Risk management involves two discrete process areas: 1) risk analysis, and 2) risk monitoring and control. The identification of risks and their quantification (risk analysis), and the identification of countermeasures to reduce or eliminate threats (risk monitoring and control), play an important role in achieving service continuity and reaching desired service levels for the DSAES audience.
Risk Management at the Division of Student Affairs & Enrollment Services
The risks are listed in Appendix C and are associated only with critical services that have either a high impact or a high probability of failure. Additionally, the Security Risk Assessment for Enrollment Services, which was completed early in 2016, is available in Appendix D of the IRM Plan.
IT Service Continuity Management at the Division of Student Affairs & Enrollment Services
The DSAES IT Services Continuity Management Plan is modeled after the University of Houston Information Technology service continuity plan that covers University-at-large IT assets and services. The DSAES plan is focused on the continuity of IT assets controlled by the DSAES and not those managed or owned by other divisions or the University itself. The current DSAES IT Services Business Continuity Plan is available in Appendix E of the IRM Plan.
All software purchases are centralized and go through DSAES IT Services. Software is purchased in accordance with University MAPP purchasing procedures through business services. Software is reviewed regularly by DSAES IT Services to ensure it is current and meeting the goals of the division. The DSAES IT Services personnel (technology manager and information security officer) have p-card authority to purchase IT equipment and software. Most transactions are done with a p-card; a transaction is handled through a purchase order only if the amount is over $5,000.
- Purchases of software that require an annual renewal of subscription or are cloud-based will be the sole responsibility of the requesting department (i.e. the Adobe Creative Suites).
Software Maintenance (License Management)
The DSAES IT Services department maintains software licenses and is responsible for property management of the software. DSAES IT Services installs and verifies proper installation and operation. DSAES staff primarily use software installed under the University site license. Individual software licenses (specialized) are also maintained by the DSAES IT Services and renewed as needed.
Software Inventory (MAPP 03.03.03)
DSAES IT Services maintains the inventory of licenses in a local spreadsheet accessed only by DSAES IT Services. All software purchases are centralized and are requested through the DSAES IT Services department. Software inventory is kept up-to-date by DSAES IT Services in a spreadsheet maintained by both the DSAES IT Services manager and the ISO. An annual practice of software inventory will be implemented by the Division in the near future. In addition, the division is implementing the Microsoft client management solution System Center Configuration Manager in collaboration with UIT, which will produce a software inventory of all the machines in the Division.
Software Disposal (MAPP 03.03.05)
Most software is downloaded from vendors’ sites or through the UIT software site. Software is copied to digital media and shared drives when it is used for installation purposes. If the software is outdated or no longer needed, the folder in the shared drive is deleted. If the media (CD/DVD) exists and the software is outdated or no longer needed, the CDs or DVDs are shredded or disposed of. If the software can still be used, it is occasionally given away to staff, license agreement permitting, and is removed from the software inventory.
All hardware purchases are centralized and go through the DSAES IT SERVICES Department. Purchases are made in accordance with University MAPP guidelines. New staff is provided with standardized technology used by the division, which is based on their job requirements. Most desktop hardware is Dell; these are purchased through the University purchasing site and DIR vendors when possible.
All DSAES employees are assigned one computer to serve as their primary work station. The computer options include either a traditional desktop or a laptop with a docking station.
- Unless approved by the department’s appropriate Assistant Vice President, all DSAES employees will only be assigned one computer.
- Laptops or other computer equipment may be reserved through DSAES IT as needed for temporary use.
Digital Tablet Acquisition
All digital tablet purchases must be approved by the DSAES IT SERVICES department and each department’s appropriate Assistant Vice President. The use of this equipment is restricted to specific department use only. All tablet purchases are funded solely by the requesting department. All maintenance, including required software updates, is managed by the individual department.
Per UIT recommendations, personal desktop printers are generally prohibited. However, employees whose positions require the printing of confidential information are allowed to have these printers with approval from their respective department head under the following conditions:
- The purchase and maintenance (i.e. ink and toner purchase and replacement) of desktop printers are the sole responsibility of the individual department
- DSAES IT Services will be available to support network or connection issues related to all printers
Hardware Replacement Cycle
DSAES has a 4-year replacement lifecycle. Budget is allocated accordingly, and equipment is replaced following a cascading replacement plan.
DSAES IT SERVICES conducts a yearly inventory of all UH tagged hardware. This inventory is performed in accordance with University Property Management directives and protocol. All desktops come pre-tagged from Dell. Portable equipment (laptops and handhelds), even when below the university price threshold, is tagged by DSAES IT SERVICES. There are several property custodians of IT assets in the Division. Each DSAES department is assigned a property custodian who is responsible for managing all department-specific inventory.
Disposing of Hardware
DSAES departments’ disposal of inventoried equipment should follow MAPP and University Property Management policies. DSAES IT SERVICES directs staff to comply with MAPP 10.05.03 to ensure all sensitive data is stored and protected appropriately. When disposing of desktops and laptops, hard drives are subject to industry-grade data wiping software prior to being sent to UH property management, following UIT Support Center recommendations. Non-inventoried/non-tagged hardware and furniture are disposed of using University Property Management or recycled.
DSAES IT Services requests that staff and student organizations consult with DSAES IT Services prior to connecting any device to the UH network either through a wired, wireless, or tunneled (i.e. VPN) connection. DSAES IT SERVICES recommends staff and student organizations use the UHSecure wireless network rather than UHWireless when connecting to the UH wireless network.
MAPP policy 10.03.04 is enforced by the DSAES ISO. Any device connected to the University network is subject to a hardware/software audit by the College Information Security Officer to safeguard against viruses, malware, sniffers, and other network threats. The DSAES ISO may ask UIT to disconnect and block any device deemed to be adversely affecting the College network or data integrity.
DSAES IT SERVICES encourages staff to store data that needs to be backed up in the shared drives physically located at the UH Computing Center. Server backups of shared drives are done by UIT following centralized practices. Desktops/laptops are backed up using TSM services, but only the ones belonging to directors and executives are backed up with TSM.
DSAES IT SERVICES provides technology training to staff, as needed. The DSAES IT SERVICES staff maintains technology knowledge and skill through attendance at UIT sponsored training sessions, technology partner program workshops, and local, regional and/or IT Professional conferences.
Access to DSAES information is controlled primarily through DSAES file shares.
The DSAES also uses SharePoint. For data stored on faculty and staff workstations, that faculty or staff member also assumes the data custodian role for that data and is responsible for ensuring its security and backups. All faculty and staff are advised to run Identity Finder on their respective machines to ensure that no sensitive data is being stored on them. DSAES IT Services completed running Identity Finder on all DSAES machines in Fall 2013; an annual follow-up process will be conducted in collaboration with UIT Security.
All DSAES servers are managed by the UIT personnel, and are located in the UH Data Center. Data backups of DSAES servers located at the UH Data Center are UIT’s responsibility, and covered by a service level agreement (SLA).
All day-to-day IT operations are currently managed by Lawrence Daniel, Director of DSAES IT Services, and Sam Nguyen, Manager of Division Info Services.
Security incidents are reported by faculty/staff to the DSAES ISO. All security incidents, whether actual or potential, are reported by the DSAES ISO to the DSAES IRM and the DSAES UIT Security group. The DSAES ISO works closely with UIT Security to conduct an incident investigation. The DSAES ISO follows all guidelines and recommendations provided in MAPP 10.05.02 when reporting security incidents.