2009/09/10 IT Services Meeting Minutes
Location: Room HSW300, Parnassus Campus
Date/time: 2-3:30 PM, Thursday, September 10, 2009
Host: Rebecca Nguyen, OAAIS - Customer Support Services
- 1-Question Survey
- SOM ISU Encryption Project Update
- Wireless Network Security Policy
- Security Tools Update
- UCare Status
- UC-wide IT Agreements
- VMware
- Announcements
A big thank you to Mark Spitzer and Dell for this month's refreshments!
Meeting audio/video capture: http://clsqt1b.ucsf.edu/qtmedia/ITSM_091009.mp4 (requires QuickTime software)
1-Question Survey
What topics would you like discussed at the third annual State of IT Forum at October’s IT Services Meeting, and whom would you like to see present?
Topics:
- Impact of budget cuts to IT services at UCSF.
- Infrastructure update by ENS: Even when hubs/switches/routers will be updated. Move from static IP's to DHCP. Expansion of full networks/subnets. Update on recharge on ports proposal. Expansion of wireless on campus now that the updates are over.
- Campus-wide coordination of efforts around information security, identity and access management, and creating a common culture of service across all IT organizations.
- Why are IT groups that are not part of SOM ISU, OAAIS and UCSFMC being marginalized at UCSF?
- MyAccess progress.
- I would like to see acknowledgment of the various IT groups on campus who aren't part of a major faction.
- EMR in outpatient clinics
- What is UCSF doing to promote IT collaboration between our counterparts at other UC locations? (For example, it strikes me that the five med centers have more in common with each other than necessarily with their university counterparts from an IT perspective).
- Will there ever be one ring to rule them all?
- Services offered out of the Minnesota St. data center (server hosting, for example?).
- UCSF-wide collaboration tools.
- State of UCSF in terms of IT best practices.
- In what ways do the various IT help desks rule? In what ways are they insufferable?
- Does UCSF strike the right balance between a centralized help desk and a distributed model?
- What populations are under-served in terms of IT support?
- Aruba wireless: When will it be everywhere? What comes after that?
- UCSF and mobile devices.
- Impact of Furloughs on IT.
- Will MyAccess eventually start to function as a one-stop-shop web portal? A place where users can log in and click links to things like VPN etc.
Suggested Panelists:
- Jose Claudio
- Jeff Fritz
- Michael Kamerick
- Jane Wong
- Russ Cucina
- As for the panel, how about one/ two of the techs at the 44100 numbers; one OAAIS and one MedCtr? It's nice to hear from the higher ups, but they speak jargon and don't often give straight answers. Are there any PR IT ppl on campus?
- Larry Lotenero
- Supervisors like Brad and Dan.
- Opinder Bawa
- Julie Cox
- Heidi Schmidt
SOM ISU Encryption Project Update
presented by Rhona Snyman, SOM ISU - Project Management
The following materials were not presented, but are provided for reference:
- Encryption Project Presentation to SOM Department Managers (application/vnd.ms-powerpoint, 536.1 kB)
- Encryption Handout for SOM Faculty (application/octet-stream, 48.9 kB)
SOM is still in the process of hiring another project manager. Rhona will continue to work on this project, even after the new person comes on board. SOM ISU is collaborating with OAAIS, Medical Center, and other groups in this project. OAAIS is hosting the Pointsec infrastructure for SOM and other departments. SOM ISU is writing standard operating procedures for installation, troubleshooting, and password recovery. These may be acquired by contacting Rhona. Urology will begin implementation on October 2. ISU is serving as a resource for independent departments.
During the actual implementation, SOM will be offering multiple laptop drop off / pick up locations for the users. Inventory analysis is the first step in implementing encryption in a department; this step will help determine which machines meet the minimum requirements for PointSec, which need RAM, and which need to be replaced.
The quality assurance process has been documented. The cost to departments is $94/hour for audit; SOM expects it should take 2-3 hours if things go smoothly.
OAAIS Enterprise Information Security (EIS) has scheduled monthly training. The Security Awareness, Training & Education (SATE) site has the dates: http://security.ucsf.edu/EIS/whats_new/1353-DSY.html. If a number of people require training at once, it may be possible to schedule on a different date. Contact EIS to arrange.
Q&A
- What is the status of department-specific installers? – OAAIS creates custom installers for departments and provides PointSec training for CSC’s. OAAIS will not release a custom build of PointSec until a department/unit’s support person has been formally trained. Sarah Mays of OAAIS EIS is creating the installers.
- What will SOM charge for encryption? – If SOM departments recharge their users, they would have to charge the same amount. SOM plans on charging $225 per device, more if over a weekend. This is based on the assumption of three hours of actual technician time. Encryption takes about 3-5 hours on average. $225 is a fixed cost regardless of how long the work takes.
- What are the licensing costs? – The dean is funding PointSec licenses and support for this fiscal year only. OAAIS will recharge $78 for the license, and $34 for one year of support. The license is transferable. You will only be recharged for support in subsequent years. You must notify OAAIS when a license is transferred from one user to another.
- If ISU performs the encryption, what support will they provide? – ISU will retain a profile backup for two weeks. Support will be available for encryption-related problems from 6:00am to 10:00pm during these two weeks. The CSC provides level one support, SOM provides second level support, and OAAIS will serve as third level support. The PointSec boot screen should contain support contact information specific to each custom installer.
- Is SOM outsourcing any of the field tech work? – SOM has hired one field tech whose primary responsibility is PointSec. They will not be hiring any more.
- What installation problems have you seen? – There are problems with Vista unless you’re using PointSec Release 71, the latest version. A version that works with Windows 7 is coming. Macs don’t write logs to the server.
Wireless Network Security Policy
presented by Stephen Lau, OAAIS - Enterprise Information Security
Presentation: UCSF Wireless Network Policy and Standards (application/vnd.ms-powerpoint, 162.3 kB)
Wireless network security has been identified as a high-risk issue. A security policy is currently in the approval process, and will likely be approved very soon. It will be an addendum to policy 650-16, the existing policy. Wireless network security is the responsibility of the unit that controls the physical space in which the network is available.
Beginning 10/1, an online application will allow you to register your wireless network with EIS. All wireless networks must have a documented security plan.
See PowerPoint presentation for details of the policy.
Q&A
- Given that the policy allows up to 3 access points with the same SSID, what if a group creates a network with five access points and uses different SSID's for each? – EIS expects groups not to circumvent policy restrictions in this way; in this case, the group should configure the access points in accordance with the guidelines for networks with greater than three access points.
- If two networks have conflicting SSID’s, who wins? – The new registration system will warn you if an SSID exists already. The reserved SSID’s (UCSF, UCSFwpa, etc.) always win. Wireless channel overlap must be resolved by the owners of the networks. OAAIS will step in if there is a conflict with one of their access points.
- MAC-based authentication is going to be banned -- does that include GALEN? Yes. This will happen by 6/30/10.
- Will guest wireless be in place by then? Yes, hopefully well before 6/30/10.
- Is there a process to buy Aruba access points? Yes -- submit a request to EIS. Whether or not you’ll be able to proceed depends on whether or not your location is ready (i.e. proper switch, POE available, etc.).
Security Tools Update
presented by Sean Schluntz, OAAIS - Enterprise Information Security
Presentation: Security Tools Update (application/vnd.ms-powerpoint, 336.4 kB)
PGP
PGP pilot will begin before end of this year. It will be in production by the end of January. Open a ticket if you would like to participate in the beta.
MyAccess/RADIUS
EIS will help departments configure access points to use RADIUS authentication. So far, Apple and Cisco access points have been tested successfully.
Tripwire
Tripwire is a piece of software that monitors for change in a file system or system configuration. Tripwire is centrally funded and licensed, and available for free to all UCSF users. Tripwire Enterprise is the current version. If you are currently using older versions, EIS encourages you to upgrade to Tripwire Enterprise. If you would like to start using it, submit a ticket to EIS. Provide as many details about your environment as possible.
The product is widely used at UCSF; there are ~150 server copies, 30-40 copies of Tripwire manager.
Symantec Endpoint Protection
OAAIS is adopting Symantec Endpoint Protection as UCSF’s client security suite. The current version is faster than the combo of the three older products – Sygate, Sophos, and Spysweeper. The current version of SEP is much faster than earlier versions; performance used to be a real issue with SEP.
The licensing is centrally funded by OAAIS. SEP will be available for all computers used for official UCSF business, including home computers. EIS will begin a pilot by the end of the year. A standalone version will be made available to unsupported users / home users.
SEP supports web-based, decentralized administration. Some policies are set to meet UCSF standards, but others may be set at the discretion of the CSC.
SEP Q&A
- What is the age of the oldest computer tested in performance testing? – Latitude D400 with 1 GB and a slow HDD. The current version is much faster than last year's version.
- Is the update less intrusive than in earlier versions? – Yes, testing showed updates to be unintrusive. SEP tries to update itself during idle time. Updates are automatic.
- Is there a Mac client? – No, the Mac version is cost-prohibitive -- $6.85 for SEP renewal vs. ~$1.80 for Sophos. OAAIS will continue to support Sophos for the Mac.
VPN
Vpn.ucsf.edu is about to get a new look. It will make it more clear that you are to enter your MyAccess credentials.
Snow Leopard and Windows 7 are not currently supported. While they may actually work, there is no vendor or OAAIS support for them.
VPN will pass MyAccess credentials through to the MyAccess portal, so users won’t need to log in twice. Single sign-on does not work with Network Connect.
UCare Status
presented by Larry Lotenero, Medical Center IT
The Medical Center entered a joint development agreement with GE Systems 4 years ago to develop a new pharmacy system. The system went live at the beginning of this year, and they found that there were more bugs than GE was able to fix. There were so many unresolved issues with the module that, by the end of July, Medical Center had to call off the agreement. This is one of many problems they have had with GE Systems.
Medical Center IT has brought in consultants for strategic planning. They're currently interviewing staff to find out what type of clinical system we need, what's available in the market, etc. MCIT will release an RFP for a replacement system soon.
The GE development group is being downsized since the project is off. No further development is taking place. Everything currently in production will stay in production for several years. MCIT is evaluating 25-30 other projects, to determine how much effort they require and how long they will be in use.
Q&A
- What is MCIT doing for EMR for outpatient clinics? – GE is very weak in this area. We were using inpatient for ambulatory clinics. Whatever new system is selected, ambulatory and inpatient modules will be considered to be of equal importance. In addition, the vendor will need to recognize that research is important at UCSF. Most vendors are weak on the research piece; MCIT plans on leveraging Michael Kamerick’s work in the area of clinical research.
- Will the same EMR be used at Parnassus and at the new Children's hospital? – Yes, absolutely.
UC-wide IT Agreements
presented by Liz Dittrich, OAAIS - Application Services
Presentation: UC-wide IT Agreements (application/vnd.ms-powerpoint, 155.6 kB)
VMware
presented by Brad Dispensa, Department of Anesthesia - Center for Cerebrovascular Research and Institute for Human Genetics
Presentation: http://clsqt1b.ucsf.edu/qtmedia/ITSM_091009_Dispensa_VMW.mp4 (requires QuickTime software)
We ran out of time for this presentation, but we are providing the presentation for reference.
Announcements
Join us next month for the 3rd Annual “State of IT at UCSF” panel discussion. Please email your suggestions for topics and panelists to itservicesmeeting@ucsf.edu.
