Marshall University

Information Technology Council Meeting

September 18, 2009

Present:               Jan Fox, Deanna Mader, John Cummings, Arnold Miller, Jon Cutler, Allen Taylor, Kathy Saville, Tom Hankins, Jody Perry, Layton Cottrill, Lisa Heaton, Anita Lockridge, Garnet McKinley for Selah Wilson, Mary Ellen Heuton representing Selah Wilson, Gayle Ormiston, Dunnie Onasanya

Jan:                        Introduction to Information Technology Council.  This year the meetings will be shortened to one hour to better accommodate schedules and there will be no IT updates.

Review of corrected minutes:    Approved as amended

Password Policy:

Jan:                        We did well on the Deloitte and Touche IT audit with the exception of password policies.  When we implement this it will upset people when we start requiring updates to passwords. 

Jon:                        There is already a 90-day password policy, but we don’t have that policy in writing.  There is another component in the Banner system group in Active Directory that needs to hold their account to a higher standard.  We recognize that it is hard to apply to student accounts, but we need to protect administrative systems, especially on the financial side.  This is a proposed interim policy and the next part will be a more comprehensive policy that will take several meetings to work through.

Jan:                        Suggest that we need to change where it says Banner/Sungard to “Administrative Systems”. 

Allen:                    Suggest that we not get rid of the word Banner because some Administrative systems do not give us control of the password.  It will not cover R25 or Blackboard because they aren’t a financial system.

Jon:                        We will have a follow-up meeting for technical specifics.  We already have the IT administrative staff that is required to hold to higher standards. 

Arnold:                 This will be an interim policy with basic information.  Power users are confined to a small number of users with a stronger standard of use.  The auditor says we are doing the right thing, we just need a written policy.

Layton:                 Suggest that we call this an Administrative Procedure.

Limited Administrative procedure only applies to Banner.  We would add a higher standard for super users, such as Linux.  Changes voted and approved.

There is a typo on page 2

Jan:                        We will come back next time after you have taken this back to your groups and we will take a second reading and vote next time.

Information Security Policy

Jan:                        We are required to mirror the state policy but it did not match issues of higher education so we have had to draft our own policy.  As it is, it is very comprehensive.  Do we need something more abbreviated?  This one has to be a full policy.

Jon:                        We are dealing with threats and issues that address mobile devices and personal computers on the campus network.  It is easy for information to flow back and forth, but not easy to protect information.  Four to five information releases in the past year have been on the University web server.  We need guidelines for confidential and appropriate information in certain areas.  We hope to define groups and address what systems need to be included.  It will take change and education for user awareness.  What do we train users on?  Guidelines need to be clear to individuals.  We hope to get a consensus:  Do we continue with a comprehensive route or shorten the document?

Jan:                        This policy will take many meetings.  Please take this back to your areas.  We need to take this seriously and be proactive to protect the institution.  Please give us input the next time on how we want to deal with this policy.

Jon has made an inquiry to the HEPC to see if there are certain requirements we have to meet for them.  If there are other areas we need to include, please bring them to the next meeting. 

We may make this a short policy to the Board of Governors that references a more comprehensive document in the back end that we can tweak when necessary.  Universities have to have a balance and not be as locked down as the federal government.

Email/E-Discovery Discussion

Jan:                        If we get a FOIA request, any email can be handed over.  State government has strict rules on what is on the central servers.  We now have requirements for e-Discovery that you want to have available.

Layton:                 I will prepare a handout at the next meeting that outlines issues with e-Discovery. 

Email never goes away.  Anytime you put something in email it is subject to court subpoena and under FOIA it is discoverable.  We need to determine any exception if possible.  Court rules are structured so that everything is open.  We want to maintain as little as possible, but the basic framework is that you have to have a policy that follows institutional procedures and Civil Procedures.  If we don’t comply, we are subject to civil procedure violation.

Allen:                    The problem is that people use email as a document repository.  IM is also discoverable if available.  This also applies as we move into other tools such as blog discussions.  What we maintain in courses such as shared chats can also be deemed as discoverable. 

We need to have a procedure for maintaining Banner Extender information also.

All information we possess on University equipment in any form is public information.  The only person with any protection on this campus is Layton as university counsel.

Jan:                        There needs to be some procedure for document repository in the event a user leaves.

Jon:                        User education is needed to convey that personal users need to use common sense. 

Allen:                    Call record details and voice mail are also discoverable.

Jan:                        The next time we will deal with the issue of emergency guidelines and privacy issues with third party vendors for the emergency system.

Any policies or issues that need to be brought forth at a meeting need to come to Jan one week before the meetings to be included in the Agenda.

Garnet:                We recently made policy for Banner and allowed Bob Doroda to put people into the system on weekends and after hours.  BOC agreed and will bring this administrative procedure up to the ITC. 

Adjourned