NUIT Annual Report 2006 - Northwestern University Information ...

The TechnologyEnabling InfrastructureEnterprise Support for Current OperationsFacilitating the business of the University, the implementationand enhancement of new enterprise systems also supposesnew processing requirements, growth of data storage needs,and redundancies for critical systems. NUIT continues to workwith the University Budget Office to anticipate these needs,forecasting the expenses of functionality demands, systemupgrades, and reliability requirements.Security and ComplianceNUIT is committed to securing the technology thatsupports administrative, academic, and research atNorthwestern. Creating an environment that supports afree exchange of information relies on highly effectivesecurity business practices and ongoing awareness withinthe campus community.Disaster Recovery / Business ContinuityNUIT continues to advocate the implementation of accesscontrols that match the value of the University’s informationassets. NUIT assumes a key role on the NorthwesternUniversity Emergency Response Task Force to plan forthe protection of central systems and contribute to bothemergency operations and business continuity planning.In the first full year of service, the University-wide DisasterRecovery Unit Coordinators met quarterly for awarenesstraining and education. The NUIT Disaster Recovery/Business Continuity Plan was updated with newly developedtemplates, and three tabletop exercises were successfullyexecuted in November 2006. A disaster recovery plan for theChicago Datacenter calls for testing that is scheduled for theHuman Resources Information System (HRIS), the StudentEnterprise System (SES), and the Alumni/DevelopmentSystem (AIMS).Risk Assessment ProgramAn information security vulnerability assessment program wasimplemented in June 2007, utilizing internal risk evaluationsto identify critical security issues in schools and departments.Plans for a Web application security assessment will beimplemented in fiscal year 2008.Two-factor AuthenticationDeployment of two-factor authentication was approved duringfiscal year 2007 as part of the Web Access Management (WebSingle Sign-On). This requires a second, higher level ofauthentication to validate a user’s identity before accessingsystems that contain personally identifiable or sensitive data,such as in HRIS, SES, and the College and University FinancialSystem (CUFS). Roll out begins in fiscal year 2008.Central Active Directory ServicesThe utilization of Microsoft Active Directory (AD) is anessential component of the University directory servicesenvironment. In 2007, NUIT deployed a new central MicrosoftActive Directory service to support NetID-based services forMicrosoft applications. As a result, all school and divisionAD instances will be supported from the central identitymanagement system in fiscal year 2008.Enterprise EncryptionPersonally Identifiable Information (PII) is widely distributedacross departmental servers, workstations, laptops, andother devices such as Personal Digital Assistants (PDAs) and“thumb” drives. If the data is accessed by unauthorized partiesor portable equipment is stolen, unprotected PII is at riskfor unauthorized access or release. To better manage riskand reduce liability exposure, NUIT investigated scalable,cost-effective vendor solutions for encrypting single files.Investigation continues for a University-wide encryptionsolution that will provide automated, selective, and on-demanddata encryption.NUIT’s Information Systems and Security/ComplianceProgram continued to address computer and network securityin 2007 through a variety of activities and programs:• An intrusion detection and prevention system(TippingPoint) was installed in December 2006 at thecampus border to automatically block off-campusintrusion attempts.• The NetPass system, Northwestern’s computervulnerability inspection program, was deployed for publicports in the University Library to provide real-time networkprotection, blocking access from infected computers.NUIT also continued to review and assess new vendordevelopedhost registration systems.• NUIT continued to review vendors to provide a campusevent correlation system for faster recognition of securityincidents and events.NUIT Annual Report 200721