IT Services Transition Weekly Program Management Working Session February 28, 2011 | Monday | 1:00 – 3:00pm
Page 1

IT Services Transition Weekly Program Management Working Session

February 28, 2011 | Monday | 1:00 – 3:00pm

Page 2

Agenda

• IT Security
  – Overview of List of "Services" identified to date
  – Discussion around Next Steps and Impacts on Other WGs / IT Service Areas (Jay Carter, Liz Egan, Christian Hamer)

• IT Service Delivery WGs: Checkpoint on 2 key templates
  – R1 Customer Input Summary
  – Enhanced IT Service Definition Template

• Foundational WGs: Round-robin status updates
  – Communications
  – HR
  – Finance

Page 3

IT Security WG Debrief

Page 4

IT Services Catalog - Security

• Agenda
  – Review approach to crossover services – RACI (Jay)
  – Review KC Advisor feedback and proposed principles (Liz / Jay / Christian)
  – Battle of the Catalogs: Multi-services vs. Bundled services (Jay / Christian)
  – University Obligations (Liz)
  – Next steps

Page 5

RACI Role Distinction

• Responsible

The entity that actually performs the work to achieve the task. There is typically one entity designated as Responsible, although others can be delegated to assist in the work required. Ongoing management and support.

• Accountable

The entity ultimately accountable for the correct and thorough completion of the deliverable or task, and the one to whom the Responsible entity is accountable. In other words, an Accountable entity must sign off (Approve) on work that the Responsible entity provides. There must be only one Accountable entity specified for each task or deliverable. Product management. Assure compliance and Approver sign-off.

• Consulted

Those whose opinions are sought and potentially influence outcomes; and with whom there is two-way communication. Assure compliance and Approver sign-off.

• Informed

Those who are kept up-to-date on progress, often only on completion of the task or deliverable; and with whom there is just one-way communication.

Page 6

IT Services Catalog - Security

Service: Secure code analysis

Description: Provide a toolset for system owners and administrators to analyze static and dynamic code and deployed web applications against common security vulnerabilities.

RACI (Responsible / Accountable / Consulted / Informed), as listed on the slide: IT Security; Administrative IT; Non-admin IT developers

Key Metrics:

Page 7

IT Services Catalog - Security

Service: Patch Management

Description: Provide administrators a mechanism to inventory managed endpoint devices for software patches installed and identify patches not installed. Validation includes verification of installation of applicable system patches against an established baseline.

RACI:
  Responsible: Infrastructure / Client Services / Administrative IT
  Accountable: Infrastructure / Client Services / Administrative IT
  Consulted: IT Security
  Informed: Customers

Key Metrics:

Page 8

Information Security Services – Advisor Feedback

• Only list what I can order
• Describe the service I will receive, e.g., what will you do for me?
• Flatten services to combine complementary services
• View through the eyes of the customer, not IT

Page 9

Information Security Services

Before Feedback:
• Policy and Compliance
• Protection Services
• Response Services
• Monitoring, Detection and Testing Services
• Security Compliance Consulting
• Remediation Guidance
• Security Education

After Feedback:
• Vulnerability Assessment, Penetration Testing and Code Analysis
• Digital Certificate Management
• Computer Security Incident Response and Digital Forensic Investigation
• Security Operations Center
• Security Consulting
• Security Education

Page 10

Information Security Service Catalog – 1st DRAFT

Columns: ID# | Service Name (core business svc bolded; supporting svc ital) | Service Description | Service Area | Provided To (Univ-wide / CA/FAS / Other Schools) | Est. Timeframe (existing/new) | Further Definition Req'd? ('grey areas') | Comments

S1 Policy and Compliance Services
  Description: Security and Privacy Policy development and management as needed to meet legal and regulatory requirements and the evolving needs of the University. The Service includes Communication to all Harvard communities, and management of related Compliance program(s).
  Service Area: IT Security | Provided To: Univ-wide Yes, CA/FAS Yes, Other Schools Yes | Est. Timeframe: Existing | Further Definition Req'd?: No

S1.1 Security Policy Program
  Description: Security Policy is a set of requirements for the protection of Harvard confidential information, including High Risk Confidential and other information whose protection is required by law or regulation. The Program includes maintenance and evolution of the existing Harvard security policies (HEISP and HRDSP) and development of new policies as required by changes in regulations, University requirements, and experience with existing policies.
  Service Area: IT Security | Provided To: Univ-wide Yes, CA/FAS Yes, Other Schools Yes | Est. Timeframe: Existing | Further Definition Req'd?: No

S1.2 Privacy Policy Program
  Description: Privacy Policy is a set of requirements for what information can be collected, shared, and used in various situations. The Program includes the maintenance and evolution of Privacy policy and development of new policies as required by changes in regulations, University requirements, and experience with existing policies.
  Service Area: IT Security | Provided To: Univ-wide Yes, CA/FAS Yes, Other Schools Yes | Est. Timeframe: New - by June 2012 | Further Definition Req'd?: No

S1.3 Security and Privacy Policy Communication
  Description: Outreach to ensure that individuals (faculty, staff, students) and service providers in the University community understand their responsibilities under University security and privacy policies.
  Service Area: IT Security | Provided To: Univ-wide Yes, CA/FAS Yes, Other Schools Yes | Est. Timeframe: Existing | Further Definition Req'd?: No

S1.4 Compliance Program
  Description: A program for ensuring that all Schools and Central units annually assess and report their compliance with University security and privacy policies as well as regulatory requirements.
  Service Area: IT Security | Provided To: Univ-wide Yes, CA/FAS Yes, Other Schools Yes | Est. Timeframe: Existing | Further Definition Req'd?: No

S2 Security Protection Services
  Description: Protection services include guidance and standards on authentication, identity management, and endpoint protection. Advise on and recommend tools/technologies such as firewalls, encryption, and patch management that help secure endpoint devices (from mobile devices to servers) and applications.
  Service Area: IT Security | Provided To: Univ-wide No, CA/FAS Yes, Other Schools Yes | Est. Timeframe: Existing | Further Definition Req'd?: No

Page 11

Information Security Service Catalog – 2nd DRAFT

Columns: ID# | Service Name | Service Description - Business Definition | Service Area | Provided To (Univ-wide / CA/FAS / Other Schools) | Est. Timeframe (existing/new) | Further Definition Req'd? ('grey areas') | With whom?

Vulnerability Assessment, Penetration Testing and Code Review
  Description: Scan IT hardware, Operating Systems, third-party software and web applications for security vulnerabilities, either on request or via a schedule. Present findings to resource owner and recommend remediation. Re-test to verify remediation effectiveness.
  Service Area: IT Security | Provided To: Univ-wide No, CA/FAS Yes, Other Schools Yes | Est. Timeframe: Existing | Further Definition Req'd?: No | With whom?: Acad IT

Digital Certificate Management
  Description: Manage Root Certificates assigned to Harvard University by an accredited external Certificate Authority, for example, VeriSign, GeoTrust, Thawte, etc. Manage the University's Certificate issuance service to issue/revoke a digital certificate for authorized hardware, applications, etc.
  Service Area: IT Security | Provided To: Univ-wide Yes | Est. Timeframe: Existing | Further Definition Req'd?: Yes

Computer Security Incident Response / Digital Forensic Investigation
  Description: Provide response services to a computer security event, for example, computer infected with malicious software, machine compromise, data breach, etc. Manage Incident Response effort. Investigate a computer security event to identify root cause, scope and escalation requirement. Provide reports and recommend mitigation and/or remediation where appropriate.
  Service Area: IT Security | Provided To: Univ-wide Yes | Est. Timeframe: Existing | Further Definition Req'd?: Yes

Security Operations Center
  Description: Aggregate security log data from infrastructure resources in real-time to monitor infrastructure resources and detect behavior consistent with a cyber attack, compromised machine, data breach, etc. Notify resource owner, and coordinate incident response.
  Service Area: IT Security | Provided To: Univ-wide No, CA/FAS Yes, Other Schools Yes | Est. Timeframe: New - by June 2012 | Further Definition Req'd?: No

Consulting
  Description: Provide subject matter expertise across the Information Security discipline, including: Policy, firewall rule analysis, secure architecture and engineering, risk assessments, Regulatory/Policy compliance and vendor compliance review.
  Service Area: IT Security | Provided To: Univ-wide Yes | Est. Timeframe: Existing | Further Definition Req'd?: Yes

Security Education
  Description: Maintain Security Awareness Education materials for faculty, students, staff and researchers, including printed materials, online learning modules, presentations and security product education.
  Service Area: IT Security | Provided To: Univ-wide Yes | Est. Timeframe: Existing | Further Definition Req'd?: Yes

Page 12

University Obligations

• Security and Privacy Policy
• University Compliance Management
  – Security, Privacy, HIPAA, FERPA, others?
• DMCA Management
• Law Enforcement Interaction

Page 13

Security Services Catalog – Next Steps

Define and refine consultative and core services

Address varieties of consulting

Define core platform

Finalize required and bundled services

High level review across all Service areas; address all required services

Page 14

IT Service Delivery WGs: Checkpoint on 2 Templates

Page 15

IT Service Delivery WGs

1. R1 Customer Input Summary (see separate .doc template)

• Confirm purpose

• Confirm target due date: 3/7, Monday @ COB

2. Enhanced IT Service Definition Template (see separate .doc template)

• Still under development

• Will email out @ end of day today

• Next steps: email back feedback / high priority additional changes; email clarification questions, too

Page 16

Foundational WGs: Round-robin Status Updates

Page 17

Program-wide Status Snapshot: Key Updates Only

Columns: Working Group | Notes on Updates | High-level Status | Key Issues / Open Items

Finance (Laurie Gamble)
  Notes on Updates:
  • Continued piloting a scenario service suggested by Eric D’Souza
  • Met with Gartner SMEs on Friday to understand related leading practices
  Key Issues / Open Items:
  • None reported

HR (Kelly Imberman / Kim Castelda)
  Notes on Updates:
  • Obtained approval from EVP Katie Lapp on new org structure + FY12 Funding Approach
  • CISO Search: posted CISO position last Friday; CTO Search: continuing to receive and screen resumes, and preparing for Wave 1 interviews
  • Continuing to work with Steering Committee to develop shared leadership competencies, specialized competencies, and related job descriptions – Client Services Service Area Leader next big priority, closely followed by Academic IT Service Area Leader Search and S&P Sr PMs (2 backfills)
  Key Issues / Open Items:
  • Standing issue: Immediate hiring needs occurring in tandem with org design impacting speed with which jobs can be posted; major staffing challenges on WG

Communications (Vaughn Waters)
  Notes on Updates:
  • Standing up comms infrastructure ~70% complete
  • Launched new iSite area for All-Staff Communications!
  • Published FAQs!
  • WG hiring update
  • New org naming contest
  Key Issues / Open Items:
  • Major staffing challenges on WG
  • 3-4 weeks behind on new org name contest (from original workplan and all-staff communications)

Steering Committee (Cathy Cho Yoo)
  Notes on Updates:
  • ~35% complete with detailed org planning
  Key Issues / Open Items:
  • None reported