EDUCAUSE | Data Administration and Management

Podcast: The Big Brother Dilemma

gbayne — Wed, 11 Jun 2008 17:52:18 -0500

This podcast features a 50 minute keynote address from the EDUCAUSE 2008 Enterprise Conference. The speech, "The Big Brother Dilemma," is by Gregory A. Jackson, Vice President & CIO, University of Chicago.

We want cameras watching for problems, but we worry that they will observe or disclose things we'd like to keep private. We want network administrators to track harassing e-mail to its source, but we don't want anyone monitoring our e-mail. We want our buildings to admit occupants and keep strangers out, but we don't want anyone keeping track of when we arrive and leave. In other words, we want big brothers to watch out for us, but we don't want Big Brother to watch us. And IT is caught in the middle.

note: commercial material from television and movies was used in this speech and has been cut out of the recording with as little effect on the speech as possible.

Academic Analytics: New Resource Document, EDUCAUSE Presentation

jpcampbe — Fri, 19 Oct 2007 08:05:01 -0500

New Document: Academic Analytics:

The importance of student success (commonly measured as degree completion) continues to rise, as does the demand for institutional accountability. Academic analytics can help institutions address student success and accountability while better fulfilling their academic missions. Academic systems generate a wide array of data that can predict retention and graduation. Academic analytics marries that data with statistical techniques and predictive modeling to help faculty and advisors determine which students may face academic difficulty, allowing interventions to help them succeed. This paper highlights what IT and institutional leaders need to understand about academic analytics, including changes it may require in data standards, systems, processes, policies, and institutional culture. http://www.educause.edu/ir/library/pdf/PUB6101.pdf

EDUCAUSE Presentation:

Interested in academic analytics? Please join my session at EDUCAUSE on Thursday, October 25, 2007 from 2:20 p.m. - 3:10 p.m. in Metropolitan B, 3rd Floor (Sheraton Hotel). This session will discuss ongoing work at Purdue University in utilizing academic analytics to improve student success.

Additional Resources:

EDUCAUSE Review: Academic Analytics: A New Tool for a New Era

http://www.educause.edu/apps/er/erm07/erm0742.asp

ELI Webinar: Academic Analytics: A New Tool for a New Era http://www.educause.edu/ELIWEB0710

Managing IT: A Thousand Mile Front

tsimpson — Fri, 15 Jun 2007 18:20:55 -0500

I should have knocked on wood yesterday. Toward the end of the day I sighed and thought about what we had accomplished this year in MICA's technology department. This was a big mistake.

The penalty for this arrived first thing this morning with a 108 degree server room.

We are fighting the fight along a thousand mile front, seemingly. We have spent much of the last year getting support for a set of upgrades and a shift in how we approach technology at MICA (see MICA Connected). We have also developed the best staff we have ever had -- I mean a really, really great staff. We have worked hard to develop internal decision making and communication processes. We have collaborated with peer institutions. We have worked creatively with vendors. It seemed like there was nothing that could stand in our way.

to be continued . . .

EDUCAUSE Security Conference: Who Owns the Data, Anyway?

llarsen — Tue, 17 Apr 2007 18:45:04 -0500

Summary:

Who Owns the Data, Anyway? Defining Data Stewardship

Cathy Hubbs, Director, IT Security, George Mason University

Robert Nakles, Executive Director, ITU Security and Project Office, George Mason University

EDUCAUSE Security Professionals Conference

Wednesday, April 11, 2007

Denver, CO

Notes:

Cathy Hubbs and Bob Nackles began their talk with some background information about their environment at George Mason University.

Mainframes to Enterprise Resource Planning

In the mainframe era of what now seems the distant past, just a few chosen people were involved with data at any given college or university. It was easier to be guardians of the data and the access points were limited. While many had access to the data, few had the ability to write to it. Few policies were needed.

Now everyone is involved with data starting with ERPs. We use a single database to store data across the institution and the ownership and responsibilities have become entangled. Today many people create data and even more people have access to read it. Today more policies are needed, the review process is much more stringent, and the policies have a greater impact on process.

ERPs bring a new complexity to the question of data ownership. With the client/server relationship and distributed ownership, it is difficult to secure the end points.

Data Security

Hubb and Nakles ask “what does it take to move a university to become more secure?”

and their answer is that you must have a supportive administration!

They quoted Alan Merten, George Mason President, from the 2005

<a href="http://www.educause.edu/LibraryDetailPage/666?ID=CSD4121”>"Cyber Security on Campus" Executive Awareness Video </a>

“Education and Attention. If every time the President, Deans, and Vice Presidents are getting together and they see that cyber security is on the agenda, we move it from being an IT problem to being my [the University’s] problem. Then we are making progress.” [Alan Merton}

and Tom Hennessey, Chief of Staff to President Merten on the necessary collaboration between IT security and university leadership.

“Collaboration between the IT Security Office and the leadership of the University is critical.

We cannot accomplish our mission to protect the systems that the University relies on to support the faculty, staff, and students without an integrated approach to the security issues we face in this day and age and the ones we face in the future.” [Tom Hennessey]

The channels of collaboration used at George Mason are

Privacy and Security Compliance Team (PSCT) (appointed by the university president)
- This group looks at compliance and business process issues and makes recommendations to the President. They also review departmental data policies and procedures.
Security liaisons (appointed by the CIO)

o This group provides the distributed points of contact for recommendations coming form PSCT and disseminate information. They are also the point of contacts for security incidents real or suspected and report through the Computer Security Incident Response Team (CSIRT). In addition they advise on training gaps and review proposed security policies.

Staff senate (elected body)
- This group fosters communication on data security issues to the greater community and acts as a liaison with the other groups.

Hubbs and Nakles stressed the need for data stakeholders to own their own information.

They believe a strong security program is built on conscientious users who fully participate in the process and that establishing ownership and defining the sensitivity of the data helps users understand their role and responsibilities. Two key questions they ask are:

Do users fully understand which data are sensitive and which need special handling?
Who determines if the data they access in their work needs protection?

Establishing the Data Transmission Policy

The CIO at George Mason introduced the data transmission policy idea which was conceived to spell out data responsibilities and the IT security office researched and compared data stewardship policies as they shaped the document. They also looked at NIST computer security publications. Afterwards, the PSCT refocused the original policy, enlarging its scope and bolstering its strength and thus the data stewardship policy was born.

Data Stewards

The new policy defines both the data stewards for George Mason.

The Chief Data Stewards are the CFO & Provost as they have ultimate responsibility for data the two sectors of data at the university.
Data Stewards are Deans, Vice-Presidents, Supervisors, Directors, Managers, or others specifically identified for a subset of the university data.
Data Administrators are responsible for documenting and enabling user access to a specific domain of university data.
Data Processors are those actually modifying the data.
Data users are any employee, contractor, affiliate etc who has access to the data but do not modify it.
Customers are any individuals from whom sensitive data is collected and stored in the system.

Data Classification

There are three levels of data classification noted in the policy.

Public use data that is available to anyone.
Internal use data which treads a fuzzy mid-ground set but is not generally available outside the institution. An example of “fuzzy” is a student’s grades which may be “privacy flagged”
Highly sensitive data includes financial records, credit card information, SSNs, and data falling under federal regulations.

Hubbs and Nakles polled the session attendees and somewhere between 30-40% said their institutions have a data stewardship policy.

Data Responsibilities

Both organizations and individuals responsible for access to and storage of highly sensitive data require a formal written request to the appropriate data administrator for access and each unit must have documented procedures that preserve and protect sensitive data.

Communication and Awareness Training

Five key communication channels exist in order to get the word out to the 7K employees at George Mason about their own responsibilities in data stewardship and security.

PSCT and the Security Liaisons have combined meetings (invited legal, financial, etc) Note that data stewardship and security is not considered an IT problem at George Mason, it’s a university problem.
Desktop Computer Security website has been established with prescriptive steps to keep desktops “locked down.” It was noted that for highly sensitive data the resident Security Liaison provided consultation.

· Staff Senate formed the Security Privacy and Compliance Work Group (SPCWG) that was comprised of real workers that translated to a real voice in the university. Staff will be the main implementers of the policy.

· The IT Security Office provides consultations and presentations (awareness training)

· A memo was sent to all university staff and faculty from the Chief Data Stewards on first anniversary of the policy implementation. It basically confirms that no one should handle any sensitive data unless they have been properly trained and authorized.

In addition, the CIO sent note saying “we know of only ten people who should be working with (highly sensitive data) and if you are not one of those ten then you must not be handling it.”

Hubbs and Nakles showed a video clip of Tom Hennessey supporting the policy.

Closing comments

The reason we should care about these issues:

All universities handle sensitive data
We all establish policies and use them to support the institutional mission
We need the support and participation from the administration as well as the staff to make sure the policies work.

Therefore we, as the greater IT community should:

Share the process of getting data policy on the table
Gain administrative support and participation
Be sure the policy is at the university-wide level
Keep in mind this is only one piece of a security program

Q&A

There is sometimes a need to differentiate between the “data of record” when there may be other sets of information which are virtually the same but have appropriate other uses.
The focus is primarily on data in ERP systems.
There is a focus on both data integrity and data security.
There are related data retention policy & process issues.
Both electronic and paper are of a concern.

The presentation slides for “Who Owns the Data Anyway?” are available via the conference website at http://www.educause.edu/SEC07/Program/11616?Product_Code=SEC07/SESS14.

EDUCAUSE2006 Podcast: Consolidating Data Management

Carie417 — Fri, 02 Mar 2007 18:16:27 -0600

In this 40-minute recording from the 2006 EDUCAUSE Annual Conference, we'll hear from Hubert Daugherty and Barry Ribbeck in a session entitled Consolidating Data Management with Enterprise Storage and Backups. They will outline how Rice University attacked scaling for exponential data growth rate with some new and innovative technologies.

E2005 Podcast: Converting Data into Decisions: A Data-Fueled Architecture

podcaster — Wed, 01 Feb 2006 18:34:59 -0600

This 39 minute recording provides coverage of the 2005 EDUCAUSE Annual Conference Session entitled Converting Data into Decisions: A Data-Fueled Architecture.

E2005 Podcast: The Data Deluge Hits Campus

podcaster — Fri, 27 Jan 2006 18:26:11 -0600

This 53 minute presentation by Cliff Lynch provides coverage of the 2005 EDUCAUSE Annual Conference Session entitled The Data Deluge Hits Campus.