InfraSec 08.12.15 Minutes

Attending:

Chris Hollenback, Jason Maslanka, Chris Barton, Sandeep Dath, Mat Willis, Dean Dang, Therese Molina, Cynthia Herrera Lindstrom, Mark Goedert, Marcin Hiolski, Ernesto Reyna, Lalo Camacho, Bala Ramaraju, Josh Naylor, Mike Kirda, Vinay Surpuriya, Phil Reiter, Ed Zawacki, Kevin Price, Kevin Shalla, Lisa Blake, Doug McCarthy, Andre Pavkovic, Johnathan Kupferer, Ian Huggins, Heather O’Leary, Julio Chavarria, Gene Fruit, Dan Pollack, Ron Fernandez

  • Digital Accessibility (Subcommittee Report)
    • Membership is being pared down
      • Reviewing subcommittee
  • Risk Management (Subcommittee Report)
    • Audit Management Letter
      • A letter was issued to deans in Health Science Colleges regarding the need for further action on responding to risk findings
      • Consideration of where findings should be shared; involves more than HIPAA
    • Response to Request for Qualifications
      • Response received from some vendors on RFQ process
      • Data inventory tools are being assessed for risk management
      • Focus afterwards will be on scope and requirements-gathering
    • RACI Chart
      • Discussion of RACI chart developed for risk management
      • Work will continue on visibility, what needs to be done next in units
      • Discussion on role of governance in chart, and determining/assigning tasks
  • Security Program (Subcommittee Report)
    • Work is continuing on updating program with suggestions from review
      • Role of HIPAA Security & Privacy Officer will be added
      • Discussion of subcommittee’s place in ITGC: suggestion it shouldn’t be ongoing
      • Discussion on consequences of not pursuing proposals
      • Standing Subcommittees
    • Regional Sites subcommittee still working to finalize a list of members
      • Discussion on role of subcommittee, finding representatives for regional sites
  • Business
    • IT Security Program Letter
      • Discussion of letter, edits, how to refer to the program
      • Approved Motion: Motion to approve letter with edits was passed
  • Discussion
    • Governance Structure Lunch Meeting Recap
      • Best method needs to be discerned for evaluating business needs and gaps
      • Suggestion for every unit to identify all of their provided services, and bring back to the committee to identify shared needs
      • Discussion on gaining more knowledge on COBIT, to help with implementation
    • College and Unit IT Service Catalogs & Priorities
      • Overview of ITGC process timeline
      • Three main subcommittees exist
      • Suggestion that proposals will probably come from Risk Management group
      • Suggestion to create process to identify priorities and create subcommittees to address them for the following year
    • Encryption Policy Expansion for Mobile Devices in the Covered Entity
      • Recent expansion of IT Security Program includes encrypting mobile devices
      • Mainly affects Health Science Colleges
      • Timeline and implementation will be set for Microsoft BitLocker Administration & Monitoring
      • Discussion of resources, status of recommendations, requirements being met
      • Discussion of personal devices, accessing high risk data without downloading/storing
    • Web/Content Management System
      • With launch of new UIC website, recommendation that a governance committee exist to deal with web issues
      • Suggestion to create subcommittee to address issues: create a policy of standards, best practices, and templates for use by units
      • Discussion of related efforts: UIC website redesign, previous CMS subcommittee
      • Discussion of overlap with Pixo recommendations
      • Will investigate existing committee and work with Public Affairs on this effort
    • Cloud Storage Documentation
      • Discussion between IT directors about various cloud storage options on campus: what is allowed to be stored on each, related policies, etc.
      • Suggestion to create a matrix of options, and what each can/should be used for
      • Update will be given next meeting
  • Announcements
    • Expect Bylaws Revision in September
    • InfraSec Representatives
      • Suggestion that InfraSec representatives communicate with REACH in their units
    • Cloud Services
      • Suggestions that there are efforts to get a cloud service under contract
    • Committee on Policies
      • Note that a committee to create policies on policies has been created
    • Personal Email
      • The option to ‘forward to personal email’ to be removed when O365 launches
    • Phone Charging in Classrooms
      • Concern about potential problems with students charging phones in many outlets
      • Suggestion to consider USB charging in classrooms, policies with stolen phones
      • Discussion of existing efforts