CSG-Winter-2008 – Oren Sreebny

[CSG Winter 08] Information Management Policy

Rodney Hill, Educause Professor Chun Wei Choo at Toronto – has a good definition of info management. The systematic, imaginative, and responsible management of information so that: * the creation and use of information contributes strategically to the organization’s goals * groups and individuals have efficient access to and make effective use of the information … Continue reading “[CSG Winter 08] Information Management Policy”

Rodney Hill, Educause

Professor Chun Wei Choo at Toronto – has a good definition of info management.

The systematic, imaginative, and responsible management of information so that:

* the creation and use of information contributes strategically to the organization’s goals

* groups and individuals have efficient access to and make effective use of the information they need to do their work and to develop themselves.

How many CSG schools have info management policies? Not many.

What is Information Management – informal survey of policies from the working group of the eudcause security task force:

Data retention; records retention schedules; e-discovery; data classification; tools for encryption.

Paul Hill, MIT

from a security consultant: most organizations don’t know all the locations where data resides – the problem seems to be getting worse in many cases. they concentrate on asking people about data they have that they shouldn’t have.

The Institute archivist – wants to preserve context along with content. Need to ensure appropriate destruction of non-permanent records in a timely manner.

Sponsored programs – want to get rid of excess data. Concerned about data that’s distributed on campus.

Researchers – need to preserve data for long term – example is the Framingham Heart Study that started in 1948 and is now in its third generation of participants. Data gets repurposed – eg. in 2003 went into that data to mine the social network graphs. There’s all sorts of metadata and workflow context that needs to preserved along with the data.

Enterprise architect – every project should be asked “why are you collecting this data?” and “what is the necessary lifetime of this data?”

Informal survey – we’re all over the map.

Length of preservation of DHCP logs? never, 2 weeks, all the way to multiple years.

Length of authentication logs? from 48 hrs up to seven years.

Nobody seems to have URLs for policies related to log file retention.

Educause is going to have a half-day workshop on developing electronic records policies in early May in Arlington.

[CSG Winter 08] Minimizing Use, Misuse, and Risk of Inadvertent Disclosure of SSN and Other Sensitive Data at Institutions of Higher Education

The last morning of CSG kicks off with a policy discussion on minimizing use of SSN and other sensitive data. Steve Shuster, Cornell Started data security policy work two years ago. Has had a long-standing data stewardship program on campus, aligned to Vice President offices. There were gaps – VPs don’t think about security as … Continue reading “[CSG Winter 08] Minimizing Use, Misuse, and Risk of Inadvertent Disclosure of SSN and Other Sensitive Data at Institutions of Higher Education”

The last morning of CSG kicks off with a policy discussion on minimizing use of SSN and other sensitive data.

Steve Shuster, Cornell

Started data security policy work two years ago. Has had a long-standing data stewardship program on campus, aligned to Vice President offices. There were gaps – VPs don’t think about security as rules change. Policies and practices haven’t always been consistent. Started Data Incident Response Team (DIRT) – determines need to notify, how much analysis is enough, etc. VP of IT, Policy Office, Audit, Counsel, etc. Were taking about one incident per month to that group where sensitive data were involved.

Stepped back to think about data exposure – three categories: public, restricted, confidential. “restricted” is the default – allows the stewards to just worry about the extremities. Defined specific security requirements for the three classifications. IT security council – lead security person from each of the units, meets monthly. Established strong exception process – first thing you hear when talking about requirements is why people can’t conform. Have mechanism to update requirements continuously.

Policy has highlighted some things: Missing some data stewards, pieces of data that run across the data stewards, eg SSN. Looking at having a PII Officer that would be responsible for that kind of data. Finding the data is hard. Created a Cornell Spider application that can crawl a computer to look for confidential data. 50-60% of computers on campus have some confidential data on them.

Randy Marchany, Virginia Tech

Their needs: Stay out of the press; stay out fo the courts; preserve data integrity; respect the privacy of students and employees.

privacyrights.org has a good chronology of data breaches.

Steps for managing sensitive data:

#1 – Do what you can do when you can do it.

Pre 2003 –

Building Blocks – a one page acceptable use policy; Data classification

Tools – SSL

Education – awareness seminars

Compliance – HR disciplinary action

#2 Create a framework for doing it – an IT Security Task Force – has lots of committees across the entire scope of the central IT division.

#4 (what happened to 3?) – Don’t think you’re done.

Built tools (including use of Cornell’s spider), encryption

Education – awareness sessions, faculty institute

Compliance – IT security reviews of departments, Audit

A complete solution is not needed to get something done.

Everyone has a role

Pulling all the pieces together is the challenge, and making sure it works

Cam Beasley, Texas

Formed compliance group with admin units in 2002.

Had a significant SSN incident in 2003, so got really serious.

2006 had another incident – turned out that they hadn’t involved very many academic representatives in their work.

Since that have implemented formal policies, how systems are to be managed and how apps are to be developed. The two major incidents were insecure apps.

Have developed data stewardship program.

By 2005-2006 had shut off admin sensitive info flows. But still had problems out in the units. Developed a point ‘n’ click sensitive number finder – built in Java, uses bit-mask pattern matching (faster than regexp). Applied it in client and also for open shares over SMB or NFS. Also worked with Sourcefire (their IDS vendor) to build this algorithm in as a preprocessor (also works with Snort).

Developed another tool (issora?) – federated risk assessment tool. Applied data classification tool to it, were able to classify data on almost 48k machines. Now have faculty members who speak the same language (eg. know what category 1 data means).

Klara Jelinkova, Duke

A lot of what they’re trying to do is about balance – divided problem: Duke Medicine security handles HIPAA data and policy; University handles FERPA and DMCA. That’s been very effective. As the two groups move closer together (joint ID mgmt, networking, etc), there’s more need for a higher-level policy group, which they’re exploring. As a technologist she’s been skeptical of policy and whether it works.

Longstanding policy – unique ID should be substituted for SSN. Talman Trask (exec VP) sent letter to all the deans – storage of SSN requires his approval. Had a breach in a departmentl web server – found out it had an app for brochure requests that asked for SSN to do later correlation. Who has the responsibility policies aren’t followed? Is it the CIO?

Lots of discussion – one question that came up is what’s the sensitivity of passport numbers? Wasn’t in any of the policies.

[CSG Winter 08] CIO Panel

Ron Johnson – Washington quote from Ron: “all of us have worked on our junior lawyer merit badges over the past ten years”. UW senior leadership has been working hard on the issues of preserving electronic records – we don’t do particularly well when it’s not a big case. We’re threatened with suits almost every … Continue reading “[CSG Winter 08] CIO Panel”

Ron Johnson – Washington

quote from Ron: “all of us have worked on our junior lawyer merit badges over the past ten years”. UW senior leadership has been working hard on the issues of preserving electronic records – we don’t do particularly well when it’s not a big case. We’re threatened with suits almost every day for something. Learned a lot about new rules for civil procedures – spoliation is a new concept about failure to preserve evidence. There’s a presumption that you’re hiding something and that can lead to penalties.

Ron cites some cases where when evidence can’t be produced the judges instruct to presume that the missing records would have been harmful to the defendant’s case. Think about the world where opposing counsel uses these tactics regularly against universities. It’s a challenge just to know where to look for evidence – and judges won’t accept not knowing.

Ron urges universities to adopt common practices for these kinds of cases. We need reasonable structures for electronic records retention.

Dave Lambert – Georgetown

Georgetown has a unique risk profile, being private and Jesuit, and existing in the DC political environment. How does this play out in the safety and facilities space and the IT organization’s support for that?

Has roots in the response to Y2K. That was the first business continuity planning they’d done. By 9/11 that had turned out to be very useful. By early 2002 had created a new cabinet position – VP for University Safety. As they paid more attention to safety systems they became aware of what bad shape they were in. The infrastructure had migrated from analog to a digital base, but the units didn’t always have the IT resources to manage that well. Responsibility for those systems got assigned to central IT. They created an application team and developed a physical safety and facilities support team. They’re a little less than two years into that process. Brought expertise into the institution who had background in safety and complex enterprise systems. Used a head hunter to recruit, but they could only identify two people in the country with the right skills. Hired one of them from Johns Hopkins. Current projects include command center infrastructure, notifications center, executive communications support (including requiring senior executives to carry satellite phones), repairing emergency phone system, upgrading and expanding door control system, expanding and updating an on-campus camera system, a PA system deployment plan, survivable web planning (including reengineering of DNS to support it), review of fire alarm management system, campus card system, smart perimeter control, and more.

Staffing has been a challenge – finding people with the right skills. There is not a professional community who have been working in this area that can handle the level of demand. New partnerships and constituencies with new cultures and sensitivities.

Joel Smith – Carnegie Mellon

Structuring communications in emergencies. Things came up from faculty in social sciences (including Baruch Fischhoff) – don’t focus so much on how to get message to everyone, but more on making sure the message has the desired effect. People will react to messages in ways you don’t expect. Important to do testing. Need not only subject experts, but decision analysts, and social scientists. There’s a relevant article here. Public relations vs. public safety. Public relations role is to assure people ahead of time that they’ll get good information. Public health or safety folks get out the messages about what to do. What happened in Katrina was those roles got confused.

Erv Blythe – VA Tech

Summing up lessons learned.

400 professional staff and faculty in IT organization. Every person and function was touched and stressed in ways unanticipated. e.g. Who was in that building (not who was scheduled to be)? Could they mine telephone and network logs? Can you find the social networks that connected people in that building? What information can IT provide to aid in biometric identification of victims? Kinds of info not kept in typical enterprise systems.

Now asking with every project – are there ways to leverage this project to improve safety and response? Can we see ways in which this project can aid in mitigation and recovery? But need to remind ourselves not to consider everything in the context of this particular event.

Physical safety and security is one of the things that CIOs need to be responsible for.

These were brutal and horrible events. Every VT IT person will go to every length to share whatever information they have learned from these lessons.

[CSG Winter 08] Technology issues and implications around the VT shootings – Panel: IT Infrastructure relating to th

William Dougherty – Systems Support Richard Hach – Network Admin Carl Harris – Network Engineering Mary Beth Nash – Legal Counsel Jeff Crowder – Program Director They did a review of the communications infrastructure and IT supporting response and recovery. Themes/Conclusions – Systems owned and controlled by the university generally adapted to crisis conditions. Provider-owned … Continue reading “[CSG Winter 08] Technology issues and implications around the VT shootings – Panel: IT Infrastructure relating to th”

William Dougherty – Systems Support

Richard Hach – Network Admin

Carl Harris – Network Engineering

Mary Beth Nash – Legal Counsel

Jeff Crowder – Program Director

They did a review of the communications infrastructure and IT supporting response and recovery.

Themes/Conclusions

– Systems owned and controlled by the university generally adapted to crisis conditions. Provider-owned systems could not.

– Current IT infrastructure supports response and recovery, but does little for mitigation and preparedness.

Richard Hach –

Stress factors – web site had as much in the single day as they had previously seen in their busiest month; 300% increase in calls in the campus phone system; Blacksburg central office had capacity issues. The PSTN is configured for average peak loads – not peak usage in a crisis. Cell networks became congested and blocked calls.

Cellular providers dispatched technicians to add capacity to their networks. By 4/17 Sprint, US Cellular, and Verizon each had “cell on light truck” systems operating on campus and had provided emergency-use phones and accessories.

Carl Harris –

Technical staff know what the institutional assets are and how to adapt them to a crisis. They had to: Install phone and data comm for 9 geographically dispersed command centers and media workrooms and counseling centers.

Brought on an additional gigabit of Internet connectivity in 10 minutes thanks to Nat’l Lambda Rail connection

The web hosting infrastructure was stressed – database calls, rss feeds, etc. The web design folks aren’t always aware of what’s efficient. Extra servers came from surplus pile of stuff that had recently come out of service.

Radio communicatons – responders from several jurisdictions all with different radios. Radio transmission was less than ideal in some locations. Deficiencies in interoperability and coverage of police, fire, and rescue radios are decades-old problems in the US.

Notifications systems: used: Broadcast email to all @vt.edu addresses (with listserv); broadcast voicemail to campus phones; recorded message on the weather hotline; vt.edu web site and news web site; university switchboard; public media (tv, radio, newspapers); siren systems. A short list of vendors for cell phone alerts was identified prior to event, but they expedited after. selected 3n – does text messages, phone calls, email. Elected to hide vendor’s implementation and limit amount of selection choices. What vendors say about ability of systems to scale isn’t necessarily true – run stress tests. Students have phones off when in class, or don’t get signals in buildings, etc. Not a panacea. How to notify visitors on campus?

William Dougherty –

Data collection and preservation

April 16 meeting with central IT support staff (SS, Web hosting, DBMS) – knew they were going to be asked to preserve information. Started holding backup media.

Over next week spent time with law enforcement – fed, state, and campus. Brought warrants and subpoenas. Tried to draw relationships between victims and shooter. Reviewed email and web content.

April 23 – first preservation memo issued by legal counsel asking people to preserve any information that might pertain to event.

May 9 met with consultant hired by counsel (Servient)

May 10, meeting with departmental IT representatives

Took images of individual hard drives and other media of “persons of interest”. Finished last image Jan 8. Names on list changed regularly. Now determining how to restore data and make it searchable for discovery requests.

Stats: 27 departments interviewed, 149 individual data custodians (over 200 total images); 5 Tb of storage for these images; 10,000+ tapes stored from backup systems – over 900 TB stored. 5 TB of log files, including email, courseware, student systems, etc. Estimate 1400 person-hours spent on imaging process alone (and counting) – always had two people on site. All machines implemented were owned by the University. They requested that people who did work during the crisis on personal machines get them relevant information. The preservation memo put people on notice to preserve any information that they have.

GPG encryption was used for storage, with keys passed to legal counsel in sealed envelopes.

Out of 27 departments, only 4 had their own fileshare or backup systems – the rest use the central systems.

Information and Communications Infrastructure Group report (pdf)

[CSG Winter 08] Technology issues and implications around the VT shootings

Larry Hincker – Crisis communication VA Tech was an all-military school until 1964. 49 people shot, 32 dead. About 1500 first responders the first day, 27 ambulances from 14 agencies and give hospitals. Everybody who was take to the hospitals alive survived. Lots of police on campus – it wasn’t until about 24 hours into … Continue reading “[CSG Winter 08] Technology issues and implications around the VT shootings”

Larry Hincker – Crisis communication

VA Tech was an all-military school until 1964.

49 people shot, 32 dead.

About 1500 first responders the first day, 27 ambulances from 14 agencies and give hospitals. Everybody who was take to the hospitals alive survived.

Lots of police on campus – it wasn’t until about 24 hours into the event until the police we convinced it was a single shooter.

36,000 people from around the world posted condolences to a web site, 28,382 unique stories logged in first two weeks.

Dealing with the White House was not easy.

The media city – about 1,000 journalists and crew – 125 satellite trucks, 60 international agencies.

Crisis Communications –

– Have a plan – he was struck by how closely they hewed to the plan, even though they didn’t pull it off the shelf during the event.

– Have your CEO visible.

– Have a designated spokesperson

– Have a communications command center.

– Communicate as much as possible … as often as possible. Stay on message. Use other experts where necessary. ID target audiences and flood them with information.

Shooting over at 10 am. Posted statements to the web simultaneously. First news conference at noon, two more on first day. 11 news conferences across 8 days.

Running the press conference … walking the tightrope. Issuing a statement alone won’t work. Manage info needs day to day – topics moved from the murder, to gun control, to handling troubled students. Let the air out of the balloon – let people talk.

CEO out front – President at all press conferences on Monday, and on national news shows, etc.

Staying on message – what is the message when you feel like this? The message – we will not be defined by this tragedy, focus on the families, focus on helping the campus heal.

Setting up the media city – how to manage the media arriving in huge numbers? Where to put them, how to manage the phone calls (350 interview requests on Monday). Immediately added telecom capacity and prioirity, added mobile towers. Shfited calls to Joint Information Center by Tuesday afternoon.

Joint Information Center – it was extremely helpful that the state declared an emergency and helped support. Location afforded access to bathrooms, place to file stories, space to set up program sets. IT lifted the network security and enabled open access. They provided meals from local restaurants.

The role of the Web – a powerful tool in a crisis. Mike Dame – Director of Web Communications

Benefited from work on redesigning web site which built relationships between IT and Media Relations. The Web is the nexus of the University’s communication plan.

The had a plan for what to do on the web when a crisis arose. Learned a lot from a previous event (when an escaped convict was seen near campus).

First blast email sent at 9:26 with subject line “Shooting on campus”

9:31 – alert posted to home page

9:44 web staff overhears chatter on police scanner about gunshots – alerted IT staff to expect a huge spike – they started adding servers.

Went to a light version of the home page – just text and a the logo.

Goals for day of tragedy – communicate essential info, home page about brevity and clarity. Navigation reduced to pertinent sections – About VT, Administration, Campus Maps, Campus Buildings. Expand server load balancing. Establish communications workflows with the administration.

Launched lite version of home page at 10:17.

at 10:33 shut down news database to reduce load and go to an alert “details page”

new servers came on line in early afternoon.

Details page was presented in a very blog-like fashion – anything they knew they put on there. All multimedia files were kept on a separate server.

Next day talked and agreed on coming up with a new design for the home page – simple and austere that reflects a grieving university. Decided to think web 2.0 – engaging people in various ways and allow them to participate. Put students and families first in all decisions. Choose words carefully to aid healing. Created the condolences web site. Set up live video streaming for Convocation, partnering with Athletics.

Went to the new In Memoriam page at 1:57 right before the convocation started.

Used blog software they already had for the condolences site. 35,000 entries in 72 hours.

University began releasing victim names on 4/19. Those were displayed prominently on the home page. Worked with families to get photos and biographies for the victims.

Used In Memoriam page to target messages to specific communities, including students and the media. When classes resumed on 4/23 they made classroom buildings off limits to the media.

Went from an average of 10k hits per hour to over 150k hits per hour. 432 GB of data transferred on April 16 – a normal day is about 15 GB.

Transition to “normalcy” – tragedy still an open wound on campus. Transitioned to a blend of normal look with the remembering page. Reintroduced school colors, enlarged logo to make the “Invent the future” message stand out more. Still devoted the main content area to information and news about the events. Back to normal home page on May 15 – day after semester ended, but left the black ribbon on the top right which linked to the In Memoriam page.

(back to Larry) –

Surrogate Spokespersons

Coping with the media circus – on Wednesday got the reporters out and onto campus. The students presented themselves very well. Got a petition from student government asking whether they could ban the media from campus. Sent a letter to the entire campus community saying they couldn’t ban the media, but that they didn’t have to talk to the media if they didn’t want to. Put 152 signs on campus asking the media to respect and asking them not to go into buildings. Did media training for selected students.

When is the crisis over? When you say it is. Ran out of information.

Stabilizing a wounded community – continuing the web story. Had 400 reporters back on campus for commencement, which was hard.

Hard to convey the frantic nature of things.

After the healing concert they shut down and started concentrating on returning to normal.

Long Term Challenges –

Not to be defined; wearing the mantle without owning the issues; when is it right to move on?; Focus on core brand messages – “Invent the Future”; Focus on core mission – learning, discovery, engagement.

It may take a generation to get the image of VT back to what it was before – think U Texas with the tower shootings, or Kent State.

[CSG Winter 08] Campus Counsel Panel on copyright and file sharing

Steve McDonald, general counsel from the Rhode Island School of Design, is talking about general copyright law and some of the issues. around it. Steve’s presentation slides are here. Beth Cate, Associate General Counsel from Indiana University, is talking about the Early Settlement Offer process. She has polled some schools and done a bunch of … Continue reading “[CSG Winter 08] Campus Counsel Panel on copyright and file sharing”

Steve McDonald, general counsel from the Rhode Island School of Design, is talking about general copyright law and some of the issues. around it. Steve’s presentation slides are here.

Beth Cate, Associate General Counsel from Indiana University, is talking about the Early Settlement Offer process. She has polled some schools and done a bunch of talking with colleagues. The attorneys have told her that they wait till they have a batch of incidents to send them to a given school. In some cases they’ve seen pre-settlement letters a month or so after they’ve gotten takedown notices. She’s been told that these are two totally separate programs that are completely uncoordinated by the industry. They have seen some of these that are not students but employees. In response to a question of what happens if a user just ignores all communication, she says that it will eventually go to a default judgement, and Steve notes that there are dozens and dozens of these out there now.

She asked three recording industry attorneys whether schools have a legal duty to preserve data pending subpoena and got one yes, one no, one maybe. Under FRCP there’s no obligation to preserve before a subpoena. Some states have a cause of action for intentional or negligent third partiy spoliation of evidence. Not clear whether state or federal rules would apply. Most common response to RIAA seems to be “our policy is to retain logs for this period of time – if you get us a subpoena in that time frame then we’ll have the data.”

Lee Smith (U Texas) – many of these activities regarding privacy have to do with the legal background on search and seizure. This goes back to colonial law on “writs of assistance” which enabled warrants in enforcing commercial law. That’s the background of the principles in the Fourth Ammendment requiring probable cause.

Oregon- awaiting federal district judge to respond to their motion to quash. They’ve made a motion on oral argument – not anticipating any more briefing. They looked at RIAA’s strategy and the what the university’s role ought to be with regards to it. The industry strategy is to hire Media Sentry, who trolls the Internet for evidence of music file transfers. What they do is not entirely clear – in Oregon a 40 year old disabled woman, Tanya Anderson, and her seven year old daughter were sued by RIAA. The case was dismissed, but then the woman sued the RIAA. That case is pending in Oregon.

The early settlement letter directs people to a web site owned by the RIAA, where you can settle the case with a credit card – from the university’s perspective this looks like a shakedown. They simply decline to be enlisted by the RIAA in this endeavor, but they are preserving the data relevant to the complaints, and told the RIAA that. Then the RIAA filed a John Doe suit. The RIAA’s afadavit contended that the data was in danger of being destroyed and that’s why they needed an ex partae subpoena – Oregon finds that problematic. Oregon wonders whether they ask for ex partae judgements to avoid having to deal with parties with some resources to get the data – namely the University or the State. heav