In attendance:
Bob Shea, Vice Chancellor for Finance and Administration and Chief Financial Officer
Tina McEntire, Vice Chancellor for Enrollment Management
Terri Shelton, Vice Chancellor for Research and Engagement
Donna Heath, Vice Chancellor for Information Technology Services and Chief Information Officer
Julia Jackson-Newsom, Associate Vice Chancellor for Strategy and Policy
Joe Ames, Director of Administrative Technologies and ITS Strategic Alignment Officer
Alan Boyette, Senior Vice Provost
Steve Honeycutt, Interim Associate Vice Chancellor of Finance
Lee Norris, Associate Vice Chancellor, Data Architecture, Reporting and Visualization
Todd Sutton, Associate Vice Chancellor, ITS Chief Customer Success Officer
Jeff Whitworth, Associate Vice Chancellor for Enterprise Technology Infrastructure and Chief Technology Officer
Topic: Banner 9 SSB and Jagger Invoicing Implementation Updates
Topic: IAM Student Account Lifecycle Change
Context: Prior to implementation of the new Identity Management system, student accounts were created by students manually taking action to activate their accounts – typically during SOAR. With the transition to the new identity management system, student accounts are automatically created when the student meets our defined eligibility criteria, which requires our eligibility criteria to be more granularly defined. This requested change will allow admitted students to gain access to email and other services that are important to the enrollment process earlier than they do today, bringing our business process in alignment with peers/best practices.
Decision: A change in student IT service entitlements so that “admitted students” receive an iSpartan Account and email was approved that will result in the following:
Accounts will be automatically created for admitted students; these accounts will be considered a new entitlement, “admitted students”
- ITS will create the “admitted students” IT service entitlement
- Admitted students will receive an iSpartan account and email
- Eligible students will receive an iSpartan account and email as well as all other IT services
- The ‘eligible student” flag will be used for all other IT service student entitlements
Topic: Secure Desktop for Banner Project
Context: The prior sitting ESC approved the project to create a secure desktop environment in MyCloud to be used for direct access to Banner. This project has been in-flight for some time and is now nearing readiness for implementation. It will result in significantly stronger data protections by securing high-risk data, limiting direct access to high-risk data to the highly managed Citrix environment, and significantly reducing the risk of data being stored on end user devices where it can be compromised.
Once completed, this implementation will require significant end user business process change. Going forward, Banner INB users will no longer be able to log directly into Banner from their computer workstations. They will access Banner INB forms by launching the MyCloud secure virtual desktop and then logging into Banner from that secure environment. This approach allows us to focus university resources on securing our high-risk institutional data by isolating the data rather than on the impossible task of securing every end user device that needs access.
Decision: ESC fully supports and approves the implementation of the Secure Desktop for Banner with the expectation that a full testing and remediation of issues plan be formally executed to resolution with each stakeholder workgroup, and that migrations will be scheduled to minimize operational disruption during peak times.
Topic: Developing a Standardized Approach to Technology Support at UNCG
Context: Historically, a full IT audit has been conducted by the Office of the State Auditors on UNC System campuses every decade, with mini IT Financial Audits conducted annually. The last full and complete OSA audit conducted at UNCG was in 2005. UNCG ITS was scheduled to complete a full audit in 2018. Very intensive audit work was conducted jointly between UNCG ITS and OSA between mid-August 2017 and October of 2018. The audit was fully completed up to the point of the findings letter being prepared for issuance to our Chancellor. OSA made the decision to abandon the audits that were in progress for all campuses because the UNC System had developed and implemented a brand new set of information security and governance policies and OSA felt that audit criteria needed to be adjusted to reflect the new system policies. The findings letter was never sent to our Chancellor. Full IT audits are expected to be conducted for all campuses in 2021. Unfortunately, UNCG will be starting over.
The critical takeaways are as follows: First, our audit letter would have included a strong focus on the lack of standards, visibility and monitoring for distributed technology. This was a new area of focus for OSA and peers across the system who were also engaged in the audit process confirmed that there was a strong concern around information security gaps created by distributed technology management on their campuses as well.
Second, the UNC System Office created a set of three policies around IT governance and information security in 2018 in response to deep concern across state legislature about the uptick in information security risks and several significant data breaches across the 17 system schools. For the first time, we have UNC System level policies that explicitly assign responsibility for the security of distributed and central technology to a designated senior officer and the Chancellor. At UNCG, the designated senior officer is the Vice Chancellor for ITS.
Third, the UNCCIO Council is in the process of drafting a comprehensive IT Governance Program, which for the first time, includes accountability for the system CIOs for the governance of distributed and central technology resources. As of this writing, the draft document has a motion for approval and is pending ratification.
Last, the UNCG Research Office (at all UNC System Schools) received notification in 2019 from major state funding agencies of extremely robust new information security compliance requirements for grants that if not met, could jeopardize significant funding at UNCG.
The bottom line is that we know this statewide focus on end-to-end information security risks is going to intensify over the next several years and we will have to formalize our technology support policies, standards and procedures. We won’t be able to continue to operate as a loose federation of independent tech silos without a common governance framework.
The focus of our discussion will be to begin a dialogue about how to best collectively approach development, monitoring and enforcement of university standards for distributed technology functions in alignment with central ITS to ensure UNCG’s compliance with emerging regulatory requirements for management of distributed technology functions.