TAG Meeting Notes 2014-02-12

14 02 2014

TAG Meeting February 12, 2014 12:00pm-1:00pm

Attendees:
Jeremy Brees, Tim Cannon, Paul Cutrufello, Kim Daniloski, Dave Dzurec, Eugeniu Grigorescu, Katie Iacocca, Andrew LaZella, Lori Nidoh, Kristen Yarmey

I. Brief Reports

Acceptable Use Policy

CIO Jerry DeSanto announced on February 6 that the new Acceptable Use of Information Technology Resources Policy had been approved by the President’s Cabinet. The new policy is an update to the old Code of Responsible Computing. Many thanks to Jim Franceschelli and Dave Dzurec for co-chairing the committee charged with revision.

PR Department/Program Website initiative

Back in late November, Dave, Kim, and Kristen (along with Hal Baillie, Darla Germeroth, and Ray Schwenk) met with Gerry Zaboski and Lori Nidoh in PR to discuss department and program websites. Also in on the meeting (phoning in from Cedar Rapids) were representatives from Converge, a vendor that PR has hired to help us with initial planning and updates for departmental websites and academic program pages (note: *not* course catalog content/program descriptions, which require formal review).

The main goal from a faculty perspective is to develop content for department/program pages that is consistent across the University website and does a better job of communicating what it is that we do — reflecting the quality of our programs/departments, “telling the story” of the student educational experience, etc. (In 2012-2013 TAG had prepared a proposal for improving and maintaining department/program websites that advocated for additional support for this task.)

Briefly, Converge plans to 1) outline/inventory needed content, 2) do some search engine optimization research (e.g., what terms do users type in to Google when they’re looking for nursing programs?), 3) develop a draft template for page content, 4) get faculty feedback via a campus visit and questionnaire, 5) draft some copy, and 6) help us prepare a long term strategy. Their main output would be a consistent template for department/program pages, and they will create content for up to 50 department/program pages (though the institution has the final say on content). Gerry explained that this way we can get a lot of updates done quickly.

PR and Academic Affairs would like to bring together a steering committee or task force to coordinate this project, with work beginning in March. Gerry has broached this topic with the Committee on University Image and Promotion (CUIP), which includes faculty representatives.  After the November meeting, Kristen and Dave had asked TAG members to identify faculty who might be interested in serving on such a steering committee. Teresa, Sandy, and Dave then volunteered.  However, Lori noted that it has not yet been decided which program/department pages will be selected as the focus of the project, and she was not sure who will make that decision. We agreed that once these programs/departments have been selected, TAG will support the faculty representatives on CUIP in trying to recruit faculty volunteers to participate.

Desire2Learn

Desire2Learn went live in January, and so far the transition seems to be going smoothly (see the LMS transition page for details). About 30 faculty members opted to begin teaching in Desire2Learn in Spring 2014. Courses that are being taught in Desire2Learn have been disabled in ANGEL so that students don’t see them in both places.  Workshops and video tutorials are available for faculty.

Eugeniu reported that there was an issue with merging courses that CTLE wasn’t able to resolve in time for this semester, but it will be resolved in time for summer and fall courses. Another issue has been reported with links – Firefox and Chrome are problematic when trying to display unsecure pages within secure frames.

Mobile Apps

IR’s Mobile Apps feedback group met in December (pptx). Sandy attended as a faculty representative. The group reviewed the University’s current apps — ANGEL Mobile, eAccounts (for RoyalCard), the Straxis app, Student Services app, RoyalSync, and Desire2Learn (which also has two special purpose apps – Binder and Grader) — and discussed what additional features should be mobile accessible.  The Straxis app will be retired at the end of the year and replaced by a locally developed web app for the fall 2014 semester.

Royal Card

Faculty are reminded to visit the TSC to get a new RoyalCard. Take your old RoyalCard or a driver’s license, and you will be photographed.

Windows XP to 7 Conversions

(Jim was unable to attend the meeting but sent an update on this via email.) IT Services is continuing to work on converting all remaining Windows XP machines to Windows 7. Faculty machines are the current priority, with a goal of finishing all faculty conversions by the end of May.  IT Services will contact users to schedule a time and date for conversion — the process takes about two hours.  Dave noted that the history department was almost entirely converted and had no issues.

II. Items for Discussion

Specialized Software/Computer Lab Survey Results

Kristen is still working on putting together the survey results and apologized to TAG members for the delay.

WordPress Network

Kristen reported that at least one additional faculty request for a site on the campus WordPress network (sites.scranton.edu) had been turned down. There seems to be a continuing need among faculty and students for academic web space, particularly since the academic server (academic.scranton.edu) was decommissioned.

At our September 2013 meeting, TAG had requested that IR draft language on service levels for WordPress. Kristen asked Jim for an update on this issue. Jim was unable to attend this meeting but sent an update via email, excerpted here:

We met this past fall and have consulted with the CTLE on various support issues.  Unfortunately at this time, we cannot extend the wordpress offerings.  Looking at the current issues at hand – especially with the CTLE and the conversion to D2L – extending support won’t happen until January 2015 at the earliest. I know there is growing demand and many faculty want to use wordpress as an alternative web site.  Unfortunately the supported options are within the CMS.  D2L does have options for blogging and discussion boards.  I think TAG had offered to look at it from a faculty perspective – any news back on that?

Eugeniu explained that CTLE was unable to provide assistance to IR on support for WordPress at the same time as they are supporting faculty and students during the transition to Desire2Learn.

Kristen asked TAG members for their reactions. The majority agreed that we would like to keep advocating for WordPress but acknowledge that Desire2Learn should take priority at this time. Dave suggested that we revisit the question again in January 2015 as Jim indicated.

III. New Business

Vice President for Planning/CIO

Fr. Quinn announced in December 2013 that Jerry DeSanto would be stepping down as Vice President for Planning/CIO. Associate Vice President Robyn Dickinson will serve as Interim. While the search for a new Provost is taking priority, Dave and Kristen noted that they planned to volunteer TAG’s input (either formal or informal) in any upcoming search for the CIO position.

TAG Leadership for 2014-2015

Kristen will be rotating off as TAG co-chair at the end of Spring 2014. Dave will continue as co-chair for 2014-2015, but will be on sabbatical in Spring 2015.  They asked for one or two volunteers (preferably but not necessarily including a Senator) to serve a two-year term as co-chair. Andrew volunteered to serve in Spring 2015 while Dave is away. We are still in need of another volunteer to serve the full year.

IV. Demonstrations

Adam Edwards and Scott Finlon from Information Security came to the second half of the TAG meeting for two demonstrations.

Firstly, they demonstrated the administrative side of Identity Finder. TAG members have been piloting automated Identity Finder scans, which are running each Friday at noon. Identity Finder scans the user’s computer for any personally identifiable information (PII) in unprotected files. The Information Security Office receives reports that indicate the level of risk for that machine. Anticipating concerns about privacy and confidentiality, Adam and Scott showed a sample report. The report shows the number of hits and the location of each file with hits, but the actual information is obscured. Based on these reports, Adam then works one-on-one with users to either delete the files or move them to a more secure location. Adam said that he is working with staff with the most risk first (e.g., people with 1,000 hits or more).

Secondly, Adam and Scott demonstrated using TrueCrypt (free open-source disk encryption software) to encrypt files or folders that contain confidential information (such as human subject research data). They have already shown this tool (along with another encryption tool in Identity Finder) to the IRB and would like to make it a recommended standard for campus use. [Update 2014-07-02: Support for TrueCrypt has been discontinued, so Information Security now recommends using 7-Zip for encrypting sensitive or confidential data.] TAG members did not bring up any concerns, so we will move forward on this. Adam will share brief written instructions, and we will share them with the faculty as a recommended practice for confidential data.

Adam and Scott would like to start automated Identity Finder scans on faculty computers beginning with departments that would *not* have any confidential subject data stored on faculty desktops. We were not sure that such a distinction could be easily made, but TAG will try to work with department chairs to determine which departments might be willing to begin scans. Scott will send Kristen a list of departments as they appear in Identity Finder (based on Active Directory groups) as a starting point.

Adjournment

The meeting adjourned at 1:10pm. TAG’s next meeting will be Wednesday, March 12 from 12pm-1pm in WML305.





Identity Finder and confidential data

14 04 2013

At our last TAG meeting, IT Services Director Jim Franceschelli and Information Security Director Adam Edwards invited faculty feedback on their Identity Finder Proposal on Automated Scans. For those just joining us, Identity Finder software scans your (Windows) computer for sensitive, unsecured Personally Identifiable Information (PII). The Information Security Office and IT Client Services are jointly proposing implementation of weekly, automated, required Identity Finder scans (see the proposal for details). During the meeting, TAG members shared some concerns about scheduling and performance effects. After the meeting, we received additional concerns from Bryan Burnham (Psychology), a member of the Institutional Review Board, that Identity Finder scans of machines storing human research subject data or client files (from a counseling practice, for example) would breach subject confidentiality. Concerns are paraphrased here:

There are privacy issues related to data collected on human research subjects that must be considered before automated Identity Finder scans of machines can occur. Specifically, we (IRBs, DRBs, PIs – primary investigators) ensure complete and total privacy of our human research subjects’ data, especially sensitive information (names, emails, Royal IDs, social security numbers), some of which is undoubtedly stored on computer hard drives. [The same is true for client files maintained by counselors or clinicians.]

“Subject confidentiality” means that knowledge of a person’s participation in a research study is between the human subject and only the PI. That is, a subject is guaranteed by the PI that knowledge of their participation as well as their personal and sensitive data will not be open or available to any third party – meaning anyone not associated with the research project. The automated Identity Finder scans would, in effect, view confidential human research subject data and client information that, by definition, cannot be viewed by others.

It should be noted that the Identity Finder reports that the Information Security office receives are redacted, showing a masked version of a potentially problematic file and the location where it was found, and are only accessible to the Information Security Director (Adam) and the Information Security Engineer (Scott Finlon). However, Bryan noted that the scan itself is the issue: third parties (including other University divisions/employees and University-owned software) are not allowed to access or see confidential subject information.

Bryan, Jeremy, Kristen, Adam, and Scott got together on Friday to get a better understanding of this issue and what options there might be for general campus implementation of automated Identity Finder scans without violating subject confidentiality.

We discussed a few options that IR and TAG  could consider for Identity Finder, each with varying advantages/disadvantages. A significant complication, however, is that at this point we don’t know how many researchers on campus have this kind of data, where it’s stored (faculty, staff, student, and/or lab machines? cloud storage?), and whether it’s encrypted or otherwise protected against security breaches (malicious or inadvertent). Bryan stressed that researchers are responsible for their own data and for ensuring subject confidentiality, and neither the IRB nor the University can impose or require specific data management practices, at least under current IRB policies.

Scott noted that the Identity Finder question is only the top layer of broader issues of privacy, security, and digital records management on campus, and that research data stored on a researcher’s hard drive or in cloud storage could be vulnerable to external attack. Both Adam and Scott mentioned that Identity Finder, used appropriately, could help researchers protect subject confidentiality by locating vulnerable information and prompting the researcher to take further steps towards securing it. We agreed, though, that educating researchers about data security and encouraging more secure data management practices (encryption, password protection, etc) will be a longer, more involved, and more inclusive conversation – but a conversation that needs to happen nonetheless.

Next steps: Bryan will bring this discussion to the IRB at their April 16th meeting for additional input and will share any relevant guidelines from grant agencies (e.g., Department of Health & Human Services), and his and others’ own digital data management practices. Adam and Scott will reach out to Identity Finder and other university security offices re: how others have handled this issue. They are willing to continue discussing accommodations for researchers storing sensitive data, if we can find all of them or somehow get them to self-identify. TAG might be able to help survey the faculty on this question (yes/no/unsure) – multiple outlets should be used to try to catch everyone’s attention. The IRB, ORSP, and TAG may want to coordinate a faculty forum on this topic.

We’re still early on in this discussion, so please contact TAG if you have any insight, concerns, or questions that we might not have considered yet.