To: Kathy Krendl, Provost
From: William Sams, Chief Information Officer
July 25, 2006
As you know, over the last several weeks the Information Technology staff and I have been working intensely to strengthen our data security. With the assistance of external experts, we've made very good progress.
We have closed the five security gaps discovered in April and May. We have carefully reviewed all 90 of the machines in the central server room and found no further problems. We are continuing our efforts to improve data security, and additional protective measures will be deployed in the weeks and months to come.
Now that the immediate response is behind us, I am turning my attention to laying the groundwork for strengthening the overall information technology function at Ohio University.
With the assistance of external experts, I have assessed our current situation and developed a 20-point action plan which I am calling the Blueprint for Building a World-Class IT Function at Ohio University.
This plan focuses on much more than just data security. It will align our IT people, technology, processes and plans with the needs of faculty, staff, students, alumni and other stakeholders. The Blueprint will enable the university to make the best possible use of information technology resources in order to enhance our academic mission of teaching, research, and service.
Over the next nine to 12 months, we will accomplish 20 key initiatives in three areas: Technology; Strategy and Process; and Organization and Governance. I estimate that these initiatives will require approximately $5.5 to $8 million, of which $2.5 million will be ongoing and $3 to $5.5 million will be one-time costs. Sources for these funds can include the $4 million allocated by the Board, as well as the existing IT budget.
Specifically, the Blueprint calls for the following:
Technology
- Implementing a perimeter firewall to protect computers outside of the central cluster.
- Monitoring network activity to identify attempted intrusions.
- Conducting an IT risk assessment to identify additional areas of exposure.
- Classifying data by the level of security required.
- Completing the installation of Active Directory, which will allow for a more complete Windows management system that will include central authentication.
- Developing an enterprise-wide security architecture which allows us to have multi-tiered defenses.
Strategy and Process
- Developing policies and procedures for enterprise-wide IT to assure consistency, and that best-practices approaches are followed.
- Implementing practices designed to prevent security problems, including network segmentation, virus and spyware detection.
- Reducing the use of Social Security numbers and encrypting those that are required.
- Implementing processes to monitor security and assure compliance.
- Developing a strategic plan for Information Technology.
- Assuring "business continuity" for network and systems operations.
- Creating a security administration framework which will assign clear roles and responsibilities for data security across the institution.
- Inventorying IT applications and information assets across the University.
Organization and Governance
- Restructuring the central IT organization in order to: establish clear roles and responsibilities, focus on meeting user needs and facilitate teamwork.
- Hiring additional security staff: adding two or three more full-time positions to complement the existing staff of two.
- Conducting an IT skills assessment to identify IT training and development needs throughout the institution.
- Establishing a project management team within the central IT office to ensure that the above efforts are completed on schedule.
- Improving communications with stakeholders.
- Restructuring the IT Leadership Council to expand stakeholder representation and increase its involvement in the approval of projects and the establishment of priorities.
Media Contact: Media Relations Coordinator Jessica Stark, (740) 597-2938, (513) 309-5843 or firstname.lastname@example.org