Right now, the best way to find out more is to attend the IR Forum on Thursday, November 18, from 11:30am-1pm, at which IT Services will introduce Live@Edu to the campus community.  You’ll need to register with ITServices@scranton.eduUPDATE: If you missed it, see the slides from the Forum (ppsx).

How is TAG going to be involved?

We’ll be discussing this question at our next meeting! We have a few ideas so far, though:

  • We’ll coordinate with IR to help them get faculty prepared for this transition.
  • Jeremy and I have asked for access to some test accounts early in 2011 so that TAG members can get a feel for what barriers or significant changes faculty will be facing.
  • Jeremy and I are thinking of doing some early training for tech-savvy faculty – maybe in April or May 2011. Let us know if you’d be interested in this – you’d likely get to switch over your account early!

Questions or concerns?

  • TAG members will be compiling a list of faculty questions and concerns that we’ll do our best to answer and/or act on as the implementation plan proceeds. LET US KNOW what you’re thinking – either by commenting here or posting to the TAG Discussion List – and we’ll get back to you ASAP.

Comments : 9 Comments »
Tags: , , , , , , , , , ,
Categories : Announcements, Email, Upgrades

« Previous Entries