Information Security Committee Minutes - March 2009
March 12, 2009
Present: C. Tianen, Chair; P. Berlin, J. Claudio, M. Day, A. Dobson, T. Ferris, B. Flynn, H. Kahn, H. Schmidt, L. Poirier, T. Poon, E. Terrazas
Absent: O. Bawa, R. Duca, J. Fritz, A. Saggio, R. Slaughter, D. Yano-Fong
Staff: J. Evind, T. Maxwell, S. Schluntz
The February 2009 minutes were approved.
Poison Control has asked for a password exception. A few of their resource accounts have passwords that do not expire. The committee unanimously approved the exception.
The vpn@UCSF is online, providing a faster connection due to caching. Juniper hardware will replace the site-to-site VPN.
The physical implementation of the perimeter firewall is dovetailing with NGMAN in April. This will be transparent to the campus; we will communicate with campus and the committee as we make adjustments to what is allowed through the border. Committee members inquired whether the rule set for the perimeter needs to be tweaked (e.g. printers, Telnet). Telnet was approved to be blocked approximately five years ago, but it is currently not blocked to campus; it will have to be researched whether it was never blocked or whether the block was removed.
Production hardware for PGP is in place – training materials and documentation are being written now. There will be a pilot in April and full production May 15. PGP does work on Macs.
The new Data Center is online in a non-production status. The network and firewalls are up and running. Exchange will be up and live on Tuesday night. The firewall cluster (Juniper ISG 2000) can host VPN right off the systems and provides disaster recovery for PeopleSoft. The Data Center move takes place March 26 – 29.
SATE is partnering with Public Affairs on a campus-wide security communications plan. Beginning the third week of March, Public Affairs will put up posters and send out emails to departments and deans for them to distribute.
Additionally, there will be articles in UCSFToday, and the SATE web pages will be updated and/or changed. The messages are twofold: information security is everyone’s responsibility, and leadership expectations.
Members recommended that communications include the cost of managing an incident in terms of an equivalent number of jobs.
Upcoming SATE trainings will focus on training against downloading music and movies. Members recommended trainings for staff on how to send secure email.
As mentioned last month, EIS is the owner of six Management Corrective Actions (MCAs) associated with a Wireless audit. One of them is to update the Wireless Networking Standards by June 1, 2009. A folder will be set up on the ISC SharePoint site where members can help make changes to the standards.
Another MCA, host registration, will be available to the entire university to register any device – not just WPAs.
The PwC assessment had 246 observations in 11 areas. Fifty-four percent of those have been completed (SOD, UAP, SON). Progress is tracked monthly and departments are making good progress. Institution-wide, a governance process is forming slowly. A new software package for qualitative assessments has been acquired for the University. Product training will take place mid-April.
Members inquired whether there was a high-level summary of the PwC report that could be published (e.g. the first third of the report). The assessment is protected under attorney-client privilege and must be treated as confidential. What this means is that it must not be distributed except on a need-to-know basis and with the clear admonition that the report is subject to the privilege and is confidential.
