EDUCATIONAL TECHNOLOGY ADVISORY COMMITTEE
1/16/2008, 12:30-2:00 pm
ATTENDEES: David Gillett, Duncan Graham, Beth Grobman, Jeanine Hawk, Scott Heffner, Kent McGee, Sherri Mines, Judy Mowrey, Fred Sherman, Alex Swanner, Tim Woods
GUESTS: Sharon Luciw, Chien Shih, Pam Wilkes
Convened: 12:35pm
1. APPROVAL OF THE MINUTES (Fred)
· Both the October 17th, 2007 and November 21st, 2007 meeting minutes will stand approved as posted
2. GENERAL NEWS (ALL)
3. SECURITY POLICY (Fred)
· Trying to put in place a set of procedures for the District that will help us have a higher level of confidence that we are keeping personal information safe and secure with regard to people we are keeping information on
Students, staff, faculty and certain other stakeholders
· Have a fiduciary responsibility to ensure that the records that we keep are kept secure so we don't compromise someone's identity or otherwise disclose information
Need to treat information very carefully
Not only records that we keep in the admin
system but also records we keep on personal computers, in electronic form
as well as paper form in our paper files
Faculty keep grade rosters for several years
that have student identification numbers on them (SSN or current campus
wide ID#)
· There are existing laws that we need to follow:
FERPA – Family Educational Rights and Privacy Act
Senate Bill 1386
· Have had two major incidents, one at each college, since Fred has come to the District (10/2006)
· ETAC's role is to take a look at new policies that have to do with technology and provide feedback
· The committee began a discussion on the security procedure draft – created by using the US Berkeley policy and significantly modifying it to fit our organization, but first:
There was a question raised about whether sending an attendance list around the class, with only the names of all the students for check-off, was a breach of confidentiality
The response was no, because it had to be the student's name along with some kind of specific personal information
Disclosing a student's name and the fact that they are present doesn't violate any laws
If a sheet had a name and SSN or student ID#, so others could see this information, it would be a breach
SSNs are kept on students as well as faculty and staff
Alternate ID#'s are also kept in the records
and therefore can be linked together
Student ID#'s replace the SSN
According to FERPA, a SID is confidential
and in combination with a name needs to be protected
· ETAC is the committee that is reviewing this particular document, making suggestions for modification and improvements, etc
ETAC has been chartered to do this type of
work
The best way to integrate the different groups
is to have the input from anybody or any group, which is welcome, brought
into ETAC for discussion so there is one group of people dealing with the
issues
Not good to have different groups out there making modifications, which may not sync up with, or agree with, each other
Jeanine is concerned about the DA Tech Task Force not being brought into the discussion as ETAC sets policy, so it is not just the opinion of 12 people, but the opinion of a much more representative group
The Security Procedure is currently on the
Tech Task Force agenda
The best way to integrate the DA Tech Task
Force and ETAC is to have the input from the Tech Task Force brought into
ETAC and discussed here, so there is one group dealing with the issue
Sharon feels that it is premature for the Security Procedure, in its current state, to be reviewed by the DA Tech Task Force
The document should be blessed by ETAC first
Fred is okay with other groups meeting and
discussing the current security procedures and bringing information back
into ETAC
A participative governance of an organization
is one where the representatives that come to the table are also bringing
it back and sharing it with the groups they represent
It would be good to clean up the current
document before sending it out
This group's responsibility is to take this
document out, once it is ready, and vet it with their particular groups
and bring information back to ETAC
ETAC should be the central point where these
issues come together and come to a conclusion on it
The committee began going through the draft
document line by line
DEFINITIONS
A. Personal Information
According to David, need to also look at
the laws as they apply to backed up medium
Scott asked for clarification on the second bullet pertaining to directory information
Info you put into a student directory – the
wording came straight out of the law
Can rephrase or take the term out since it
doesn't exactly apply to us
Trying to address students' names in conjunction with the long list of items under this bullet
This section is to identify that information
which should be considered protected
Will take out phrase "Not included as directory
information"
Fred will research FERPA to see if he can
get a definition of what exactly they mean by directory
A question was raised about the third bullet
pertaining to SSN or SID – can a faculty member create an arbitrary
and random eight-digit number that is assigned to a student, for the
purpose of tracking their progress, on a spreadsheet that has been posted
on line?
Fred felt that it was probably okay, but
that a lawyer should be consulted regarding this issue
FERPA has a very clear section about acceptable use - might be able to lift verbiage and put it in, which would clarify the issue
Scott is confused about the inclusion of
the "gender" bullet – If something is posted without any other
identifier but the name, gender will be more than readily available in
terms of an identifier
According to the law, if you put down a name along with the gender, it is protected information
If you only use a name, you are okay
If you are using the name in the grade roster you are okay as long as you are not using it in conjunction with any of the other items on the list
B. Security Breach
Basically a definition after procedures are
implemented
Any information found in this personal information
category will have to be encrypted
Currently ETS is not ready to roll out encryption
for everyone, it will have to get phased in
If you are keeping this type of information
on your computer, it should be encrypted just to protect it in case someone
breaches and gets access to it
We do not have a security breach if you have
encrypted the information on your computer and somebody breaks into it
We have a breach if it has not been encrypted
and someone breaks into your computer
As the term "Security Breach" is used throughout the procedure document, it means a disclosure of unencrypted information
In the larger sense, "Breach" has a larger
meaning to it
This quarter, ETS is evaluating encryption
tools for Dell and Apple to get a handle on how they work
Need to ensure that an administrative access
is created to the data and have a plan on who can have the administrative
password, because someone will forget their password at one time or another
If you forget your password, the data is
gone forever
Need to come up with a process that will
guarantee if someone forgets their password, their data can be recovered
Sharon's staff are focusing on personal computers
Chien's area will focus on the servers
Scott encrypted his computer and ran into
some problems in terms of functionality of his system
He deployed the software and then took it
off
Fred has encrypted his entire hard drive, on his Mac, and it has worked flawlessly
C. Computing System
The type of information that you normally
collect on the network node does not fit into this category called personal
information
There are some instances where the data is encrypted on a system but travels across the network unencrypted, and the network can be compromised if a device is used to capture unencrypted data in transit
D. Lead College Authority
No comments
E. Data Resources Manager
No comments
F. System Manager
No comments
G. Control Records
No comments
RESPONSIBILITIES
A. The Lead College Authority Has Oversight Responsibility To
Why should this be someone other than Chien?
When referring to the administrative system
itself, there is certain data that will be in Chien's or Fred's area to
worry about
Outside of this, there is quite a bit of
data that is kept by the colleges that doesn't fit within the system that
ETS manages or whose system ETS may manage but the data may belong to a
different constituency
i.e. if you maintain a course curriculum
development system - there may be personal information that is kept within
that system that ETS doesn't directly manage or maintain
Need someone at the college that will be
accountable to make sure certain actions get done
Need one person at each campus that will
organize the things that need to happen instead of having to deal with
a variety of managers
Currently ETS does not know all the systems that sit on everybody's desk (servers, etc. that store information on the campuses)
ETS tries to collect that information and
record it when they find it, but there are probably servers that ETS doesn't
know about that are on the system
According to Jeanine, there isn't any one
person in a campus organization that would have authority over a multiplicity
of these types of systems
Not sure how this can be managed as a single
authority in a campus organization
Another issue related to this, is the data
kept in the administrative system, for example the student system and all
the student records, in the end it will not be ETS that should be granting
individuals access into this information
ETS will facilitate by electronic control,
but we are not going to be the ones to say who will have access into a
particular area of the administrative system
Someone on a particular campus will have
the authority to do this
According to Fred, one person is needed at
each campus that can organize the things that are going to happen instead
of having to deal with a variety of different managers
Will flag this issue and give some more thought
to it
B. The System Manager Has Responsibility To
No comments
C. Data Resource Manager Has Responsibility To
This person is campus based
Would probably report into the Lead College
Authority
Could be an ETS person, if all systems were
managed by ETS, but since there are many systems out there that ETS does
not manage, it won't work
Should probably be a systems manager
As per Chien, we should put this model into
a present and a future context –
what we currently do and what we are going to be doing
In the future, will probably head into a
more centralized identification management system so this role will be
a participatory management type of authority
One of the challenges of our current system is that it takes a long time to actually get access to the admin system. Might be something to look at in the future, when we actually identify points of access with a position, so when that position is filled, that person automatically receives point of access
This may not be the right model for FHDA,
but it is a model we can work with
It would be nice to push the authority down
to the lowest common denominator. For example there are people on each
campus responsible for HR functions, why not push that down to the campuses,
give those people the authority to provide access for the information they
need for that campus.
This is a different way of thinking than
we currently have, but it might be useful to consider
The remainder of the procedures will be deferred
to the next ETAC meeting
4. HARDWARE/SOFTWARE STANDARDS (Sharon)
· Jeanine asked when we will be moving over to the new Office for the Mac
The new Office is not backward compatible unless you use special tools for it
Something that will have to be addressed
this year
· Scott asked if Leopard will be on the discussion also
There is nothing more to discuss because the new machines that Apple is shipping will only run on Leopard, so ETS is frantically trying to catch up on creating the appropriate images and getting them shipped to the factory for factory image processing and meeting the challenges of Apple's new Time Machine back-up
Due to staff constraints, existing district
owned Mac computers will not be upgraded unless there is a business need
for it
People will get the new operating system
when they get a new computer
Will purposely upgrade the operating system
on computers mainly in labs
5. CAPTURE CARD/GO PRINT (CHIEN)
· In the new year, had a meeting sponsored by Rose Myers and Robert Griffin to discuss the status of Go Print, primarily to solve the issue of the Capture Card that expired December 31st, 2007
· The committee meeting decision is to extend the cards' expiration date to five years from now
ETS will have to implement this
· GoPrint/Capture has experienced tremendous growth, to the tune of 5,000 cards, for this quarter for both campuses
· Rose Myers and Robert Griffin will hold another meeting with the Capture Card vendor to find out what the new requirements are in terms of student services, library service and also vending services
· According to Jeanine both campuses also showed interest in interfaces for food services and the bookstore
· To be included in future meetings, need to contact
Rose Myers or Robert Griffin, since they are the chairs of the committee
· Can make the card expire based upon a student's enrollment
The decision of the committee was not to
expire their card based upon their enrollment status
· The card has two components
1) General turn on and off
2) Can turn off based on different criteria – this
part has not been developed or specified by the campuses
· Students need to understand what the financial impact might be
6. EIS UPDATE (Chien)
· The EIS Steering committee has done a good job and has finished the selection process
The committee has chosen Banner
In the process of trying to scale down their
offering price, have given them a price negotiation deadline of January
17th
On target to brief the board on February
4th, 2008 with the information from the selection process
After the board reviews the information,
will start to negotiate the contract and present the final contract for
board approval on March 3rd, 2008
7. GENERAL INFORMATION
· Procedures for handling new policies or procedures that are being considered by ETAC:
1) Take out to groups for any general comments regarding the direction it is taking
2) After massaging the document a bit, then go out to groups with specific language and ask for specific comments that are brought back and decide how it will be handled
3) Come out with a recommendation to forward
to Chancellor's Staff
8. FUTURE AGENDA ITEMS (ALL)
· Security policy
· Duncan Graham would like to discuss the tracking system in the tutorial center and the PSME lab, which are dropping information, cutting students out and logging them off when they haven't logged off
Appears to be rather sporadic
· An update on the wireless project
9. ADJOURNMENT
· Adjourned: 2:00 pm
Next Meeting: February 20, 2008, 12:30 – 2:00, via video conferencing