OCIO and Enterprise Security Teams are busy working toward our Top Goals and are making tremendous progress. What follows is an update on our top-priority projects.
OCIO TOP FIVE
Data Center Move
As we continue the work of moving our current data center to the State of Ohio Computing Center (SOCC), we have already moved about 6% of the racks, allowing us to retire those racks at Kinnear Road Center (KRC).
- In late October and early November we moved production email, call center services, Lync Instant Messaging and Lync Presence, and Lync Voice Mail Services from KRC to the SOCC.
- We moved the HR Data Warehouse (Netezza) during the first week of December.
- We’re prepping systems and finalizing migration plans to ensure moves in early 2015 go smoothly, so we had a light schedule of moves for November and December.
- January will be especially busy; we have moved several systems already and plan to move 18 by month end. If there’s downtime, we will remind users about specific dates as changes occur.
- We’re excited to report that we have received and configured 40 MediaTrix servers, which will help facilitate the replacement of the existing phone switch currently housed at KRC.
- The first wave of material has been ordered to start the relocation of our fiber and copper distribution currently housed at KRC.
- The project executive steering committee had the opportunity to tour the SOCC for the first time in December to see our new data center suite as well as tour the mechanical areas of the SOCC.
- 30 racks have been installed in the colocation area. Colocation customers began their moves at the end of December.
Document Management & eSignature
This project focuses on developing a university-wide electronic signature service offering using a product called DocuSign. It will also consolidate two existing document management systems (DocFinity DMS and Oracle DCM) onto a single system called Hyland OnBase. The new document management service is being designed not only to store existing documents but also to securely contain restricted data.
- The team has completed work on the eSignature service offering, and it is in the approval process.
- We continued updating university policy to allow electronic signatures to be used for business functions.
- eSignature product demonstrations were completed for the Office of Human Resources, the College of Education & Human Ecology, and the Schoenbaum Family Center.
- We signed the vendor contract and began the discovery process to kick off Electronic Document Management (EDM).
- The EDM Development environment has been created and configuration has started.
- We hosted System Administrator training for Hyland OnBase.
- In January we are building out the EDM Quality Assurance and Production environments and providing Hyland OnBase Workflow training.
- EDM discovery is underway with DocFinity and DCM users.
- We started testing eSignature and began IDM integration work.
- EDM is working with the Access and IDM Teams to provide LDAP groups for authorization.
- We expect to complete the eSignature service offering in December. The IDM integration is due in February.
- eSignature policy changes should be complete in February.
Information security is the number one risk at Ohio State. In FY14, the university introduced a new Information Security Standard with which all units must comply within three years. OCIO will protect university data by ensuring core systems comply with these security standards.
- In late October we completed the 2015 Risk Assessment, which measured our current risk and compliance levels in the 30 control areas as outlined by Enterprise Security in the Risk Framework.
- We submitted our Risk Management Strategy in mid-December, which forecasts our risk and compliance levels for the next three years based on activities identified by security liaisons across the OCIO.
- This month we began putting together the detailed project plan to execute the activities identified to decrease our organizational risk and increase our compliance levels.
- We’ll also be working on those new activities planned for FY15 and continue working on the activities already in progress.
- Security liaisons will work on rolling out an OCIO risk register to help track all risk being actively mitigated and to prioritize new risks as they are identified through internal audit, vulnerability scans, self-assessments, etc.
- Our 2014 Risk Assessment scores reflect a 30% overall increase from our assessment in 2013. We increased our scores in 17 of the 30 control areas!
Flexible Access Identity Synchronization
At Ohio State, we have 100+ sign-on and access systems. These technical silos make it very difficult for us to partner on even basic IT systems and support. Partnering has numerous benefits:
- Reduces costs,
- Facilitates cross-disciplinary work, and
- Positions the university to be more flexible and nimble in addressing specialized research and teaching IT needs.
Identity synchronization will reduce the number of log-in IDs and passwords that users must maintain and keep identity information up to date with authoritative sources.
OCIO and department IT staff are working together to remove technical silos and clear the path for unit-to-unit partnerships that deliver shared IT services with bottom-line results. To date we have completed syncing with Student Life, University Advancement and Office of Research.
The next partners in line to work with us on syncing logins are the College of Veterinary Medicine, the College of Optometry, the College of Pharmacy, Newark Campus and the President’s Office.
We have enabled Identity Synchronization for approximately 74.6% of university appointments!
One final note…
Our Data Warehouse Modernization project has been placed on hold. The project aims to update our data warehouse to improve accuracy and comparability of university data, which will provide consistent and reliable data to facilitate strategic, tactical, and operational decision-making. An update on this project will be provided when it becomes available.
SECURITY TOP 4
Flexible Access Active Directory
Similar to the goals of identity synchronization, the flexible access active directory project will break down silos. The team will consolidate the existing access systems (aka Active Directory) across OCIO’s desktop support customers. This project will reduce “IT friction” to promote interdisciplinary collaborations, facilitate co-investments in IT, and position the university to better secure its information resources without substantially increasing costs.
So far, the team has built a new active directory, completed service design, performed a security risk assessment gap analysis and connected to the identity management system for automated account provisioning. This process was piloted with OCIO and consolidation efforts are well underway.
Next steps are to consolidate relevant systems within OCIO and at Ohio State Mansfield by the end of January. Migrations will be initiated for the Office of Human Resources, Wexner Center for the Arts, Business & Finance, Administration & Planning and the Office of Distance Education and eLearning.
The Active Directory and Security teams partnered with the Networking team to provide new wireless functionality. Now, after being migrated to the Active Directory, users can go anywhere on campus and automatically connect to resources that allow them to file documents and print on wireless without a VPN.
Endpoint Data Defense
Simple anti-virus solutions are not sufficient protection for workstations, laptops, and other devices. The Endpoint Data Defense project will design and implement the Client Protection – Endpoint Defense service and deploy the Symantec Endpoint Protection (SEP) solution to university units. SEP will protect university devices from multiple threats, with a management structure that allows participating units flexibility and cost efficiencies.
- Service design is complete.
- We finished a Risk Assessment as a pilot for the Risk Assessment Team’s new service delivery method.
- We completed our pilot with OCIO, then kicked off deployment in OCIO and the following university units: select departments in the College of Arts & Sciences and the College of Food, Agriculture and Environmental Sciences, Ohio State Marion Campus and Ohio State Mansfield Campus.
- OCIO migrations for Windows machines will be completed in January and Macs are scheduled to be completed in early February.
- Deployment work continues for the select departments in the College of Arts & Sciences and the College of Food, Agriculture and Environmental Sciences, Ohio State Marion Campus and Ohio State Mansfield Campus.
- Deployment will begin in late January through March for the following units: Department of Athletics, Office of Human Resources, Business & Finance, Administration & Planning and the Wexner Medical Center (including the College of Medicine).
- This type of defense is important because the biggest “secret” to why computers keep getting infected is that people don't follow basic best practices.
- The vast majority of people know that they should not click on strange attachments or links in email. The vast majority of people have also been told to eat right and exercise, but don't always follow those guidelines either. Scanning with SEP has shown that many people click on viruses more than once.
Frontline Data Defense
Encrypting data on desktops and laptops is a foundational protection required by most regulations, and is the first line of protection from data tampering and theft. The Endpoint Data Defense project will design and implement the Client Protection/Endpoint Encryption service and deploy the Dell Data Protection Encryption (DDPE) solution to university units. This solution will replace and update the functionality of existing encryption options for participating units, eliminating the need for units to self-fund this requirement.
- We have completed service design.
- We have completed a Risk Assessment as a pilot for the Risk Assessment Team’s new service delivery method.
- We completed our pilot with OCIO and began deployment.
- In January, we will continue to deploy the DDPE solution to OCIO, select departments in the College of Food, Agriculture and Environmental Sciences, Wexner Medical Center (including the College of Medicine) and the Department of Athletics.
- Deployment will begin in mid-January through March for the College of Pharmacy, the College of Optometry and Ohio State Mansfield.
Scanning with our new tool has revealed some machines and systems that were not protected as well as we expected; all of these systems are now securely encrypted.
While university groups know that Information Security is important – a top risk at the University – many do not know where to focus time and effort. The Information Security Framework provides Ohio State with the tools to organize, measure, and manage information risk. This year, in Phase 2 of the project, the focus will be on further development of tools in the three risk management stages.
- We published the Information Security Standard and Information Security Control Requirements and established a process to update these documents.
- Kicking off the development of job aids, the team completed updates and revisions to the Information Risk Survey & Risk Management Strategy with the assistance of a drafting committee composed of representatives from 11 university organizations. This involvement helped provide buy-in and much-needed feedback to the project team.
- We completed our 2nd annual Information Risk Survey with 100% participation from 60 university organizations. Our team developed and hosted training and results workshops for university organizations. The results show an improvement in the university’s overall risk score.
- The project team developed the Automated Reporting Tool (ART) to automate the Information Risk Survey & Risk Management Strategy 'score card' results. The ART tool allowed for results to be generated more quickly so they could be passed on to university organizations much sooner.
- In December, we completed our 2nd annual Risk Management Strategy with 100% participation from 60 university organizations.
- We built Testability Requirements for Top 8 Risk Areas with Internal Audit.
- We completed two regulation mappings to ISCR (HIPAA & 48 CFR 252) with OSUWMC Security Team & Compliance and Integrity.
- Development of the Information Security Self-Assessment (ISSA) will be completed in January. We will pilot the ISSA with two university organizations starting in March 2015.
- The Automated Reporting Tool (ART) will be further developed to automatically create a “heat map” showing areas of greatest IT risk.
- The team will complete 50% of Priority 1 (P1) job aids – 16 in total – in the second half of the year.
- We expect to complete requirements and planning for the Framework Dashboard by June.
Within a year of the Framework program’s establishment, we have achieved 100% university-wide participation.