Addressing IT Services at Lamar University
1 like520 views
The document summarizes LU ITS' response to identified risks and concerns from a TSUS IT auditor. LU ITS acknowledges risks involving data center constraints and outlines steps taken to address them, such as moving some systems to offsite hosting. The response also provides clarification on delays in areas like retiring legacy systems, reducing operating environments, and establishing security policies and programs. It indicates that work is ongoing to comply with standards and remediate issues.
![Audit Documents Referenced
(ITS Transformations: April – November 2008)
¨ TSUS Management Advisory Letter dated April 14,
2008
¨ TSUS Management Advisory Letter dated July 18,
2008
¨ The July 2008 letter to Lamar State College-Port Arthur
outlining a breach of Lamar University’s system
¨ Report to Management on Audit of Research Time and
Effort Reporting – Lamar University (August 2008)
¨ Texas Project Delivery Framework Monitoring Report
[LEAP System Upgrade for ERP] (November 17, 2008)](https://image.slidesharecdn.com/addressingitservices-130412115910-phpapp02/85/Addressing-IT-Services-at-Lamar-University-52-320.jpg)
Addressing IT Services at Lamar University
- 1. DRAFT ADDRESSING IT SERVICES RISKS AND RISK SYMPTOMS LU ITS Response to TSUS IT Auditor (March 2009)
- 2. LU ITS Response to TSUS IT Auditor ¨ IDENTIFIED RISKS AND RISK SYMPTOMS ¨ Risk Symptoms Raising Security Concerns ¨ Risk to University Reputation
- 3. IDENTIFIED RISKS AND RISK SYMPTOMS “Data Center resource constraints and critical path requirements prevent effective management of internal IT operations and risk management of other defined University priorities and initiatives (such as the Banner implementation, online curriculum, and fund-raising efforts)* as evidenced by the following risk symptoms” - TSUS Office of Audits and Analysis (Required Communication with Lamar University) *Emphasis Added
- 4. ITS Clarifications on Data Center Constraints and Online Curriculum ¨ Data Center Constraints at LU are have not been a constraint for Online Curriculum for an entire academic year. ¤ Blackboard has been hosted offsite by Blackboard since Summer ‘08. ¤ GoCourse is hosted in Dallas by HEH and has always been.
- 5. ITS Clarifications on Data Center Constraints and Advancement ¨ Data Center Constraints at LU will soon no longer be a constraint for University Advancement. ¤ LU has signed a contract to host both Millennium and MIP Accounting offsite with the software maker Sage Software.
- 8. ITS Clarifications on Data Center Constraints and Banner ¨ To Ensure Banner Success, Data Center Consolidation and Operating Environment Standardization Must Continue …
- 10. Delays In: Retiring legacy systems? ITS Response: ¨ IBM Systems Deprecated (3 Racks of Hardware) ¨ Legacy Cisco Firewalls Deprecated and Replaced with State-of the-Art Fortinet Firewalls ¨ End-of-Life Hardware Removed and Systems Virtualized (MSS Help Desk and Three Legacy Evisions MAPS Servers) ¨ All Remaining Legacy Systems are Slated for Virutalization With Deprecation to Follow ¨ Virtual Readiness Assessment (VRA) in Process to Identify Other Systems for Virtualization ¨ Luminis Portal, Recruitment Plus, Millienium, MIP Accounting All Moving to Off Site Hosting (Provided by Software Manufacturers) ¨ Plus System Deprecation Scheduled EoY 2009 (Currently a Production System for Student Records) ¨ Director, EAI Has Mapped All Application Relationships and Systems Dependencies to Reduce Risk Related to Plus-Banner Migration
- 11. Enterprise Applications and Integration First Overview of Project Inter-Relationships
- 12. Delays In: Engineering/reducing the number of operating environments? ITS Response: ¨ 2 Standard Operating Environments Selected: Red Hat Enterprise Linux (RHEL) and MS Windows ¨ Deprecated ¤ AIX (Legacy Banner Plaform) ¤ SUSE Linux (DNS) ¨ By EoY 2009 ¤ Will Deprecate VMS (Plus System) ¤ Will Virtualize Sun Systems for SACS ¤ Migrate File Services from Single Mac Server ¨ CONTINUED RISK: Number of Systems Not Managed By ITS ¤ Distance Education ¤ Library ¤ Departmental Servers
- 13. Delays In: Engineering a multi-tiered Enterprise IT architecture? ITS Response: ¨ Banner ERP: Oracle Database Clustering RAC has been successfully implemented, along with redundant load balancers (F5) for the application tier ¨ New Firewalls are Redundant (Active-Active) ¨ Virtualization Accomplished via High Availability Architecture ¨ All New Initiatives Following Zachman Architectural Framework (Staff Training Included)
- 14. COMPLETED: Architecture SGHE Unified Digital Campus (UDC - Production)
- 15. COMPLETED: Architecture SGHE Unified Digital Campus (UDC - Test)
- 17. Delays In: Engineering an IT Security architecture accommodating the re- engineered architecture mentioned above (Firewalls, DMZ, DNS, DHCP, Active Directory, WSUS, etc.)? ITS Response: ¨ New Firewalls (Active-Active) Established Allowing Full Network Segmentation (DMZ + LAN Segmentation) ¨ DNS Migrated From Single Point of Failure on Non-Standard IBM SuSE Linux to Fully Redundant Standard RHEL Servers ¨ DHCP Consolidation Underway ¨ New Active Directory Established Following MS Best Practices (College of Business Migration to New Domain Architecture Underway) ¨ WSUS Server Established. ¨ Microsoft Premier Support Contract Established.
- 19. Delays In: Establishing a security policy and functioning security program? ITS Response: ¨ ITS Participation in Bi-Weekly President’s Security Meeting to Brief Campus Leadership on Current Security Issues ¨ Organizing IT Security Analysts into Best Practices-Driven Security Operations Center (SOC) ¨ Staff currently updating security policy based on SANS Institute Guidelines and verifying compliance with TAC 202 ¨ End User Licensing Agreement for Wireless Networking ¨ Revised AUP under development
- 20. Delays In: Updating system documentation including policy/procedure ITS Response: ¨ Need Further Clarification, As Systems Documentation Exists on ITS Departmental Fileshares ¨ Numerous Procedures Exist for Various IT Processes. Need Further Clarification as to Deficiencies.
- 22. Delays In: Re-designing comprehensive Disaster Recovery IT procedures ITS Response: ¨ Disaster Recovery Plans are Interative in Nature, Requiring Constant Refining as They are Exercised ¨ Disaster Recovery Plan Coordinator Appointed (John Genuardi) ¨ DRP Coordinator Currently Documenting Procedures in Anticipation of Next Hurricane Season ¨ Duplicate of Critical Systems (Servers, Networking and Firewalls) in Place in San Marcos Data Center to Support ERP and Reporting Environment ¨ ITS to Present Proposal for Automation of Systems Replication in Early April 2009 (Significant Cost Item: Approximately $500,000)
- 23. Delays In: Designing comprehensive Business Continuity (non-IT) procedures ITS Response: ¨ Beyond Scope of ITS
- 24. Delays In: TAC 202 compliance ITS Response: ¨ Need Further Clarification. TAC 202 is Large.
- 25. Delays In: Resolving staffing concerns and competencies ITS Response: ¨ ITS is Realigning Resources to Address Staff Competency Issues, Though Additional Clarity on Auditor’s Concerns Could Be Helpful ¨ Additional Resources From SGHE Retained to Augment Critical Areas With Major Deficiencies, Espcially in Banner Area
- 26. Next Steps in Enterprise Applications (Organizational Changes)
- 27. Power consumption not being monitored to assist in critical mass bottleneck decision-making processes ITS Response: ¨ In the Process of Collecting Bids for Complete Data Center Re-Engineering Project (Significant Expenditure Anticipated: $500,000) ¨ End-to-End Power Generation and Provision System Tested on a Quarterly Basis ¨ Fail-Over Simulation During Winter Break: Yielded Confirmation of Successful Outcome ¨ Substantial Decrease in Load on Data Center Power As a Result of Current Deprecation, Virtualization, and Off Site Hosting Efforts
- 28. Self-identified (QAT) and reported concerns that: Network bandwidth may not be sufficient to support Banner resource requirements ITS Response: ¨ LEARN Connectivity Project (Network, Firewalls and Packet Shapers) Addresses Connectivity Issues
- 29. Self-identified (QAT) and reported concerns that: Data base capacity may not be sufficient for student conversion ITS Response: ¨ Student Conversion Underway With No Data Base Capacity Issues ¨ Additional Capacity to Be Added to SAN to Address Future Growth – to Include HEH Programs and Centralized Enterprise-wide Scanning via Banner XTender (Moderate Cost Item: $200,000)
- 30. Self-identified (QAT) and reported concerns that: Engineered reporting infrastructure does not meet LU’s needs ITS Response: ¨ SGHE working with LU to Implement Operational Data Store (ODS) in 2009.
- 31. Necessity to allow and rely on non-centralized custodianship and administration of distributed satellite data centers and servers across campus ITS Response: ¨ Three racks have been removed and a fourth is in the process of removal. ¨ Further consolidation of data centers is now subject to political and not a physical constraints. ¨ Progress to date includes work with College of Business in which critical systems have been relocated to the Data Center (only systems remaining in CoB are there for performance reasons – need for physical proximity)
- 32. Unsecured satellite network closet doubling as general storage room ITS Response: ¨ Need further clarification as to location of this network closet ¨ Continued Risk: Some Data Closets are outside the control of ITS, and administered by various Information Technology Specialists (unclear as to the scope of their functions)
- 33. Risk Symptoms Raising Security Concerns “Current operational transition activities and lack of unified approach will continue to prevent Lamar University from addressing long-standing and immediate security concerns as evidenced by the following risk symptoms”
- 34. Disrupted, dismantled, or otherwise inadequate internal control framework (which must be addressed before any outsourcing strategy can be successful) ITS Response: ¨ Initial Change Management Procedures in Place for the First Time in IT Services ¨ Estabished Regular Maintenance Window ¨ Established Enterprise Maintenance Calendar, Coordinated With Academic and Administrative Calendars ¨ Established Enterprise Service Desk ¨ Beginning to Adopt ITIL Model ¨ Security Staff Has Been Introduced to COBIT ¨ ITS to Recommend New Service Desk Software ($35K)
- 35. Unreliability and instability of “My.Lamar” portal, in addition to significant modifications (known and unknown) regarding security and access authentication processes ITS Response: ¨ Moving to Hosted Solution for Portal ¨ LDAP Implementation in 2009 to Address Authentication
- 36. No standardized change control process or methodology ITS Response: ¨ Initial Change Management Procedures in Place for the First Time in IT Services ¨ Estabished Regular Maintenance Window ¨ Established Enterprise Maintenance Calendar, Coordinated With Academic and Administrative Calendars ¨ Established Enterprise Service Desk ¨ Beginning to Adopt ITIL Model ¨ ITS to Recommend New Service Desk Software
- 37. No security policy or established security program ITS Response: ¨ Inaccurate, as there is a fledgling IT security program anchored in the President’s Bi-Weekly Security Meeting
- 38. No security awareness training for campus constituents ITS Response: ¨ Further Clarification Needed
- 39. Lack of standardized computer “image” and specifications for desktop/server purchases and deployments ITS Response: ¨ Currently Being Address Through Vendor Premier Desktop Program ¨ Computer Lifecycle to Be Determined by Executive Leadership ¨ Exploring “Thin Client” Technology (Citrix?)
- 40. ITS Believes TSUS IT Auditor’s Calls for the Following Violate Academic Freedom ¨ “Approved Software” Policy ¨ “Audit” of software residing on users’ computers ¨ “Audit” of administrative privileges on users’ computers ¨ “File-Sharing” Software Policy
- 41. Lack of “approved software” policy ITS Response: ¨ Considerations of Academic Freedom Prohibit This
- 42. Inability to “audit” software residing on users’ computers ITS Response: ¨ Considerations of Academic Freedom Prohibit This
- 43. Inability to “audit” administrative privileges on users’ computers ITS Response: ¨ Considerations of Academic Freedom Prohibit This
- 44. Lack of “file-sharing” software policy ITS Response: ¨ Considerations of Academic Freedom Prohibit This
- 45. Recent EDI server compromise during Admissions implementation ITS Response: ¨ IT Services for this functional area have been moved to a secure hosted solution ¨ Existing staff member transitioning to role more appropriate to IT skill level
- 46. The lack of itemized detailed costs related to the Banner implementation Excerpt from QAT report submitted to state as of August 31, 2008 Project Item Report to Date Initial $4,105,900.00 Estimated Project Cost Last Reported $4,105,900.00 Estimated Project Cost Current $4,805,900.00 Estimated Project Cost Notes: Includes all funding sources Includes optional consulting fees to be used as needed Explanation of Variance • Contract for additional SunGard resources: Student Lead and remote between Last Reported and programming support Current Project Cost • Creation of Business Analyst Positions Cost Expenditures to Date $1,394,186.00 (Fiscal Year) (Project-To-Date: $2,840,361.00) Description of Expenditures will be posted to the SunGard Banner Finance system used by Lamar Cost Tracking Mechanism University. These expenditures will be extracted and monitored using MS Excel. Expenditures will be verified against vendor invoices and project estimates.
- 47. Expenditures, Encumbrances, and Budget Adjustments (Since August 2008) ¨ Expenditures Sept1, 2008 – Mar 17, 2009: $1,277,578.30 ¨ Outstanding Encumbrances: $ 374,797.04 ¨ Budget Adjustments after September 1, 2008: ¤ BossCars Software $ 92,074.00 (included in ots enc) ¤ Oracle License True-Up (increase in headcount) $ 188,551.00 (included in expend.)
- 48. Incomplete or inadequate Disaster Recovery (IT) and Business Continuity (non-IT) documentation and processes during/after the transition period ITS Response: ¨ Staff members responsible for this item no longer work for University ¨ New staff member has this as Priority Issue ¨ ITS addressing disaster recovery for computing services within context of university business continuity planning
- 49. Risk to University Reputation “In the event of another security breach or incident, the risk of public criticism and potential liability for Lamar University will significantly increase because there is a 4-year public record of identified, documented, and unresolved consultant and audit findings to date:”
- 50. IT Response: Bottom Line Up Front 18 Months of Consistent Progress Bottom Line: We Are Implementing Best Practices for Infrastructure and Security. These Practices Include, But Are Not Limited to: ¨ Standardized, Redundant and High Availibilty Systems ¨ Multi-Tiered Security Architecture ¨ New Firewalls – Dorms, Datacenter, Perimeter (Allowing Network Segmentation and Demilitarized Zone) ¨ Antivirus – Clients and Servers (Identifying Unprotected Systems) ¨ Data Center Improvements Within Fiscal Limitations ¨ Integrated End-To-End Power System Fail-Over Testing ¨ Virtualizing Operating Environments ¨ Adoption of Software as a Service (SaaS) Model Where Appropriate To Improve Service and Reduce Risk
- 51. Audit Documents Referenced (Welcoming a New CIO: July 2005 – September 2007) ¨ Information Technology Consultant’s Report (July 2005) ¨ Report to Management on Review of Information Technology – Lamar University (August 2007) ¨ Network Security Controlled Penetration Test Report (August 2007) ¨ Internal Correspondence: Office of the Director of Network Services and IT Strategic Planning; subject: Findings from DIR Penetration Test (September 2007)
- 52. Audit Documents Referenced (ITS Transformations: April – November 2008) ¨ TSUS Management Advisory Letter dated April 14, 2008 ¨ TSUS Management Advisory Letter dated July 18, 2008 ¨ The July 2008 letter to Lamar State College-Port Arthur outlining a breach of Lamar University’s system ¨ Report to Management on Audit of Research Time and Effort Reporting – Lamar University (August 2008) ¨ Texas Project Delivery Framework Monitoring Report [LEAP System Upgrade for ERP] (November 17, 2008)
- 53. Audit Documents Referenced (Today’s Challenge: Banner Student Jeopardy 2009) ¨ Email dated January 12, 2009 citing the failure to process Fall 2009 admissions applications in Banner and 10 MONTH DELAY in implementation ¨ SunGard Higher Education Draft Executive Summary: Lamar University – Programming Team and Banner Technical Support Assessment (January 21, 2009)