IT Services Transition Weekly Program Management Working Session February 28, 2011 | Monday | 1:00 – 3:00pm.


Agenda

IT Security:
– Overview of the list of "Services" identified to date
– Discussion of next steps and impacts on other WGs / IT Service Areas (Jay Carter, Liz Egan, Christian Hamer)

IT Service Delivery WGs: Checkpoint on 2 key templates
– R1 Customer Input Summary
– Enhanced IT Service Definition Template

Foundational WGs: Round-robin status updates
– Communications
– HR
– Finance

IT Security WG Debrief

IT Services Catalog - Security

Agenda
– Review approach to crossover services – RACI (Jay)
– Review KC Advisor feedback and proposed principles (Liz / Jay / Christian)
– Battle of the Catalogs: Multi-services vs. Bundled services (Jay / Christian)
– University Obligations (Liz)
– Next steps

RACI Role Distinction

Responsible: The entity that actually performs the work to achieve the task. There is typically one entity designated as Responsible, although others can be delegated to assist in the work required. (Ongoing management and support.)

Accountable: The entity ultimately accountable for the correct and thorough completion of the deliverable or task, and the one to whom the Responsible entity is accountable. In other words, an Accountable entity must sign off (approve) on work that the Responsible entity provides. There must be only one Accountable entity specified for each task or deliverable. (Product management. Assure compliance and Approver sign-off.)

Consulted: Those whose opinions are sought and potentially influence outcomes, and with whom there is two-way communication. (Assure compliance and Approver sign-off.)

Informed: Those who are kept up to date on progress, often only on completion of the task or deliverable, and with whom there is just one-way communication.

IT Services Catalog - Security

Service: Secure code analysis
Description: Provide a toolset for system owners and administrators to analyze static and dynamic code and deployed web applications against common security vulnerabilities.
RACI (Responsible / Accountable / Consulted / Informed): IT Security; Administrative IT; Non-admin IT developers (the slide does not preserve which entity falls in which column)
Key Metrics: (none listed)

IT Services Catalog - Security

Service: Patch Management
Description: Provide administrators a mechanism to inventory managed endpoint devices for software patches installed and identify patches not installed. Validation includes verification of installation of applicable system patches against an established baseline.
RACI:
– Responsible: Infrastructure, Client Services, Administrative IT
– Accountable: Infrastructure, Client Services, Administrative IT
– Consulted: IT Security
– Informed: Customers
Key Metrics: (none listed)

Information Security Services – Advisor Feedback
– Only list what I can order
– Describe the service I will receive, e.g., what will you do for me?
– Flatten services to combine complementary services
– View through the eyes of the customer, not IT

Information Security Services

Before Feedback:
– Policy and Compliance
– Protection Services
– Response Services
– Monitoring, Detection and Testing Services
– Security Compliance Consulting
– Remediation Guidance
– Security Education

After Feedback:
– Vulnerability Assessment, Penetration Testing and Code Analysis
– Digital Certificate Management
– Computer Security Incident Response and Digital Forensic Investigation
– Security Operations Center
– Security Consulting
– Security Education

Information Security Service Catalog – 1st DRAFT

Columns: ID# | Service Name (core business service bolded; supporting service italic) | Service Description | Service Area | Provided To (Univ-wide / CA/FAS / Other Schools) | Est. Timeframe (existing/new) | Further Definition Req'd? ('grey areas') | Comments

S1 – Policy and Compliance Services
Description: Security and Privacy Policy development and management as needed to meet legal and regulatory requirements and the evolving needs of the University. The Service includes communication to all Harvard communities, and management of related Compliance program(s).
Service Area: IT Security | Provided To: Univ-wide (Yes) | Timeframe: Existing | Further Definition Req'd: No

S1.1 – Security Policy Program
Description: Security Policy is a set of requirements for the protection of Harvard confidential information, including High Risk Confidential and other information whose protection is required by law or regulation. The Program includes maintenance and evolution of the existing Harvard security policies (HEISP and HRDSP) and development of new policies as required by changes in regulations, University requirements, and experience with existing policies.
Service Area: IT Security | Provided To: Univ-wide (Yes) | Timeframe: Existing | Further Definition Req'd: No

S1.2 – Privacy Policy Program
Description: Privacy Policy is a set of requirements for what information can be collected, shared, and used in various situations. The Program includes the maintenance and evolution of Privacy policy and development of new policies as required by changes in regulations, University requirements, and experience with existing policies.
Service Area: IT Security | Provided To: Univ-wide (Yes) | Timeframe: New - by June 2012 | Further Definition Req'd: No

S1.3 – Security and Privacy Policy Communication
Description: Outreach to ensure that individuals (faculty, staff, students) and service providers in the University community understand their responsibilities under University security and privacy policies.
Service Area: IT Security | Provided To: Univ-wide (Yes) | Timeframe: Existing | Further Definition Req'd: No

S1.4 – Compliance Program
Description: A program for ensuring that all Schools and Central units annually assess and report their compliance with University security and privacy policies as well as regulatory requirements.
Service Area: IT Security | Provided To: Univ-wide (Yes) | Timeframe: Existing | Further Definition Req'd: No

S2 – Security Protection Services
Description: Protection services include guidance and standards on authentication, identity management, and endpoint protection. Advise on and recommend tools/technologies such as firewalls, encryption, and patch management to help secure endpoint devices (from mobile devices to servers) and applications.
Service Area: IT Security | Provided To: Univ-wide (No), CA/FAS (Yes) | Timeframe: Existing | Further Definition Req'd: No

Information Security Service Catalog – 2nd DRAFT

Columns: Service Name | Service Description - Business Definition | Service Area | Provided To (Univ-wide / CA/FAS / Other Schools) | Est. Timeframe (existing/new) | Further Definition Req'd? ('grey areas') | With whom? | ID#

Vulnerability Assessment, Penetration Testing and Code Review
Description: Scan IT hardware, operating systems, third-party software and web applications for security vulnerabilities, either on request or via a schedule. Present findings to the resource owner and recommend remediation. Re-test to verify remediation effectiveness.
Service Area: IT Security | Provided To: Univ-wide (No), CA/FAS (Yes) | Timeframe: Existing | Further Definition Req'd: No | With whom: Acad IT

Digital Certificate Management
Description: Manage Root Certificates assigned to Harvard University by an accredited external Certificate Authority, for example VeriSign, GeoTrust, Thawte, etc. Manage the University's certificate issuance service to issue/revoke a digital certificate for authorized hardware, applications, etc.
Service Area: IT Security | Provided To: Univ-wide (Yes) | Timeframe: Existing | Further Definition Req'd: Yes

Computer Security Incident Response and Digital Forensic Investigation
Description: Provide response services for a computer security event, for example a computer infected with malicious software, machine compromise, data breach, etc. Manage the incident response effort. Investigate a computer security event to identify root cause, scope and escalation requirement. Provide reports and recommend mitigation and/or remediation where appropriate.
Service Area: IT Security | Provided To: Univ-wide (Yes) | Timeframe: Existing | Further Definition Req'd: Yes

Security Operations Center
Description: Aggregate security log data from infrastructure resources in real time to monitor infrastructure resources and detect behavior consistent with a cyber attack, compromised machine, data breach, etc. Notify the resource owner and coordinate incident response.
Service Area: IT Security | Provided To: Univ-wide (No), CA/FAS (Yes) | Timeframe: New - by June 2012 | Further Definition Req'd: No

Consulting
Description: Provide subject matter expertise across the Information Security discipline, including: policy, firewall rule analysis, secure architecture and engineering, risk assessments, regulatory/policy compliance and vendor compliance review.
Service Area: IT Security | Provided To: Univ-wide (Yes) | Timeframe: Existing | Further Definition Req'd: Yes

Security Education
Description: Maintain Security Awareness Education materials for faculty, students, staff and researchers, including printed materials, online learning modules, presentations and security product education.
Service Area: IT Security | Provided To: Univ-wide (Yes) | Timeframe: Existing | Further Definition Req'd: Yes

University Obligations
– Security and Privacy Policy
– University Compliance Management – Security, Privacy, HIPAA, FERPA, others?
– DMCA Management
– Law Enforcement Interaction

Security Services Catalog – Next Steps
– Define and refine consultative and core services
– Address varieties of consulting
– Define core platform
– Finalize required and bundled services
– High-level review across all Service Areas; address all required services

IT Service Delivery WGs: Checkpoint on 2 Templates

IT Service Delivery WGs

1. R1 Customer Input Summary (see separate .doc template)
– Confirm purpose
– Confirm target due date: 3/7, COB

2. Enhanced IT Service Definition Template (see separate .doc template)
– Still under development; will be sent out end of day today
– Next steps: send back feedback / high-priority additional changes, plus any clarification questions

Foundational WGs: Round-robin Status Updates

Program-wide Status Snapshot: Key Updates Only

Columns: Working Group | Notes on Updates | High-level Status | Key Issues / Open Items

Finance (Laurie Gamble)
Notes on Updates:
– Continued piloting a scenario service suggested by Eric D'Souza
– Met with Gartner SMEs on Friday to understand related leading practices
Key Issues / Open Items: None reported

HR (Kelly Imberman / Kim Castelda)
Notes on Updates:
– Obtained approval from EVP Katie Lapp on new org structure + FY12 Funding Approach
– CISO Search: posted CISO position last Friday; CTO Search: continuing to receive and screen resumes, and preparing for Wave 1 interviews
– Continuing to work with Steering Committee to develop shared leadership competencies, specialized competencies, and related job descriptions – Client Services Service Area Leader is the next big priority, closely followed by Academic IT Service Area Leader search and S&P Sr PMs (2 backfills)
Key Issues / Open Items: Standing issue: immediate hiring needs occurring in tandem with org design, impacting the speed with which jobs can be posted; major staffing challenges on WG

Communications (Vaughn Waters)
Notes on Updates:
– Standing up comms infrastructure ~70% complete
– Launched new iSite area for All-Staff Communications!
– Published FAQs!
– WG hiring update
– New org naming contest
Key Issues / Open Items: Major staffing challenges on WG; 3-4 weeks behind on new org name contest (from original workplan and all-staff communications)

Steering Committee (Cathy Cho Yoo)
Notes on Updates: ~35% complete with detailed org planning
Key Issues / Open Items: None reported