Academic webserver to be decommissioned

8 04 2013

Robyn Dickinson sent out the note below in regards to the academic webserver on Monday. If you have active webpages or content on the server that you need access to, please remove it and/or contact TAG immediately. We will do our best to help you find a new home for your data. Since the server has been a target for malicious attacks, your data is already at risk! If you do not do anything, you will lose access to anything stored on that server. If you have any questions, please contact your TAG representative or email tag-members@royallists.scranton.edu.

Thanks for your prompt attention!

Previously, you received a notice from our division that we had planned to decommission the public facing server academic.scranton.edu in the summer of 2012. In the past, this server housed web pages for the University’s academic departments, related organizations, and individual faculty. Academic administration and department pages have now been converted into the University’s web content management system (CMS). What remains are primarily individual faculty web pages and a few other organizations; we have identified each of you as still having active web pages residing on this server.
Recent vulnerability scans of this server have identified multiple weaknesses in the operating system. Due to these vulnerabilities, this server has become the target for attacks from foreign countries seeking to access our enterprise computer systems. I am writing to alert you that we will now be taking steps to remove public facing access to this server as of June 15, 2013. This means that after June 15, you will only be able to access the web pages that remain on this server from within our own network on campus. On August 15, 2013 the server will be retired and you will no longer be able to access any of its content.

Faculty members should watch for additional information about this transition coming from the Faculty Technology Advisory Committee (TAG) and can send questions to TAG-members@scranton.edu. If you would like assistance moving your web pages into the University’s web Content Management System (CMS), please contact Aileen McHale from the Center for Teaching and Learning Excellence (CTLE) at aileen.mchale@scranton.edu. Training for staff and faculty on how to use the web CMS is also available through IT Services by contacting Jack Williams, our IT Training Specialist, at jack.williams@scranton.edu to sign up for a class.

I appreciate your attention to this matter,





TAG Meeting 2013-04-03

3 04 2013

TAG met for our third and final Spring 2013 meeting this morning, and it was a meaty one. Here’s what’s going on:

1. TAG Leadership for 2013-2014

Continuing the discussion from our March meeting, we’ve officially agreed to move to a rotating, 2-year-term, 2-co-chair leadership model for 2013-2014. Jeremy and Kristen nominated Dave (currently a Faculty Senator) to take over for Jeremy as co-chair in 2013-2014 and serve as TAG’s liaison to the Faculty Senate. We held a not-quite-strictly-parliamentarian vote among the faculty TAG members present, which passed with no audible or visible dissent, so Dave will start his 2-year term in Fall 2013… or more likely Summer 2013. Kristen will stay on for 2013-2014 and then rotate off, to be replaced by a new co-chair in 2014-2015.

2. Identity Finder Automated Scans

Jim brought Adam Edwards, our new Information Security Officer, with him to the meeting to talk about an Information Security Office/IT Client Services Identity Finder Proposal on Automating Scans. For those just joining us, Identity Finder software scans your computer for sensitive, unsecured Personally Identifiable Information (PII). It’s been installed on faculty computers since 2011 (Windows only – Mac and Linux users can skip this part). To date, the scans have been encouraged but entirely voluntary and entirely user-initiated.

The Information Security Office and IT Client Services are jointly proposing implementation of weekly, automated, required Identity Finder scans (see the proposal for details). Adam explained the rationale — if IR knows where sensitive data is stored on campus, it’s easier to protect that vulnerable data and avoid embarrassing FERPA violations. It’s also easier and faster to fix and return malware-infected machines if IR knows whether or not the machine had any sensitive data on it. Here’s how the proposed scans would work:

  • Every Friday at 12:30pm (or the next time your work machine was turned on), Identity Finder would automatically begin a scan.
  • Scans would be limited to only certain types of sensitive data – e.g., Social Security numbers, drivers’ license numbers, credit card numbers, and birth dates.
  • The Information Security Office would receive reports on the scan results. Adam would see the number of hits, and a masked view of the PII found, but he would NOT be able to see the file or the full PII picked up in the scan.
  • If a computer frequently had many hits identified, Adam would reach out to that user to help them better manage their sensitive data (so that the Information Security Office’s efforts would be focused on the largest sets of the most vulnerable data).

Adam has been testing with a small group. This Friday he’ll be rolling out the automated scans to all PIR staff members for another 2-3 weeks of testing. Adam noted that they are working on finding the most effective and efficient ways to scope the scans to minimize scan time.

TAG members mentioned a few concerns:

  • Scan length and performance effects — Kristen and Kim had run test scans on their machines that took much longer than expected (Kristen’s was 7 hours and 45 minutes, with a noticeable impact on performance).  Jim said that the subsequent scans are much faster, since you can set Identity Finder to ignore locations with many false positives – his scan takes about 3 hours. With respect to performance, Identity Finder does have a throttling capacity, such that it is not supposed to impact other applications. Adam explained that continued testing with PIR will help him make the scans faster and less noticeable.
  • Scheduling — Kevin and Katie noted that many faculty members (and their computers) are not on campus on Friday afternoons, especially if a scan needed multiple hours. We discussed a few options – for example, scheduling for Tuesdays or Thursdays during the 11:30-1pm time slot, having an option to skip a scan if your machine had already been scanned within the past week, being able to pause a scan, doing monthly instead of weekly scans, pinging computers to automatically turn on and scan in the middle of the night, warning everyone to run their first scan overnight, etc.

To help resolve some of these issues and identify other areas of concern for faculty, TAG members volunteered to serve as test subjects for automated scans. Adam said that he’d like to work through the PIR staff first but will then reach out to TAG members for additional testing and scoping.

We invite our fellow faculty to contact us with other concerns or questions.  If you’d like to try Identity Finder, it should already be installed on your (Windows) machine, and you can find a Quick Guide for getting started at http://www.scranton.edu/pir/its/identityFinder.shtml.

3. Academic Server Decommissioning

An official memo from IR will be coming out in the next few days announcing a timeline for the decommissioning of the academic server (academic.scranton.edu), which has been in the works since mid-2011.  The server has been heavily targeted by attacks, so due to security concerns, academic.scranton.edu will no longer be *public-facing* beginning June 15. Internal access (via a campus IP address) will still be available until August 31 in case users need more time to move content. Adam explained that a firm deadline was needed in order to mitigate the major risk of a supposedly retired server still being public-facing.

Adam would like to work with people who still have public content on the server to migrate to either the CMS or another campus server.  (Content was supposed to have been migrated to the Content Management System (CMS), but there is still some active content there that was not migrated for one reason or another – some of it could not be accommodated within the CMS’s available functionality.) He has already met with the CTLE and the Library about moving the development pages for the Academic Integrity Tutorial. TAG will help reach out to faculty members who still have either individual content or organizational content on academic to determine what needs to be migrated where, and what level of support, assistance, or training is required. Adam will send Kristen information about the remaining directories and a list of faculty usernames connected to content on academic. After the official IR memo comes out, TAG will follow up that communication with those faculty members. (Faculty members who had individual pages on academic were contacted back in 2011 about moving their content, so hopefully most of this migration work is already completed.)

This discussion brought up some broader concerns about web development resources on campus. Tim described some of the difficulties he had finding a home for the Sheep Brain Dissection Guide. Eugeniu mentioned that some faculty members who had migrated their content from academic to the CMS reported that the Google ranking of their page had gone down in search results. The local WordPress server (sites.scranton.edu) might be a new option for student and faculty web development, but the extent of this service is still being discussed. We didn’t come up with any answers on this, but as always faculty members may contact TAG with other concerns, questions, or suggestions regarding web development on campus.





State of IT – Notes from September IT Forum

3 10 2012

Last week, CIO and Vice President for Planning Jerry DeSanto presented on the “State of IT” at the semester’s first IT Forum. His talk provided some really interesting insight into how CIOs strategically plan for the future – see his slides (in pptx) for more detail.

Some of the trends that Jerry discussed:

  • Consumerization – consumers bring their interest in technology to the workplace, and increasingly they’re also bringing their own devices (BYOD) to the workplace as well. For CIOs, this means a shift to supporting a wider variety of devices, with less depth of support for any one device/platform.
  • Cloud services – as we use more cloud computing services, we rely less on the computing power of our desktop computers. Thin clients let users access software from the cloud, so you don’t have to be at a specific workstation to use certain software.
  • Security – cloud computing raises a lot of issues in terms of security and data management – e.g., who owns the data? Is it secure? Is it exportable? Terms of service become very important. IR is working on some additional security initiatives, like two-factor authentication (for high risk data users), forced password changes, and guidelines for remote access (under development) – that is, how to safely work with restricted/confidential data from a non-University device.
  • Teaching and Learning – lots of new developments here – MOOCs, learning analytics, software licensing…
  • Network – The redundancy and reliability of the University network have become increasingly important. At the same time, there are increasing demands on the network (video streaming, gaming…). Our network just underwent a huge upgrade – our bandwidth is now 500 Mb, as compared to 50 Mb back in 2008.
  • Big data – corporations are increasingly leveraging data about their consumers to make decisions and to get a competitive edge. We might start seeing some of these techniques used in higher ed.
  • Business continuity – disaster recovery is really important. We have a good on-site data center, but we need an off-site backup as well.
  • Workforce and services – soft skills are becoming as important in IT as technical skills. As more software-as-a-service tools become available, there’s less need for home-grown solutions.

So there are lots of challenges ahead for Jerry and the IR division. Jerry has given TAG some questions he has about campus technology needs – we’ll be talking at our meeting today about how we can get input from the rest of the faculty. (More notes to come.)





FERPA considerations for cloud services

11 09 2012

I sat in on today’s meeting of IMAC (the Information Management Advisory Committee) on behalf of TAG. There were two major items discussed – a revision to the Records Management & Retention Policy (which I don’t think will have much direct impact on faculty) and a set of Guidelines for the Use of Cloud Computing Services.

The Guidelines are not policy – the document just lists some of the concerns and considerations faculty and staff should be aware of when signing up for cloud services like Gmail, Google Docs, Dropbox, Facebook, Twitter, Pinterest, PayPal, etc.

The Guidelines are currently in draft format, so I’ve been asked not to distribute them outside of TAG. Non-TAG members, the new Guidelines will be sent out in 3-4 weeks, but in the meantime take a look at former Information Security Officer Tony Maszeroski’s Guidance on the Use of Cloud Applications by Individuals – the new Guidelines are similar in content.

One of the major concerns with using cloud services for University-related work (like teaching) is that it introduces all sorts of privacy and security issues. Almost all student information, like grades, transcripts, class lists, etc., is classified as restricted or confidential (see the Information Classification Policy) due to FERPA.

Classified or restricted information should not be stored or transferred on non-University systems, so faculty need to be very aware of what information we’re sharing with what third parties. If you’re using cloud tools or social media as part of your class or lab, you need to be very conscious of any potential privacy violations, and be upfront with students about the terms of service.

(See EDUCAUSE’s 2010 report on Privacy Considerations in Cloud-Based Teaching and Learning Environments. Colorado Community Colleges Online has posted some scenarios relating to respecting FERPA in an online classroom.)

I don’t think this is an issue that most faculty are very aware of, and I’d like to get a sense of how TAG can help faculty sort out these considerations in their classes. So let me know what you think – What questions do you have? What resources or references would be useful?





Google Drive

25 04 2012

We know there are a lot of Google fans out there on campus, so we thought we’d pass along this link from Information Security manager Tony Maszeroski:

“Who owns your files on Google Drive?”

Or if you need background, “The Google Drive FAQ.”





TAG Meeting Notes 12/1/11

2 12 2011

[Updated 12/08/11 with links to additional information]

TAG met yesterday to catch up on all our initiatives. Here’s the latest:

  • The Learning Management System (LMS) Work Group has formed and will begin meetings this week.
  • The Mobile Apps work group met at the beginning of November. Meeting minutes are available (PDF). The meeting was mostly dedicated to getting everyone caught up on the existing mobile app and mobile website.  The minutes indicate that any new mobile development will occur within the existing University app (made by Straxis), but this point seemed undecided during the meeting itself. Kristen is seeking clarification from group leader Connie Wisdo on this question.

Sandy Pesavento (education) has withdrawn from the group due to time conflicts, but Andy Berger (physics) has volunteered to serve as a faculty representative along with Ben Bishop and Kristen Yarmey.

  • The Novel Pedagogy Group has received funding from the College of Arts and Sciences to design a mediated classroom that will accommodate the new pedagogies they are exploring. The group is working with Jim and OIT to mediate the room, which is intended to be a model of what the University could do should it prove effective.
  • Members of TAG met with IR in early November to discuss the results of last summer’s TechQual survey. Kristen will post the results and highlights of the discussion on this site under a separate title.  We’ve been asked not to share the results, but we did post a summary of the discussion.
  • IR invited TAG to provide feedback on a rough draft of a new Incidental Use Policy during last month’s IMAC meeting. Jeremy will post specifics about the policy on the TAG site under a separate title.
  • IR is in the process of hiring a new manager to coordinate the work of the Office of Instructional Technology.
  • Progress is being made on the Academic Technology Plan. Anne Marie interviewed several faculty members and administrators to get a sense of what the Plan should include.
  • Faculty directory. At our last meeting TAG discussed the faculty directory’s inability to list more than one department affiliation for a single faculty member. Anne Marie discussed this concern in a Banner meeting earlier this week.  There are several similar issues with Banner not being able to describe employee designations (e.g., emeritus, program director, department chair…).  It seems like the University needs to have a larger conversation about data storage and sharing – Banner wasn’t really designed to handle all of these designations. Anne Marie will look into how other universities handle data sharing.
  • Computerized testing. Teresa spoke with colleagues at Villanova University and found out that they use Par software to conduct secure, controlled online testing.  The downside to Par is that it doesn’t integrate with Villanova’s LMS (Blackboard). Jim will look into Par to see what options we might be able to provide for computerized testing on campus.
  • Security Awareness Training. The email announcement for IR’s security awareness training program went out early by accident. All faculty are encouraged to complete the training program – it’s  a series of short videos, totaling around 60 minutes.  The idea is to expand a general user’s knowledge and understanding of security issues.  See Jeremy’s post from 11/14/11 for details.
  • We talked briefly about the Oracle outage on 11/10 and the wireless outage on 11/16. IR has an incident policy now that indicates how and what information about outages should be disseminated.  During the Oracle outage, information was displayed on my.scranton showing alternate ways for users to access Angel and email. RoyalDrive was not included, but this has been fixed.  Jim is meeting with the rest of the IR team this week to figure out what happened during the 11/16 outage. His goal is for IR to be able to send out early notifications when something is happening.
  • The email transition is a go! The email team itself transitioned this week. Students will be transitioned at the end of December after exams. We discussed the best time to convert faculty, and the best option seems to be January.  We’ll transition in batches, by department. Notifications with more details will be sent out on paper and via email, but here’s essentially what will happen:
    1. You will get email notification in advance, and a final email notice the day of the transition. If your department’s migration is happening at a time that will not work for you, you should contact IR right away to reschedule.

    2. Your email account will move to Live @ EDU during the night.  Server email will be migrated automatically.

    3. When you log in to my.scranton the next day, you’ll see a new tab with instructions for accessing your new account through the web portal, and instructions for migrating local mail [with Transend Migrator].  You will also need to update your mobile devices and any other email clients (Gmail, MacMail) with new POP3 information.

    4. Your email address will be firstname.lastname@scranton.edu. You will still receive email sent to your existing email (lastnamef2@scranton.edu), but you can’t send out email from that address, so you will need to update it in email listservs, etc.

    5. Training will be available that week to help you get started.  We asked Jim if short screencapture tutorials could be made available as well.

    6. Calendars won’t be migrated until later in the spring.

    7. Office 2010 will be pushed out around the same time.





Web Quota Spam, DO NOT CLICK

5 11 2011

It was just brought to our attention that there is a phishing e-mail going around campus with the subject “Dear Account User”.

This is spam; please do not click on the link. They will attempt to get your login information and compromise our network.

The text of one such e-mail is below.

From: onwatch1@wavecable.com
To: undisclosed-recipients: ;
Date: Sat, 05 Nov 2011 10:02:53 -0700
Subject: Dear Account User
Dear scranton.edu Subscriber,

We are currently carrying-out a upgrading mantainance process to all scranton.edu account. Please click the link below to boost your scranton.edu webmail quota.





TAG Meeting Notes 10/27/11

27 10 2011

TAG met this morning to catch up on our projects. Here’s the latest:

  • A Learning Management System (LMS) Work Group is forming to review and evaluate alternatives to Angel. Connie Wisdo in ITDA will lead the group. There are six spots available for faculty participants, and (as of a few minutes after our meeting!) we now have a full slate of volunteers:

Tara Fay, Biology
Julie Nastasi, Occupational Therapy
Keith Yurgosky, Communications (part time)
Maureen Carroll, Math
Teresa Conte, Nursing
Wesley Wang, Economics/Finance

The group will also include 3 representatives from CTLE (including Eugeniu), 5 representatives from IR, and 4 students (graduate, undergraduate, and adult).  CTLE and IR will begin drafting evaluation criteria this month in preparation for the first full group meeting in December. The goal is to make a decision by May so that we can run both Angel and the new LMS in parallel in 2012-2013.

  • The Mobile Apps work group is forming to guide the design and development of mobile applications for teaching and learning. This group will begin meeting in November. Connie will lead this group as well, and it will include representatives from Alumni and PR. Faculty member participants are:

Ben Bishop, Computing Sciences
Sandy Pesavento, Education
Kristen Yarmey, Library

  • The University now has an in-house WordPress Network (http://sites.scranton.edu), available to be used for University blogs. Currently the only users are the Admissions office, though the Library will be migrating its blogs to the local server during Intersession. Anyone interested in migrating or starting a University blog should put a request in Project Tracking under “Systems.”
  • Continuing education opportunities. Wilkes University is hosting an Apple Education Seminar on November 17. Villanova University is hosting a Technology Expo on April 26, 2012.
  • IT Roadmap. Jeremy and Kristen met with IR to discuss their project list for 2011-12. The email conversion timeline is still uncertain, but IR expects that the first test conversions will begin in November and that student conversions may be done after final exams end. Faculty and staff conversions will likely be in January. IR will continue to communicate with TAG about the most optimal time for faculty conversions. Questions about the conversion came up during the last Faculty Senate meeting.
  • Faculty directory. TAG shared concerns with IR about the faculty directory’s inability to list more than one department affiliation for a single faculty member. The fix for this problem is more complex than we anticipated and will involve working with several University departments.
  • TAG will meet with IR on November 10 to discuss results from the summer TechQual survey.
  • CTLE has two upcoming events for faculty. On November 9, Margarete Zalon will lead a faculty-to-faculty exchange on management of bibliographic resources. On November 17, there will be a Faculty Advancement Series event on peer review and writing for journals. CTLE also has hired a new associate director, Brian Snapp.
  • CTLE is exploring options for classroom response systems (also known as clickers).  They have a demo scheduled with Top Hat Monocle, and a TechCon is researching other options. Sandy mentioned that there are tools like PollEverywhere available that utilize text messaging rather than clickers.
  • Jeremy, Sandy, Anne Marie, and Jim all attended the recent EDUCAUSE conference. Items of interest included Penn State’s open source WebLion application for program assessment, Pearson/Google’s new OpenClass learning management system, QR codes, mobile education, Google+, and Google Hangouts.
  • At the last Faculty Senate meeting, a motion passed that asks the Provost to provide updates on various academic initiatives.  The motion included the Academic Technology Plan that TAG members have contributed to.
  • The newly reconstituted IRAC group met, with two TAG members (Dave and Paul) serving as faculty representatives. Their recent meeting focused on the TechQual survey results, which will be discussed with TAG on November 10.
  • Teresa provided further insight on the Nursing department’s need for computerized testing. We discussed several options, including the purchase of Chromebooks or the use of specialized, restrictive software. OIT’s budget cannot maintain any new mediation, so the construction of a full computer lab would mean that other mediation could not be maintained. Jim would like to know if any other departments have this kind of need. TAG will continue to explore possible solutions to this issue.
  • This week’s IT Forum was on Data Security and Classification. (Kristen will post specific notes.) We discussed how faculty might be exposed to and educated about different data types and security procedures.
  • Jeremy reported on a classroom mediation issue in the Loyola Science Center. He asked if OIT could provide email updates to faculty to let them know if/when a computer or projector is not functional in one of the classrooms where they teach. Jim is exploring this idea with OIT.




IT Forum on Data Security

16 10 2011

Announcement from IR about an upcoming IT Forum:

Classifying, Handling, and Securing University Information

IT Services will conduct an IT Forum on Tuesday, October 25, 2011, at 11:30 a.m., in The DeNaples Center 405, dealing with classifying, handling, and securing University information, both electronic and paper. The discussion will focus on, first, classifying our information into easy to understand categories. Secondly, how to properly handle that information in our daily routines. Finally, we’ll discuss how to secure that information.

October is CyberSecurity Awareness Month and this forum should bring attention to the threats we face each day, with the use of electronic devices. We’ll also discuss the benefits of using Identity Finder, and the SANS Security video training available, as well. Registration is required.

To register, go to: https://ssbprd.scranton.edu/appprd/uis2.log?f=yiaevnt.event .

Lunch will be served.
Prizes will be given.
Jack Williams, IT Trainer, will give the presentation.





Identity Finder: Coming Soon on KBOX

5 05 2011

Today’s IT Forum with trainer Jack Williams was all about Identity Finder. What faculty need to know:

  • Sometime next week, KBOX will push out a new program to your computer called Identity Finder.
  • Identity Finder is a software tool that scans your computer for unsecured Personally Identifiable Information (PII).  It looks for things like Social Security numbers, credit card numbers, bank account numbers, passwords, etc. (full list here) using pattern recognition and contextual analysis.
  • While the program will be automatically installed by KBOX, it won’t run automatically – so you can choose when you want to run it.  Jack recommends running it once each quarter.
  • When you do start the program, it will scan all of the files saved on your computer (including any email and email attachments that you have saved locally) and search for PII.  Jack noted that the scan can take a long time (average 3.5 hours), but you can run it in the background as you do other work.
  • At the end of the scan, Identity Finder will show you a list of any information it has identified as potential PII.  You can then review that report and decide how to act on each item. Options are to “shred” (delete completely from your machine), “scrub” (redact the sensitive information from the document), “secure” (password-protect the file), “quarantine” (save to a secure location, i.e. a folder on RoyalDrive), “recycle” (send to recycling bin), or “ignore” (for false positives – the file will be ignored in future Identity Finder scans).  If Identity Finder picks up PII in a Thunderbird email file, Jack recommends deleting it by going through Thunderbird rather than through Identity Finder.
  • You’re the only person who can review your scan results (there’s no automatic reporting back to IR, for example). When the scan is complete, Identity Finder sends a brief report back to a central management server indicating what PII has been found and what PC it is on.  It does not allow that central server to access the actual files on your machine.  The only people who can access that central server are the staff of the Information Security Office, and they will review Identity Finder reports from a University machine only in two situations: 1) if the security of a machine has been breached, or 2) if the head of a department or area requests the reports to validate the security of machines in their area.
  • Step-by-step instructions will be available here.  Jack has also posted basic and detailed instruction guides (PDF).

Please pass the word along to your fellow faculty members so that no one’s caught off guard next week, and let me know if there are any questions. Thanks!

————–

Updated 5/6/11 with correction from Jim regarding reporting