TIPS

Team to Improve Productivity at Stanford

November 19, 2008

Information Security: Data Classifications; Review of Draft TIPS Charter

Location: Hartley Conference Room, Mitchell Earth Sciences Building

Meeting Schedule

8:00 - 8:30 am
Informal networking over refreshments.
8:30 - 8:40
Welcome, Announcements
Elizabeth Lasensky, TIPS Chair
8:40 - 9:20
Draft Data Classifications
Tina Darmohray, Chief Information Security Officer
9:20 - 10:00
Review of Draft Revised TIPS Charter
TIPS Re-Charter Working Group

Meeting Notes

Welcome, Introductions, and Announcements

TIPS Chair Elizabeth Lasensky welcomed everyone and had everyone introduce themselves, noting the organizations in which they work.

Elizabeth then described the purpose of the red tablecloths and fancy breakfast. The special arrangement was in honor of Jane Marcus's last official TIPS meeting, and Elizabeth thanked her for her contributions to TIPS. A plaque was presented to Jane, which reads:

"In appreciation for years of loyal service, for giving of yourself, for always going that extra mile, for the fun, the laughter, and the support you gave us. We'll never forget you. - Team for Improving Productivity at Stanford 2008"

Elizabeth then acknowledged Elma Buni for her hard work in arranging meeting locations and food orders. Thank you Elma.

Announcement: Lisa Forgatsch is the Grants.gov coordinator for the University, which means she updates everyone on new information about federal grant submission via the electronic Grants.gov system. Lisa announced that starting in January 2009, the NIH is requiring all applicants to use Adobe Reader 8.1.3 or 9.0, or their application won't go through. The National Institutes of Health is transitioning to Adobe forms in January and is requiring this new version. There was some concern about later versions of Adobe Reader or Professional not working with Oracle, and about the ongoing printing issues. Lisa will look into that situation.

Update (11/25/08): If folks have a problem downloading or printing ReportMart3 reports, they should be directed to the Stanford ESS web site (http://ess.stanford.edu) to download the latest version of Adobe Acrobat Reader, which is 8.1.3. This latest version should be safe. Also, along the same lines, regarding the printing issues, CRC has reported that most issues are a result of the printer driver. If the drivers are upgraded, the problem is usually resolved. Folks should ask their IT support for help with either the reporting or printer issues.

For more information on the grants.gov forms, review the Grants.gov Computer Setup Information document online at: http://ora.stanford.edu/supporting_files/Grantsgov_Computer_Setup.pdf .

Draft Data Classifications

Tina Darmohray, Chief Information Security Officer, started the presentation by speaking to the security issues regarding data on our personal computers. The Classification of Data is under development. The existing classifications, along with more specific examples of Restricted Data, can be reviewed at http://www.stanford.edu/group/security/securecomputing/dataclass_chart.html.

The University environment is one of the toughest places to be when it comes to security of information. A string of incidents happened over the summer of 2008. A laptop was stolen that contained sensitive data. The incident cost the University over two million dollars. Two weeks later, another laptop was removed from a cubicle. Fortunately for Stanford, the second laptop was recovered. The suspect did not wipe the hard drive clean, and the laptop had BigFix on it, which meant that the next time BigFix called back to the Stanford network, the IP address was tracked and the location of the laptop was discovered. Senior management is very supportive of the effort to prevent sensitive data from getting into the wrong hands.

The University, in partnership with ITS, is looking into an encryption service. The goal is to not have prohibited data on personal machines. If you get permission to have prohibited data on your computer, it must be encrypted. There's more information about this on the securecomputing.stanford.edu web site.

As for employee records and student records, the Information Security Office is working with Stanford's General Counsel to get the guidelines for retaining that stored data into the "Restricted" column of the guidelines. With regard to University business, there have been discussions about using non-Stanford email; however, there are security and privacy concerns with that as well.

As a user community, we can use secure encrypted email, but that can be very cumbersome. In order to use unencrypted email back and forth to each other on campus, everybody has to be on board with the requirement that mail remain on the Stanford network.

Tina responded to a number of questions and statements:

  • Q. What about the work from anywhere initiative? Users may not necessarily be using a Stanford laptop or network.
  • A. Users really need to have their data encrypted. They should work with their IT professionals to help with the encryption of the data if it is restricted data.
  • Q. What about smaller units to set up a secure server?
  • A. You can get help from your local IT support. Your IT support can follow the PCI-DSS guidelines to configure your server and that will be safe and compliant to store Restricted data.
  • Statement: We log into a server on campus so nothing remains on our local machines.
  • Tina responded that that is a great way to do it.

The Department of Public Safety hosts a Security Education Program. Tina also pointed out that Public Safety has identified that laptops are stolen more often.

A discussion about email started. Administrators have received complaints from faculty and students that although our email is secure, there's not enough space on Stanford email servers. Faculty and students want to use email services such as Gmail or Yahoo that offer unlimited space. But those email programs are not secure to University standards, and it's actually a violation to use them, especially if transmitting what could be sensitive data.

Elizabeth stated that TIPS could come up with suggestions about how to work differently to ensure that restricted data is not living on local machines and asked, "Is there any reason we can't keep everything on a local server?" The answer was no. What about paper and the data that is on it from downloads or printouts? Printouts are not as much of a concern because you have to be physically on campus to have access to them, as opposed to acquiring data via the network; they should be treated like sensitive electronic data. Folks should be careful not to print to a networked printer on campus while they are working from anywhere.

Also, be aware that the Security office has a program that scans your hard disk for restricted-type data. For information about this program, contact Tina or the security office.

Tina then asked the group to think about this topic and if they want her group to come out and talk to individual groups about advice on secure desktops, they could send Tina email at: security@stanford.edu or tmd@stanford.edu.

Review of the Draft Revised TIPS Charter (TIPS Re-Charter Working Group Update)

Elizabeth led the discussion of the TIPS re-chartering effort. She reminded everyone that TIPS aims to re-charter through the UMG every five years. Since we are at the five-year point, we have been reviewing the existing charter and how it needs revision. In addition, the relationship between TIPS and the University Management Group has changed, and we are focused on re-establishing that relationship by way of the new charter.

Elizabeth then acknowledged the working group members who have been meeting on a bi-weekly basis to work through the existing charter. She thanked the group for their efforts.

A handout of the charter with its intended revisions was distributed and the group reviewed it.

  • Items in yellow=significant changes to original charter
  • Items in turquoise=ways staff can be involved
  • Red=to do items

Since TIPS has changed its focus, we are looking at how we view the business processes. We also see TIPS as an avenue to promoting leadership development.

Working groups

Jo-Ann described the concept of the TIPS Working Groups and how the participation in a working group gives the member an opportunity to have their voice heard. It's a great way to be a part of significant University-wide decisions that may make an impact on how we do business at Stanford.

Mission Statement

There are two new items in our mission statement that reflect the fact that we are not so systems focused as before. The new items are to focus on business processes rather than systems and that TIPS should provide leadership opportunities to Stanford staff.

Objectives

Partner with other University groups. The implication is to partner with groups like Admin Systems. They have little advisory groups for applications like PeopleSoft. TIPS used to be involved. UMG wants TIPS to be more involved in those advisory groups.

Operating Guidelines

We want to promote the attendance of these TIPS meetings "from anywhere" by way of WebEx or other means that will work best. A statement was made that the Stanford Professional Development group already has some rooms equipped to do this and we could take advantage of using those rooms for broadcasting our meetings. We would like to have Hartley equipped for web broadcasting going forward.

Participation

Jane commented that the lowest and broadest level of participation is to come to meetings. The next way people can be involved is by participating in working groups. And then the Core Reps, who are appointed by their Administrative Deans, are the highest level of participation and will be treated a bit differently, as they will actually have core rep job descriptions.

General Discussion

The TIPS Core Representative is appointed for one term of 2 years then someone else is to be appointed. That might be a problem with smaller units. Even though we have larger departments within a school, only the Finance dept has taken on the role of TIPS representation. So could it be possible to continue one person for several terms or insist that a different member of an area be appointed?

One member stated that other organizations rotate terms. They have a core rep for one term, then someone else for the next term, then back to the original core rep(s).

Then the question was raised, "Can we have an 'at large' core rep?" The Chair answered, "Depending on how the unit functions."

Things Left To Do

The working group still needs to develop a job description for Core Reps. The working group is also updating Working Group guidelines and hopes to finalize the mission and charter in the next months. With the holidays coming up, our hopes are to have the Mission and Charter completed in the Winter Quarter.

Elizabeth thanked everyone for coming and reminded the group that there is no TIPS meeting in December. Have a great holiday and see you in January of 2009! The meeting was adjourned.

Attendees

  • Marjorie Alfs, Center for Integrated Systems, School of Engineering
  • Laura Bridge, Engineering
  • Elma Buni, IT Services
  • Chris Crismon, Mechanical Engineering
  • Jo-Ann Cuevas-Pagliaro, IT Services, Campus Readiness
  • Sherann Ellsworth, School of Engineering, Aero/Astro
  • Priscilla Fiden, Psychology
  • Christine Fiksdal, Computer Science
  • Stacy Fredericksen, School of Humanities and Sciences, Kozmetsky Global Collaboratory
  • Carla Hanawalt, OOD
  • Justin Higinbotham, Introduction to the Humanities Administrator
  • Ammy Hill, IT Services
  • Caroll Johnson, School of Education
  • Cindy Kogura, OOD
  • Rayna Krohn, Controller's Office, Business Operations
  • Elizabeth Lasensky, Dean of Research
  • Phoenix Liu, School of Education
  • Jane Marcus, IT Services
  • Robbi Mees, Controller's Office
  • Lisa O'Brien, GSB, Facilities
  • Dana Parga, School of Engineering
  • Susan Phillips-Moskowitz, Geophysics
  • Najwa Salame, Stanford Humanities Center
  • Jennifer Sexton, Athletics
  • Manju Smith, Administrative Systems
  • Lisa Teresi-Forgatsch, Research Administration, ORA
  • Rosenna Yau, Physics