2019 CISOA Brain Dump

What Every California Community College CISOA/CIO/CTO Should Know

I participated in a year-long California Community College Chief Information Officer’s Certification Training in Sacramento in 2016–2017. The program was developed to train IT professionals in the art of leading and managing technology organizations in the California Community Colleges. It was an incredible opportunity to work with a cohort of Community College technology leadership and to be mentored by CIO/CTOs across the state. The series of intensive weekends covered the expectations and skills required to become a Chief Information Systems Officer (CISO).

I compiled my notes and added additional information from the recent CISOA 2019 conference as well as relevant Educause articles to make a comprehensive reference for myself and other CISOA participants. The following is a list of responsibilities expected of a California Community College CIO/CTO/CISO. The list is daunting, and in colleges with limited financial resources, you may be wearing multiple hats. If you have a larger team, you may be overseeing the work of staff responsible for these areas. Regardless of your resources, in order to be effective in your position, you will need to be familiar with everything listed below.

Accreditation

  • Standard IIIC — Every California Community College goes through an extensive accreditation process, and you will be involved in assisting with Standard IIIC. Familiarize yourself with that standard and make sure your IT department has the processes in place to meet the expectations of the accrediting teams.
  • Technology Strategic Plan — You should always have a current plan spanning 3–5 years about the technology strategy and how it aligns with the college strategic plans.

Administrative Systems (ERP)

The ERP system stores all student, employee and financial data. It typically runs on one of these four popular systems. A portion of your IT team will be supporting Administrative Systems, which includes your ERP and everything that integrates with, reports on, or needs access to its data.

  • Ellucian Banner
  • Ellucian Colleague
  • PeopleSoft
  • Workday

Backups

  • Server Backups
  • Backup & Recovery Process
  • Physical Location & Security of Backups
  • Backup Retention Policy
  • Quality Control with Backup (dealing with corruption)
  • Employee Backups
  • Encryption
  • Cloud or External Drives?
  • Ensuring you have all Employee data & backups when they leave

Board of Trustees

  • You should always read the board packet & minutes
  • Always know what the board priorities are and keep track of new contracts and initiatives. Almost everything indirectly impacts ITS because technology has become central to most business practices.
  • Check the Board Agenda to ensure nothing is being discussed that requires IT involvement
  • Items being added to the Board Packet typically need to be on the agenda almost two weeks prior
  • Familiarize yourself with the Brown Act

Budget

  • Familiarize yourself with your college annual budget report
  • IT Budget
  • Understand the different types of funds, one-time monies, bond, innovation, etc…
  • If you are overseeing a District, understand how shared software and technology are budgeted

Business Continuity & Disaster Recovery

Business continuity is ensuring that essential systems keep running regardless of catastrophic technology issues.

  • Perform a risk assessment to identify weaknesses
  • Hardware & Network Redundancy
  • DR failover strategy, plans, workflow, drill, post-mortem and plan revisions
  • Who should be involved in ensuring business continuity and in what role?
  • Who needs to be informed when we experience issues and what is the best way to communicate with them?
  • Considerations
  • Physical locations on or off campus.
  • Virtual locations (address security and privacy concerns)
  • Cloud resources (address security and privacy concerns)
  • Availability of sufficient communications: excellent/redundant/multi-vendor cell capacity, landlines, internet bandwidth from more than one vendor over physically separate supply paths (not all coming through the same conduit or following the same route), and satellite access.
  • Availability of alternative power sources — generators with adequate fuel supply and delivery. (Natural gas is ideal, if available, as long as the location is not prone to flooding, hurricanes, tornadoes, or earthquakes. It minimizes delivery issues.) Multiple suppliers should be contracted for other types of fuel supply. Remember that generators need routine maintenance and testing.
  • Sufficient physical access during emergency situations (not located along a major evacuation route, yet highly accessible).
  • Proximity to locations that contain hazardous material, or are near river banks/flood plains, avalanche zones, mudslide zones, frequent forest fires, or earthquake-prone locations.

CISOA (attend the 3CBG/CISOA Conference)

  • Get on the email distribution lists
  • Familiarize yourself with what is offered by the State Chancellor’s Office and how it impacts us

Colleges

  • Familiarize yourself with the colleges’ strategic goals and ensure your technology strategic plans are in alignment.
  • Understanding all the services and support that the IT department provides the colleges
  • Participating in College Committees
  • Find out the expectations of ITS from the Colleges
  • Importance of understanding and supporting college initiatives but allowing items to be properly vetted through the college administration.
  • Familiarize yourself with College business processes for purchasing technology
  • In a College district, the importance of trying to get consensus from multiple colleges to avoid redundant work
  • Understanding the big picture and college dependencies (example: knowing that if A&R makes a change it will break something in Financial Aid)
  • Consistently manage college technology expectations, negotiate priorities based on existing project lists, and do not make uninformed promises.
  • Respect the hierarchy; never overstep your administration. Offer suggestions or solutions and provide consultations.
  • Respecting the faculty, staff, and students. You are part of an ecosystem reliant on each other for the success of the organization
  • Familiarize yourself with Title V & Ed Code to ensure compliance when implementing technology solutions.

Compliance

  • Have an awareness of relevant regulations/laws.
  • Awareness of relevant policies: review the board policies and procedures and take note of the items that apply to technology or information.

Citation: Compliance Management | EDUCAUSE. https://www.educause.edu/focus-areas-and-initiatives/policy-and-security/cybersecurity-program/resources/information-security-guide/compliance-management

  • Awareness of relevant contractual agreements. (Do you know what agreements your institution has made that impose conditions on the use of data?)
  • Knowledge of relevant standards or best practices. (Do you know what standards or best practices your institution chooses to follow with respect to information use?)
  • Data Retention Policies and management of institutional records (Do you know what you need to keep and for how long?)
  • Awareness of how records are managed by your institution.
  • Approach to complying with each item. (Do you know what your organization is doing to follow the law?)
  • Awareness of internal and/or external audit activities. (Do you know what internal/external audits exist and what is required to meet or pass these reviews?)
  • Awareness of Federal Laws on Data Security
  • Family Educational Rights and Privacy Act (FERPA)
  • Payment Card Industry Data Security Standards (PCI DSS)
  • Financial Services Modernization Act of 1999 (Gramm-Leach-Bliley Act; GLB Act; GLBA) Safeguards Rule
  • Fair and Accurate Credit Transactions Act of 2003 (FACT Act; FACTA) which amended the Fair Credit Reporting Act (FCRA), and amendments thereof, including Red Flags Rule (Identity Theft Prevention Program)
  • Standard Confidentiality Agreement or Statement
  • Higher Education Opportunities Act of 2008 (HEOA) Technology Mandates (Including illegal peer-to-peer file sharing, emergency notification, and distance education student verification.)
  • International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) (e.g., Baylor University’s Export Compliance Policy and Purdue University’s Export Control Regulations)
  • Digital Millennium Copyright Act (DMCA)
  • Awareness of Federal Laws on Privacy

Citation: Privacy | EDUCAUSE. https://www.educause.edu/focus-areas-and-initiatives/policy-and-security/cybersecurity-program/resources/information-security-guide/privacy

  • The Family Educational Rights and Privacy Act of 1974 (FERPA): Designed to protect students and their families by ensuring the privacy of student educational records.
  • Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.
  • The Gramm Leach Bliley Act of 1999 (GLBA): Imposes privacy and information security provisions on financial institutions; designed to protect consumer financial data.
  • Federal Policy for the Protection of Human Subjects (“Common Rule”): Published in 1991 and codified in separate regulations by 15 federal departments and agencies, outlines the basic ethical principles (including privacy and confidentiality) in research involving human subjects.
  • The Children’s Online Privacy Protection Act (COPPA): Governs the online collection of personal information from children under the age of 13.
  • The Fair and Accurate Credit Transaction Act of 2003 (FACTA, or “Red Flags Rule”): Requires entities engaged in certain kinds of consumer financial transactions (predominantly credit transactions) to be aware of the warning signs of identity theft and to take steps to respond to suspected incidents of identity theft.
  • The Privacy Act of 1974: Specifies the rules that a federal agency must follow to collect, use, transfer, and disclose an individual’s personally identifiable information (PII).

Curriculum

  • Curriculum Workflow
  • Catalog Rights
  • Counseling
  • Degree Audit

Data Management

Citation: Asset and Data Management | EDUCAUSE. https://www.educause.edu/focus-areas-and-initiatives/policy-and-security/cybersecurity-program/resources/information-security-guide/asset-and-data-management

  • Sensitivity Level — An institution should be classifying data as to sensitivity to assure that proper security protection is in place appropriate with the given data set. EDUCAUSE has excellent materials, including the Data Classification Toolkit.
  • Retention Period — Consistent with records management practices, an institution needs to be aware of the period in which data is to be retained, to ensure that data’s availability and integrity for that retention period.
  • Data Utilization — In every part of an institution that controls a given data set, appropriate procedures for how that data is utilized must be established. This includes access restrictions, proper handling, logging, and auditing.
  • Data Backup — How an institution creates backup copies of data and software is a critical element. Procedures need to be in place that memorialize and verify the implementation and inventory of backup copies.
  • Management of Storage Media — Processes to ensure proper control of storage media, including restrictions of types of media, audit trails for movement of media, secure disposal of media no longer in use, and redundant storage.
  • Electronic Data Transfers
  • Disposal of Media
  • FERPA — Are we compliant? Who has access to what? Why do they have access? What is the workflow to remove access?
  • Databases — Oracle, Microsoft SQL Server, MySQL, etc…

Disaster Preparedness

  • Ensure you have a radio linked to Public Safety
  • Find out evacuation procedures, drills and how to ensure the safety of your staff
  • Location of First Aid, AED, Fire Extinguisher
  • NIMS/SIMS/ICS training for Disaster Preparedness
  • Emergency Alert & Emergency Response System
  • Digital Signage
  • Panic Buttons

Educause

  • College .edu domains provided by Educause
  • An excellent resource for Listservs, Conferences and User Groups

Evidence Discovery

  • Understand approvals & workflow for evidence collection
  • Working with your County Counsel (legal counsel) on all evidence requests
  • Validating Subpoenas
  • Forensics
  • You may be called to testify at trial on how the data was collected. From the moment the request is made you need to follow a formalized process and assume every move you make may be scrutinized.

Funding

  • Understand the college funding formulas
  • Understand State Apportionment vs. Basic Aid and where your college stands
  • Grants
  • Bond Measures

Help Center & Support Services

  • Helpdesk Ticketing System
  • Helpdesk Inventory
  • Helpdesk Knowledgebase
  • Equipment Replacement Schedule
  • Technology Standards
  • Technology Planning in Construction Projects
  • Technology Advisory Committees
  • Computers, Laptop & Tablets
  • Media Services
  • Phones
  • Digital Signage
  • Smart Classrooms
  • Printers
  • Projectors
  • All Electronics (TVs, external hard drives, microphones, mice, keyboards, headsets, etc.)

Identity Management

  • Account Provisioning Processes
  • LDAP/Active Directory
  • Syncing Directories with your ERP system
  • Single sign-on (SSO)
  • State Chancellor’s Office SSO Proxy
  • 2-Factor Authentication
  • Practices for disabling accounts

Incident Management and Response

  • Monitoring your systems
  • System outage notifications
  • Response workflows
  • Proactive notifications
  • Notification fatigue: reducing false positives

Management (General)

  • Personnel Action Forms (PAFs)
  • Time-entry approval
  • Leave Requests
  • Overtime & Comp-time process
  • Mileage
  • Conference Expenses
  • Staff Development
  • Staff Evaluations
  • Discipline Procedures
  • ADA/Workers’ Comp
  • Liability
  • CSEA Contract — Need to understand the union rules and ensure you stay in alignment with their contract to avoid grievances.
  • Hiring orientation: ensure IT is included in new hire orientations
  • Understand AB 806 and the 50% Law — and how it impacts college hiring
  • New Employee IT Requests (workflow for setting up accounts, email, phone, etc.)
  • Exit Process (ensuring you get college-owned property, disable access and change passwords)

Network

  • CENIC provides internet connectivity — https://cenic.org/
  • Hubs, Switches, Routers
  • Segmenting Networks
  • Wireless
  • Firewall
  • Network Security — External, Internal & Lateral

Policy & Processes

  • Rules & Regulations
  • Understand your college purchasing procedures
  • Procard Policies
  • RFP
  • When do you need to get approval from the Board of Trustees
  • Acceptable Use Policy — AP 3720 (an existing standard you can adopt that is kept updated for you)
  • Creating policies in a shared governance environment. The proper channels and approvals.
  • Familiarize yourself with AB 1725

10+1 — Faculty must have involvement in these 11 areas

  • Curriculum, including establishing prerequisites and placing courses within disciplines
  • Degree and certificate requirements
  • Grading policies
  • Educational program development
  • Standards or policies regarding student preparation and success
  • District and college governance structures, as related to faculty roles
  • Faculty roles and involvement in accreditation processes, including self-study and annual reports
  • Policies for faculty professional development activities
  • Processes for program review
  • Processes for institutional planning and budget development
  • Other academic and professional matters as are mutually agreed upon between the governing board and the academic senate
  • Understand the difference between a policy, standard, procedure, and guideline.

Citation: Security Policies | EDUCAUSE. https://www.educause.edu/focus-areas-and-initiatives/policy-and-security/cybersecurity-program/resources/information-security-guide/security-policies

  • Policies: The highest level of a governance document. Policies typically have general applicability and they rarely change (or are hard to change). They are leadership’s high-level statement of information security goals and expectations.
  • Standards: Standards state the actions needed to meet policy goals. They are more specific than policies and easier to update in response to changing circumstances. Often standards set the minimum level of action needed to comply with a policy.
  • Procedures: Procedures are often step-by-step checklists that are particular to a task, technology, or department. They are easily updated in response to changing technology or business influences.
  • Guidelines: Guidelines are documents that specify recommended actions and advice. Institutional employees may not be required to follow guidelines as part of their jobs, but the guidelines are shared in order to promote good information security hygiene practices. Guidelines are flexible and easily updated.

Program Review

  • Accreditation requirement
  • Each college does it differently
  • Colleges need to have self-assessment
  • Needed for budget and planning
  • Research & Institutional Effectiveness
  • Colleges need quality data to make informed decisions
  • Chancellor’s Office has a Data Mart of all MIS submitted data
  • Familiarize yourself with the tools your college uses to run reports (Hyperion, Tableau)

Security & Risk Management

Citation: Chief Information Security Officer (CISO) | InfoSec Resources. https://resources.infosecinstitute.com/job-titles/chief-information-security-officer-ciso/

  • Direct and approve the design of security systems
  • Ensure that disaster recovery and business continuity plans are in place and tested
  • Review and approve security policies, controls, and cyber incident response planning
  • Approve identity and access policies
  • Review investigations after breaches or incidents, including impact analysis and recommendations for avoiding similar vulnerabilities
  • Maintain a current understanding of the IT threat landscape for the industry
  • Ensure compliance with the changing laws and applicable regulations
  • Schedule periodic security audits
  • Oversee identity and access management
  • Make sure that cybersecurity policies and procedures are communicated to all personnel and that compliance is enforced
  • Brief the executive team on status and risks, including taking the role of champion for the overall strategy and necessary budget
  • Communicate best practices and risks to all parts of the colleges. The State Chancellor’s Office offers training (Securing the Human).
  • Application Layer Vulnerabilities — Web Application Scanners (static and dynamic), Web Application Firewalls
  • Network Layer Vulnerabilities — Network Vulnerability Scanners, Port Scanners, Traffic Profilers
  • Host/System Layer Vulnerabilities — Authenticated Vulnerability Scans, Asset and Patch Management Tools, Host Assessment and Scoring Tools
  • Virus & Malware Protection
  • Handling Data Breaches
  • Data Breach Insurance Policy
  • Senate Bill 1386 (Breach notification law)
  • Regular Firewall policy review (every two years)

Server Room

  • Security/Access Control
  • Generator/UPS
  • Fire Suppression
  • Cooling/Humidity

State Chancellor’s Office Tech Center

The California Community Colleges Chancellor’s Office (CCCCO) and the California Community Colleges Technology Center (CCCTC) have teamed up to provide California Community Colleges (CCC) with a suite of no-cost software solutions geared toward improving student outcomes, increasing college efficiency, and strengthening the CCC as a whole. Your college is assigned a College Relationship Manager (CRM) to help you be successful in all the services below.

  • Accessibility Center: Technical assistance, training, and resources specific to assistive technology, alternate media, and web accessibility topics to help colleges identify and improve access for individuals with disabilities.
  • Career Coach: Provides students with career, salary, and employment data, and recommends college programs for careers. Requires: SSO Proxy, CCC MyPath
  • CCCApply Standard Application: Application for non-international students to apply for California Community Colleges. Requires: SSO Proxy, OpenCCC
  • CCCApply California College Promise Grant: Digital version of the California College Promise Grant (formerly BOG Fee Waiver). Includes assistance for the purchase of books and supplies. Requires: CCCApply
  • CCCApply International Application: Application for international students to apply for California Community Colleges using CCCApply. Requires: CCCApply
  • CCC MyPath: Customizable Guided Pathways onboarding system which provides dynamic onboarding and guidance experience based on student-provided information. Provides various student services, such as Financial Aid and Online Orientation, and access to placement data, and will become the launching pad for most CCCTC products. Requires: SSO Proxy
  • eTranscript California: Supports the requesting and delivery of electronic transcripts across all of California’s postsecondary systems. Visit https://cccedplan.org/etranscripts/edexchange. Requires: EdExchange(pesc.org), SuperGlue
  • InCommon Federation: Provides a trust fabric for higher education, their vendors, and partners to facilitate single sign-on from local campus accounts. Chancellor’s Office and the CCCTC have facilitated InCommon memberships for all California community colleges to be paid centrally. Requires: SSO Proxy
  • Library Services Platform: Working with the Council of Chief Librarians, California Community Colleges (CCL), this is a new cloud-based library management system for use by all CCC libraries, and replaces existing college/district stand-alone systems.
  • Multiple Measures Placement Service (MMPS): Facilitates collection of high school transcript data and delivery of AB 705 compliant placement recommendation (self reported data from CCCApply, verified data from CCGI or CALPASS). Requires: SuperGlue, College Adapter, CCCApply, CCCMyPath
  • OpenCCC: Student account system which provides administrative access for OpenCCC student applications, and streamlines the admissions process. Requires: SSO Proxy
  • Information Security Center: The Information Security Center proactively assesses the information security needs of the community colleges, and offers services to CCC campuses designed to maintain the integrity of information systems, including vulnerability assessment scanning, server monitoring and security awareness training.
  • SSO Proxy “Authentication”: California Community Colleges Single Sign-on Federation (SSO) “Authentication” is the process of verifying a student or staff member at a college using the SSO Proxy. Provides users single sign-on convenience and privacy protection. Configuring SSO Proxy with Canvas and SuperGlue further expand efficiency and user experience. Requires: District level IdP for staff and student accounts
  • Starfish Enterprise Success Platform — by Hobsons: Hobsons Starfish combines Degree Planner and Early Alert retention tools. Degree Planner builds a multi-year plan based on college/district information; Early Alert/Connect allows faculty and staff to track students, engage students, and assists with appointment scheduling and wait-room kiosk. Requires: CCCID, SSO Proxy
  • SuperGlue (formerly “Project Glue”): Provides a secure, robust framework for data exchange between Chancellor’s Office products and colleges. The College Adapter is installed locally behind a college’s firewall to facilitate data exchange between CCCTC products and the college’s Student Information System (SIS). SuperGlue enables disparate SISs to communicate in a standardized way through a cloud service, and provides a single point of reference for which systems are considered “systems of record” for specified data elements and data exchange interactions. Keeps college data synced with CCCTC centralized applications like CCCApply, OpenCCC, etc. Requires: SSO Proxy-supplied CCCID, as required by product
  • Unlimited SSL Certificates: Secure Sockets Layer Certificates. Available for no charge as part of InCommon Membership. Requires: InCommon Federation

State Reporting

  • 320 Reports — CCFS-320 Attendance Report Program is used to create attendance reports, and the data is used to determine state categorical funding. https://misweb.cccco.edu/cccfs320/login.aspx
  • Management Information Systems (MIS) — The system used by the State Chancellor’s Office to collect data about the community colleges. This data is used to determine funding as well as provide a data mart to help us better understand the populations of students we are serving.
  • Integrated Postsecondary Education Data System (IPEDS) — A system of interrelated surveys conducted annually by the U.S. Department of Education’s National Center for Education Statistics (NCES). IPEDS gathers information from every college, university, and technical and vocational institution that participates in Title IV federal student financial aid programs.

State Chancellor’s Office Resources & Initiatives

https://ca.college.technology/

  • Accessibility: A listing of state-provided accessibility tools & sites
  • .EDU Email Perks: A listing of discounts available to students, faculty & staff with .edu email addresses
  • Instructional Technology: A listing of technology resources focused on teaching and learning.
  • State-Created Services: The State Chancellor’s Office is sometimes faced with initiatives or unique challenges that require the development of new and innovative solutions to be developed from scratch.
  • State Discounted Tools: Listing of solutions vetted by the State Chancellor’s Office that provide discounts to California Community Colleges based on state-negotiated pricing.
  • State License Software: Software purchased by the state and made available to you for free or subsidized.
  • Support Resources: Documentation, Training, and Communities for Higher Education Solutions.
  • News: Parsed feeds of TechEdge and Chancellor’s Office Newsletters
  • College Technology Plans: A listing of all 114 California Community Colleges and their technology plans (for the ones that I could find). Each plan is indexed using Natural Language Processing APIs, which automatically and intelligently parse chunks of text into groups. It can extract names, organizations, products, etc… into individual “entities”, and then you can link the “entities” to Google’s knowledge graph to quickly pull description data and even trends. At a glance, you can quickly see which colleges’ tech plans are updated, what the overlapping themes are, and which technologies each college is using.

Vendor, Contractor & 3rd Party Management

  • Contracts, District Terms, Purchasing Guidelines
  • Insurance requirements for on-site
  • Approved Vendors
  • Taxes
  • Sole Source Provider
  • Access to Data
  • Access to Network (VPN)

Virtualization

  • Servers
  • Backup
  • Data Recovery
  • Student Labs
  • Workstations
  • Imaging

Web & Mobile Services

  • Everything related to online applications for students and staff
  • Accessibility and meeting WCAG 2.0 and 508 Compliance
  • Analytics
  • College Websites
  • Content Management System
  • CRM — constituent/customer relationship management
  • Digital Signatures
  • Email (Typically cloud hosted by Google Apps or Microsoft O365)
  • Faculty Websites
  • Learning Management System (Canvas is funded by the State Chancellor’s Office)
  • Online Employee Evaluations
  • Online Forms & Surveys
  • Online Portals
  • Online Orientation
  • Responsive Web Design (Mobile Friendly)
  • Self-Service
  • SSO
  • SSL & Encryption