COMPLIANCE ASSESSMENTS AND SECURITY IMPROVEMENTS | COVID-19 PANDEMIC MANAGEMENT |
HARDWARE STANDARDS | NETWORK INFRASTRUCTURE UPGRADES | VENDOR REVIEW FOR SECURITY AND ACCESSIBILITY |
COMPLIANCE ASSESSMENTS AND SECURITY IMPROVEMENTS
Several compliance programs call for annual assessments of security controls. Due to the global increase in security attacks, sponsoring agencies have made these more demanding. Because a solid security program relies on defense in depth, typically about a dozen sets of controls span all IT functional areas and the using department.
The most stringent of these assessments were completed in October in response to the Department of Defenses’ requirements for the protection of Controlled Unclassified Information. We measured US:IT’s secure enclave and all supporting systems against 110 controls using 340 criteria. Led by the Information Security Office, this evaluation spanned 5 other US:IT departments as well as the research unit.
We completed a similar, but slightly less comprehensive assessment in February for data received from the Center for Medicare and Medicaid Services (CMS). CMS required a review of more than 100 questions. These are based on similar controls to be used by UMS HIPAA-covered entities which we began reviewing in December following a survey by the Office of General Counsel.
In the spring we completed our annual risk assessment of Financial Aid offices that is required under the Gramm Leach Bliley Act (GLBA). Some of the evaluations of MaineStreet served as the foundation for evaluating the financial systems. Our external auditors, CLA reviewed these reports as part of the single audit.
These required assessments have formed a foundation for the review of other programs. We have migrated our policy framework to the widely used National Institute of Standards and Technology controls for non-federal agencies. Adoption of these standards as our own controls has raised familiarity and compatibility with external requirements and provided a wealth of external reference sources. Through the advent of a new Data Classification system (APL VI-I) we have been able to apply the classifications to our standards so non-formal assessments can be made for any data held in the UMS. These guidelines have been used with staff and researchers to review systems that process, store or transmit protected data.
Though compliance doesn’t always equate to security, UMS security has improved through these honest hard-looking evaluations. Not only is awareness of security measures reinforced, addressing deficiencies provides a basis for continual improvement. Plans of Actions and Milestones (POAMs) are created of each improvement finding and are being managed by the Information Security Office.
COVID-19 PANDEMIC MANAGEMENT
Throughout the COVID-19 Pandemic, the University of Maine System has leveraged science and data to inform the strategies implemented to help protect the entire community. To support this effort, the UMS:IT team developed, launched, and supported a variety of new tools, services, and data dashboards. Among these new tools were:
- UMS COVID-19 Portal. Based on the PointNClick Electronic Medical Records platform, the UMS COVID-19 Portal was initially launched to provide students, faculty, and staff with self-service test scheduling and test results management functionality. In July 2021, new functionality was introduced to enable community members to upload their COVID-19 vaccination information and confirm compliance with University requirements. Subsequent functionality was added to allow individuals to submit official vaccination exemption forms which are approved through the portal. In October 2021, an integrated compliance verification system was made available. This system enables users to present a color-coded compliance status “card” based on submitted vaccination information and/or recent test results. This feature has facilitated expedited status verification at venues such as athletics events and gymnasiums.
- Sara Alert Contact Tracing Platform. The Sara Alert platform is the environment chosen by the Maine Center for Disease Control to support state-wide contact tracing. To best align with the state’s efforts and to facilitate information sharing between the University of Maine System and the CDC, UMS:IT supported the adoption and initial deployment of the Sara Alert System for contact tracing of positive cases and close contacts across the University. This tool has provided a comprehensive suite of tools for effective contact tracing and case management for designated contact tracers. This includes the ability to automate the collection of daily health checks and provide timely status update notifications, including clearance of cases, to individuals. Sharing a common platform with the CDC has expedited and streamlined case reporting between the agencies and helped streamline case management and reporting.
With a wealth of COVID-19 related data newly available, providing secure, permission-based access to this data was a critical need across the University of Maine System. To address this, the UMS:IT team designed, developed, and delivered a series of reporting data marts designed to inform local campus teams of activities and trends at their campus. Secure, permission-based access to this information was managed through the Microsoft PowerBI platform. With PowerBI, a number of dashboards and reports are available, providing on-demand real-time access to data, including:
- UMS COVID-19 Testing Detail Report – daily test activity and lab results
- UMS COVID-19 Information by Campus – dashboard showing aggregate positive case information and available isolation and quarantine capacity
- UMS COVID-19 Asymptomatic Test Public Report – publicly available report showing the total number of tests and positive case counts over time; currently aggregated by month.
- ShieldT3 Test Aging Report – dashboard used to track COVID-19 saliva test turnaround time and rejection rates for the primary UMS testing partner, Shield T3.
- UMS COVID-19 Vaccination Detail Report – Vaccination status report available for campus Incident Command teams. Provides derived vaccination status based on information submitted through the UMS COVID-19 Portal.
- UMS Fall 2021 COVID-19 Compliance Report – With the formalization of UMS policies and requirements for COVID-19 vaccination and/or testing in place for students and employees, this dashboard report shows the current compliance status for students and employees at each campus.
HARDWARE STANDARDS
US:IT has been developing Standard Technology Purchasing Guidelines and is in the process of gaining approval as an APL. Purchasing standards provide a cost-effective solution and enhance the acquisition, delivery, implementation, maintenance, support, compliance, and disposal for technology suitable for the educational and business needs of the University of Maine System students, faculty, and staff. Standardization lowers the total cost of ownership through reduced support costs and right-sizing based on a standard lifecycle. By leveraging the buying power of the University, we receive significant cost savings.
US:IT has published Computer Standards for system-wide use. IT has a contract with Dell that allows UMS to leverage contract pricing with volume discounts as well as utilize Dell to provide value-added services. We have integrated the purchasing experience through MaineStreet Marketplace with a Standard Hardware menu with the ability to upgrade components seamlessly. In the partnership with Dell, US:IT has been working to onboard Asset reporting and tagging, Factory Imaging, Asset Resale and Recycling, and Warehousing of critical inventory. Additionally, US:IT has stood up the Dell Techdirect Service Portal to enable our desktop services staff to have access to technical resources, priority support, and the ability to self-order warranty parts. Campus IT teams are available to discuss specific requirements and assist with the IT Hardware Standards team to offer review, guidance, and options if exceptions are necessary.
US:IT is developing Readystock Warehousing, allowing the inventory of standard models to ship within 3-5 days, to address the current supply chain issues of laptops, desktops, monitors, and docking stations.
US:IT is developing Apple standards and should have these standards added in early January 2022.
NETWORK INFRASTRUCTURE UPGRADES
Campus Telephone Service
After more than three decades of service, the University of Maine at Presque Isle’s and University of Southern Maine’s legacy phone systems have been shut down. These systems have been replaced with IP-based telephones bringing these campuses in line with the rest of the University System. Along with new phones, Voicemail sync with GMail and Fax over IP are also now available to the campuses.
MaineREN Northern Ring Upgrade
This past summer Networkmaine brought a significant increase in network capacity and performance into production around the northern ring of Maine’s research and education (R&E) network, MaineREN. MaineREN’s Northern Ring services Hancock, Washington, Aroostook, and northern Penobscot counties.
The project expanded and improved service for all of Maine’s R&E entities in this region in terms of capacity, agility, service resiliency, and operational aspects similarly to what had already been completed in the 2017 equipment refresh for locations that roughly fall below the 45th parallel (Ellsworth, Bangor, Farmington). The Northern Ring now provides an aggregate of 100 Gbps of bandwidth shared across all sites with the technical capacity to add future 100 Gbps channels as needed. This represents a 5x increase to the previous service.
MSLN / UMS Transport Services
In October of 2020, Networkmaine released an RFP for Transport Services starting July 1, 2021, which resulted in awards to five (5) transport providers totaling $5.2 million in value annually.
As part of this effort, Networkmaine set a minimum connectivity goal for the MSLN Project at 1.0 Gbps. The resulting contracts achieved this goal for 95% of all MSLN participants. Networkmaine continues to work with its transport providers to bring full 1.0 Gbps connectivity to our remaining 14 members.
Public Access WiFi – projectConnect
Networkmaine partnered with the Maine State Library, the Information Technology Disaster Resource Center (ITDRC), and AT&T to boost connectivity in 70 Maine locations, expanding and upgrading WiFi technology at libraries, parks, schools, community centers, town halls, and other locations across the state. 50 of these locations participate in the Maine School and Library Network operated by Networkmaine. Networkmaine is providing Internet access, management systems and ongoing technical support for the schools and libraries participating in this project.
ITDRC volunteers are currently making their way across Maine, working with Networkmaine and local organizations to extend existing WiFi and upgrade aging technology. Technicians have installed new equipment, funded in part by AT&T and the Maine State Library, to boost WiFi signal and extend service into parking lots and surrounding areas. To date, 57 of the 70 planned ITDRC projectConnect sites in Maine (47 of 50 schools and libraries) have been completed. Locations of the upgrades extend across the state of Maine to dozens of communities. Of the 70 sites being serviced, the majority are at libraries in rural communities, with schools, town halls, community centers, and more also included.
VENDOR REVIEW FOR SECURITY AND ACCESSIBILITY
US:IT plays an integral part in the procurement process when it comes to any large or small procurements that include technology materials or services. Current Information Security and Digital Accessibility practices involve vetting contractors, products, and services for their ability and agreement to comply with university standards, which are driven by statutory requirements and university policy. With the help of Strategic Procurement, these processes have matured over the years especially when it comes to large-scale procurements such as RFPs.
With the reduction in p-card usage during 2020 and 2021, the visibility into smaller purchases that carry with them significant data exposure and accessibility risk, was improved. Many business units were unaware of these compliance requirements and risk assessments had been bypassed. A team was formed to streamline and communicate the processes. It is integrating the separate component reviews into a more cohesive experience for campus sponsors. Campus IT Officers, our campus/customer liaisons, will continue to ensure that university sponsors and activities have access to the technology resources and services they need.
Information Security bases its reviews on risk which is mostly determined by the amount and classification of data. Whereas cloud-based systems for highly sensitive data may require deep vetting of the contractor’s abilities to control data, purchases with limited data sets of less sensitive data may only need the contractor to agree to the Universities safeguarding standards. Behind the scenes, the Information Security Office uses a rubric for managing vendor risk, a standardized questionnaire will simplify the process.
Similarly, the extent of Digital Accessibility reviews, to ensure that equal opportunity is provided to all members of the university community and public activities, has increased as visibility into smaller purchases improved. We improved the review process this year and are reallocating capacity to improve the timeliness of reviews. Digital Accessibility complaints in higher education nationwide are a continuing issue and risk for institutions.
We have long utilized the Higher Education Community Vendor Assessment Toolkit (HECVAT) to help determine the risk associated with information security in technology acquisitions. Educause has recently added Digital Accessibility to the HECVAT and we are working with Strategic Procurement to integrate those changes into our standard procurement processes and forms.