Faculty Senate University Computer and Electronic Communications Committee
Tuesday, Mar. 11, 12:00 - 13:30
Room 911-15, Campus Center

DRAFT MINUTES

Attendees: Rosio Alvarez (Director, OIT), George Avrunin (NSM Computer), Scott Lee Bradley (Engineering), Steve Brewer (Biology), Scott Conti (OIT / Network Support Services), Andrew Effrat (Provost's Office), Murray Eisenberg (Math and Statistics), Marilyn Hanley Billings (Library, secretary), Tad Jackson (ITS), Joe Kunkel (Biology, chair), Bruce McCandless (V.C. for Research), Dave Powicki (OIT), Vanessa Rivera (Engineering), Howard D. Stidham (Chemistry), Michael VanKleef (Undergraduate, Management / Plant and Soil)

I. Minutes

A. Minutes of Feb. 11, 2003 approved; posted at http://people.umass.edu/fsucecc/

II. Announcements

A. Chair

Review of month's activities. Joe Kunkel and Marilyn Billings met with the Faculty Senate Rules Committee to discuss the pending recommendation to the Faculty Senate from this committee to establish an Academic Liaison Group to the PeopleSoft Student Information System implementation.

B. OIT (Rosio Alvarez)

Dark fiber network: Moving forward with the deployment of the dark fiber optical network which links the Five Colleges and then connects in Springfield. Rosio met with David Gray to discuss the other campuses, community colleges.

Spam filtering deployment: Within the next month spam filters will be on the campus mail hubs. OIT is looking for an academic department to work with them on a pilot. Messages will move from the inbox to a spam box. Currently UMass receives between 200,000 and 300,000 messages per day. OIT will not be filtering messages that originate from on campus.

IT Fee: The campus is moving forward with implementing a mandatory IT fee at the campus level. Each student would then have an @umass email account. Continuing Education students would have a proportionate amount rolled into the curriculum fee. Five Colleges students are covered under the Five Colleges agreement.
III. Old business

A. Review of OIT (Rosio Alvarez, The Associate Chancellor for Information Technologies and Planning)

Personnel: Last year OIT lost 5 employees to retirement. After reorganizing, OIT has been able to retain some of these employees on a part-time post-retirement basis. OIT is hiring 2 new staff members: one in networking, whose main focus will be to work on the implementation of a directory for single sign-on; one in computer operations to work on backend OIT servers that support the entire campus. This person has substantial Windows expertise. LAN support has staff with Windows expertise who can be hired by campus departments. As soon as funds become available, there are plans to hire 1 additional person in Academic Computing.

IT security on campus: The University System has hired a consultant to do a system-wide security audit; the consultant will be trying to break in to various servers on campus. The relationship between the UMass System and the campus is business as usual. The consultant is not allowed to do exploits by penetrating weaknesses. OIT will be scanning for vulnerabilities and holes and correcting them. The consultant will be shutting off machines at night, doing ssh connections during the day, not telnet. If departments want to talk with the consultant, contact Scott Conti.

Status of Mac support: They hired a help desk person who works with PC labs who has Mac expertise. There is also Mac expertise in Academic Computing.

B. Security of the Network (Scott Conti, Network Operations Manager)

Questions to be addressed include:

1) Internet Explorer security holes. Why is IE routinely used as a browser model for SIS database access? Why can PeopleSoft implementations not be made to work reliably with other browsers which do not have the security holes?

2) Does OIT have any intention of recommending against routine use of Outlook Express, which is virus prone, on administrative machines with sensitive data? The Development Office encourages Outlook use.
3) Administrative routine attachment of .DOC files. Should administrative units be asked to avoid this vulnerable file format and encourage text or RTF files? Some faculty routinely refuse to open DOC file attachments. Is this a bad habit?

4) What would be considered a severe enough embarrassment to discourage widespread use of vulnerable software on campus? What is a worst case scenario at present?

5) At what level is/should virus filtering be done?

Scott Conti reported on various aspects of the security of the campus network.

Residential halls: about 14,000 ports that are registered through the Netreg process, an online registration process. Then the students can use the network.

Browsers on campus - 93% of the use is IE; using Outlook Express for email. There is consistent use of virus scanning software which is freely available. Over 70% of the students install virus scanning software.

Network security: focus on incident response activities. They can locate down to the jack level within 10-15 seconds and shut off that jack. Fixing open jack problem in the classrooms to provide Internet service. NSS is dovetailing with the Netreg process to work on classroom logins. The registration is accomplished with the machine address, not the person. This procedure is being implemented building by building.

Wireless networking: secure through a VPN; currently clients are required to download client software onto their machines. OIT is testing Bluesocket for gateway access.

NSS works with University police when necessary.

The SANS (SysAdmin, Audit, Network, Security) Institute top 10 to 20 list of things to protect includes piping and conduit, locked rooms for networked equipment.

Best practices list: use virus scanner software on email hubs (2000-3000 infected files per day), do backups.

Suggested future agenda items related to security:

How do we treat the information assets of this campus? The handling of sensitive documents? FERPA?
If students are administering core / essential systems, that's a problem. Be very careful with their rights on administrative systems.

SIS security.

Liaisons Group: have networking representatives from the campus as members.

Security enhancement: do registration process through Netreg in a CBT-type of interaction.

Copyright infringements - educate through the Netreg process. However we can only get new students; not returning ones.

Recommend best practices for administrative offices:
personal firewalls
Backups

The university's environment of openness has inhibited the implementation of some best practices for security.

Future recommendation: Create a position for a 'security officer' type of person.

Security audit by the consultant: Hired March 10 for 8 weeks. We should do okay with practices; but poorly with procedures and documentation and security awareness.

This committee needs to work on a security, disaster recovery, backups special report over the summer to present to the Faculty Senate in the fall.

Anything on University property needs to be kept for 7 years. Check with David Gray on the data retention policy.

Personal firewall recommendation: ZoneAlarm
Central firewall management: Black Ice

C. An SIS Liaison Group (Faculty Senate agenda item)

Will come before the Faculty Senate as Sen.Doc.No 03-021 on Mar 13.

D. Remaining Agenda Items for consideration in order this year

1. April 8 UMass Online (Jack Wilson, CEO of UMOL)
a. MOU UMASS Amherst with UMOL.
b. Questions for Jack Wilson.

2. May 6 Beyond Simple Classroom Connectivity (Late Spring)
a. Teaching Development Center (Mary Deane Sorcinelli, Assoc Provost for Teaching & Faculty Development)
b. Academic Computing (Patricia Kochin, OIT)
c. Pew Grant Research (Steve Brewer)

3. Email Lists (Senate Request) as ready
a. Recent Jan 28 broadcast to all-faculty list