Enterprise Information System Committee

Non-Academic Sub-Council Meeting Minutes

September 26, 2013 (Thursday)
3:00pm – 4:00pm. Barge 412

Present: Connie Williams, Jillana Hernandez, Tina Short, Barry Caruthers, Chris Huss, Sue Noce, John Swiney, Lindsey Ulrich, Andreas Bohman.
Absent: Bill Yarwood, Lucinda Lunstrum, Lindsey Brown, Tim McGuire
Agenda Items:
Approve September 12th minutes. John Swiney motioned to approve the minutes, Chris Huss seconded.
Business Cases:
Oracle Security Software (Andreas Bohman):
In our current environment, PeopleSoft data is unencrypted on our servers. Also, our data is in clear text, not masked, in a non-production environment. This creates a risk of possible unauthorized disclosure of sensitive and confidential data.
With the ongoing restructuring of portal access, this opens up additional data access that is unencrypted. While infrastructure and application security mechanisms can protect sensitive data as users and administrators interact with the application, data stored unencrypted on the storage media is vulnerable to exploitation outside of the application framework.
Connie Williams asked if universities were a major target for external attackers.
Andreas responded that no, they are not a major target, but we do house a vast array of confidential student and staff information. If our systems were compromised, it would affect not only the data, but also our university reputation.
The encryption process is relatively simple. The data will be extracted; the current tablespaces will be removed and replaced with encrypted tablespaces. The data will be pumped back into the tablespaces using an Oracle import. The process takes about 3-4 hours and does not affect the amount of storage space needed.
The data masking process takes longer, and requires training and testing. However, it will be beneficial to manipulate data in non-production systems so it is no longer recognizable as valid personal/sensitive data. CWU would not need to be concerned about unauthorized access or extraction of sensitive data from non-production systems, which are generally available to a much wider development/testing audience.
The proposed timeline is October to April, and would hopefully run in conjunction with the iCat project. There is currently no funding for this project and it would cost about $500,000. Oracle would assist in implementation; CedarCrestone has the pricing information and the feasibility study.

Tina Short asked whether, with the timeline, the data in PeopleSoft 9.0 and 9.2 would be affected. Andreas responded that he would only like to manipulate data in PeopleSoft 9.2.
Connie and Tina were concerned about the current staff workload with various other iCat projects; perhaps staff would not take on another project. Andreas said he would not need that many people to implement. He had also spoken to a few employees, and they suggested the timeline and workload would be doable.
Connie Williams motioned to move forward. John Swiney seconded the motion.
Business Continuity Plan (Andreas Bohman):
Currently CWU has an Emergency Operations Plan for human safety, and a Disaster Response and Recovery Plan for getting IT operations up and running. However, CWU does not have a Business Continuity Plan (BCP).  A BCP would create a process for ensuring the continued availability of our critical business processes. In the event of a major disaster, we could rely on a BCP to return the university to full normal operations as soon as possible.
In order to implement a BCP we would need to bring in an outside vendor who can assess each university department.  This would include interviews, walkthroughs, identifying vital records, and operational dependencies. An outside vendor would be appropriate for the initial steps due to the amount of time/work it will take to assess each department on campus.
Since we currently do not have a plan, funding would initially go to the outside vendor to establish a plan. The average cost among the vendors who gave an estimate is $100,000. The timeline for the project is not immediate and could possibly start March 2014 after iCat completion.
Connie Williams motioned to move forward. Chris Huss seconded the motion.