ITPG Meeting Notes: 2011-01-20

Attendees (29):

Michelle Adderley, John Ajao, Arlene Allen, Jeffrey Barteet, Kip Bates, Michael Colee, Bill Doering, Doug Drury, Matthew Dunham, Guylene Gadal, Karl Heins, Mihoko Jones, Richard Kip, Bill Koseluk, Tom Lawton, Dan Lloyd, Elise Meyer, Bruce Miller, Alan Moses, Mike Oliva, Tom Putnam, Andy Satomi, Glenn Schiferl, Kevin Schmidt, Jason Simpson, Jamie Sonsini, Heidi Straub, Chas Thompson, and Jim Woods

Administrative Items

  1. The minutes of the November 18, 2010 meeting were approved, and so the draft designation will be removed.

Informational Items

CIO Report - Tom Putnam

iTOE is trying to be more effective, and may even save money.  There have been several meetings with the Operational Effectiveness Steering Committee.  Tom & Doug presented their project list which led with the Financial Information System, Student Information System, followed by GauchoSpace, North Hall Data Center and Identity Management.  All of these projects are being addressed in some way.  So the next three projects on the list were selected, and they are Outsourcing Student Email, Collaboration Software, and Telephone/VoIP.  Three people offered to be the iTOE champion for these projects: Lubo for Outsourcing Student Email, Doug for Collaboration Software and Elise for Telephone/VoIP.  iTOE isn't going to do this work; the intent is to have all of the work go through the ITPG, e.g., asking Jamie's Campus Calendaring Workgroup to expand its scope to take on collaboration.  Communications Services has activities scheduled to start the discussion to build their strategic plan for future telephone service.  The resulting plan would then come through ITPG and BEG.  We know that there won't be a lot of money to do projects, and the current prospect is for even less, so why should we do anything at all?  We currently have the University's attention through this Operational Effectiveness activity, which is broader than IT, since it also includes shops, ticketing, etc.  If we can plug our process into that process, we'll get better attention.  In the long run, having a plan doesn't get us money, but not having a plan guarantees we won't get money.

iTOE discussions have included IT project governance process and IT organization.  These discussions have not been different from things we've discussed in the past.  The IT project governance process was not enthusiastically received by the Operational Effectiveness Steering Committee - they saw it as more bureaucracy and they really want to get things done.  We want a process that avoids situations like GauchoSpace, which is wonderful, but not fully funded.  His reading is that the Operational Effectiveness Steering Committee doesn't believe that the process/organization doesn't make a difference for funding.  However, warmth is growing, and there is interest in seeing an idea or concept.  With respect to IT organization, there is a proposal for a matrix organization with dual lines of reporting.  For example, in Administrative Services Doug has the lead role (as part of their matrix organization) and would have dual reporting lines to VCAS and also to CIO office.  In Student Affairs Lubo would report to both the Student Affairs control point and the CIO.  For Academic areas there are a lot of different pieces; we would create a rotating chair person that would have a dotted line relationship to CIO, this would be the same for ORUs too.  The rotation would be like our process of rotating ITPG chairs.  This discussion has started.  The OE Steering Committee likes the concept, and believes it could improve communication, and give them a better idea of what is going on in the University.  iTOE is working on what exactly the dotted lines mean.  This is a proposal for discussion, not a fait accompli.  The goal is to  improve communication and sharing, and perhaps to promote standards.  If you have ideas please let Doug or Tom know.  The draft document with both the proposed IT project governance process and IT organization is here.  Responsibility belongs to the Operational Effectiveness initiative, but for success they need to get buy-in from campus IT.

The Operational Effectiveness process is to pick a list of things to do, and the OE Steering Committee has approved our list.  Then for each approved project, come up with a plan for resources and what we get out of it.  The OE Steering Committee will have lots of proposals from the 4 working groups, then the things that show a lot of promise can get funded.  We are supposed to have these proposals ready in April.  There is no deadline on the organization discussion.

There was a question about the process, e.g., would calendaring go through normal process at ITPG, and then through OE?  No, iTOE is off to the side, and a champion.  Hope to have something to present for each project in April.  iTOE is a side activity to the primary development efforts.  The objective for April is to have the IT organization and IT project process fleshed out enough to be able to present to the OE Steering Committee.  They asked for this, and here's what we think.  Regarding the three projects: the committees that already exist will continue on their current path, with nudges from iTOE.  For example, here's the scope from iTOE, can this be incorporated/merged with the original committee's scope?  We may or may not revise schedules.  But keep the basic channels of communication open, and use an approach of not making major changes.  We need quick & deep coordination.  We get to decide what “meet that timeframe” means.  We are supposed to put together a project plan, and we get to specify what that means.

At the ITLC, the system-wide PPS Replacement Project has been described as a freight train coming down the tracks.  It is being driven by the CFO group with backing from OP.  An issue for UCSB is that it will be occurring in the same timeframe as our FIS move.

CISO Report - Karl Heins

PPS: The PPS Project Manager met with UC President Yudof and was given the green light to go forward.  The plan is to have the vendor selected by 4/15 and the contract signed by 5/15/2011.  Participating in this process are the Controllers, HR, a few Academic individuals and Karl.  They are moving forward very fast.  They did not consider an in-house solution.  The vendor solution could be cloud, in-house hosted, or out-house hosted :-) solution.  The scope includes more than payroll, e.g., HR and other processes.  The plan is that at least the payroll piece will be a single instance, with the other modules being centralized or distributed.  This is a fast moving, large, critical project.  The RFP is in process.  They plan on 2-3 years for full implementation.  They will first bring it up, and then go around campus by campus.  ?It would include OACIS? It hasn't been determined yet whether it will either track training or do training.  It will do the HR piece that supports payroll, and it needs to get converted to something that can get into the general ledger. 

The IT Security Program web site is being updated, including instructions on how to access the Information Security Tutorial.  The website will be refreshed on a regular basis.

TRAINING: He participated in the system-wide RFP for commercial training; they are looking for a 30 minute course.  There is now HIPAA security awareness training available ?link please?, which focuses on the health providing services, but anyone can take it.  The target for these courses is non-IT professionals, and they are initially focused on those who work with PII.  But as the system-wide course gets rolled out, it may become mandated for everyone.  There are supplementary courses for IT professionals ?link please?.

IS-3: There will be a proposed change to ask that each campus conform their incident response plan to the system-wide response and notification process.  The University, in addition to providing insurance, is also providing support, e.g., checklists.  They are trying to develop a relationship ?with the vendor?, so that if there is a breach, we can call on them.

ECP: He can't see a clear direction for where they will end up.  Privacy is a difficult & complex topic, and when it is also combined with the diverse, academic freedom at a university, it makes it very difficult.  ?Salted 18 mos for the project?.  Regarding our annual IS-3 Assessment, we will need to do something.  Internal Audit is also talking about doing something similar.  Robert ?Lastname? is the acting Audit Director.

If you have an incident or concern, please call Karl at any time, day or night.  He wants to know about a breach on a machine that contains restricted information or health information.  The NOC notification emails include boilerplate information asking you to determine if there is PII and, if so, to contact Karl.  Please email if you think that something is going on.  They can look at logs, especially if you are not sure.  The new HIPAA regulations have really strict deadlines for notification.  There is both institutional and personal liability if we don't notify in time.  HIPAA is a concern to both Counseling and research centers.  One institution had to pay a $250K fine for not notifying quickly enough.  If you have a question, call Karl.  The threshold for concern is an administrator's system with 6-12 SSNs.  The University is providing more support than they have in the past, including investigation.  The primary cause now for notification is stolen laptops and storage devices, where it used to be breaking into websites.  We are working on encryption for those devices.

The Enterprise Risk Management process is going through another year.  The chief risk they identified: applications on the mainframe.  There will be a questionnaire: do you have any mainframe applications, or any applications that rely on data from the mainframe?  Now they are looking for the next big risk to the enterprise.  If you are aware of something, please contact Karl.  Ron Cortes & Carrie Frandsen are leading this effort.

Subcommittee Reports

Backbone Engineering Group (BEG) - Glenn Schiferl

They have not met since our last meeting, but they will be meeting soon. 

Security Working Group (SEC-WG) – Kevin Schmidt/Karl Heins

They have not met since our last meeting, but they will be meeting the 1st week next month.

Web Standards and Content Working Group (WSG) - Heidi Straub

They met on 1/18/2011, and beginning in February they are moving their meetings from the 3rd to the 1st Tuesday of the month.  They are in the process of nominating their next co-chair.  The candidates are Heidi Straub and Aaron Martin.  Other topics include planning their next training activities.  They will be having a PCI Compliance brown bag next month and a mobile media brown bag, presented by Guylene Gadal and Joe Sabado, on 3/16/2011; both will be in the EH&S training room.  They are also planning a social media workshop during the last week of April. There will also be two training sessions on CSS, one a hands-on lab given by Brian Wolf, and followed by an intermediate training session.

A question came from ITPG whether there are any laws that state that any website needs to be compliant for accessibility.  (NB: Instead of documenting the discussion verbatim, the rest of the section has been updated by Ann Dundon to reflect current policy and law so that people aren't confused.)

If you need your site assessed for accessibility, contact Mark Grosch of the Disabled Students Program.

The Web Standards group gives an annual workshop on Web accessibility and ADA compliance.  Their UCSB Web Guide features the UCSB Web Accessibility Guidelines, and includes links to UCOP's Resources for Designing Accessible Web Sites. Related policy information is available at

If you have a student or faculty member who needs to use your website and can't, then you may be liable to a lawsuit.  If you know there is someone who needs assistance, work with them; Disability Resources and/or the Disabled Students Program can help. If an accommodation is needed, then you'll have to drop everything to do it.  One University got hit with a big lawsuit.  Separate but equal is not preferred.

Is there a policy that says we have to, or is it just best effort? It's not just policy, it's the law.  The UCSB Web Accessibility Guidelines state, "Accessibility is a Civil Rights issue and inaccessible Web sites violate the effective communications requirement of the Americans with Disabilities Act (ADA) as well as provisions of Section 504 and 508 of the Rehabilitation Act."

ITPG Communications - Bruce Miller

We discussed more fine-tuning of the website, and other ways to improve communications.  There should be an article in the upcoming 93106.

Identity Management Subcommittee (IdM) - Matthew Dunham/Karl Heins

They have not met since our last meeting.  Their next meeting is scheduled for 1/26/2011 from 2:00 - 3:00 in SAASB 2201A.  They will rotate around Shibboleth, UC trust, and what these mean.  Shibboleth underpins UC trust.  It is used by some campuses for SSO intercampus federation.  We should consider intracampus federation as a long term goal with respect to IdM service providers.  For the applications that currently use LDAP binds, in the medium term, have them switch to using Shibboleth.  Participation in UC trust prohibits us from allowing unfettered LDAP access.

Status update on the IdM refresh project: most major elements have been done, and now have to be integrated and installed on production system.  This next step should take 8-10 weeks.  They are aiming for spring break, since they need to de-couple from umail.  Information will be going out to service providers about how their operation of the service may change.  All interested parties should come to their meeting.

Campus Calendaring Workgroup - Jamie Sonsini

They have met 4 times since our last meeting.  Their meeting highlights are:

  • They have discussed many times that any viable calendaring solution is also going to have an email component.  The question is whether they apply the same amount of rigor that will be used to analyze the calendaring functionality to the email functionality of the product, including requirements, functions, support, service etc.  Their general sense is that with respect to email, most are happy with the email service they currently have.  Others might be willing to migrate.  The general consensus is that something that allows opt-in is preferable to something that demands switching.
  • They think the current set of possible products are: Google Apps, MSFT Exchange (outsourced), MSFT Exchange (locally hosted), MSFT Live (outsourced), Zimbra (locally hosted or outsourced).  Zimbra is in use by Texas A&M.  They revisited Oracle Beehive, but to date there is hardly any penetration and Oracle is only giving it limited attention.  See PC World article.  Some of these products are only available as outsourced. 
  • Their next focus is to prepare a summary of issues with respect to outsourcing, and they will make use of UCB's & ITLC's prior work.  It will include the issues that we should be concerned with.  The members are supportive of a solution that involves outsourcing.  But if outsourcing is unpalatable to our campus, then they won't present an outsourced solution as one of our options.  They need to understand the scope of the available options.  Once summary is complete they will bring it to ITPG and then ITB.  Jamie plans to present Calendaring to the ITB to engage them in the dialogue. 
  • They have also commissioned a subcommittee of Exchange users to explore what cross-calendaring is truly available with Exchange.  This solution should dovetail with the IdM solution.  Google Apps wants to use a federation base, that is, the UCSBnetID would live on a UCSB server, and then it would use SAML to pass back authorization tokens.  The initial authorization would be done locally.  They think that MSFT Exchange has a Shibboleth interface.  They don't know about Live & Zimbra.  It was requested that the migration should include export & import of Oracle Calendar data.  Last time they did something in-house.  The tricky part is when a calendaring item has lots of strings attached.  They can't promise.  UC Berkeley is going with Bedework (which doesn't cross-calendar with Exchange).  They hired someone to sync Oracle Calendar with the cal dev environment.  Maybe we can use that or something similar.  We know from previous looks at email & calendaring that there is a lot of other stuff that people have hooked from their systems, e.g., lab access if email provisioned.  We need to catalog what people have done.  We need to be wary of situations such as getting free student email, but needing $100K to adapt to it.  Another issue is calendar sync software for smartphones.

Please visit their website for more information.

Liaison Reports

Information Technology Board (ITB) – Jim Woods

Their next meeting is tomorrow.

Enterprise Information Systems Planning Group (EISPG)

Today's meeting was canceled.  They are still reconstituting their charge.

Academic Technology Planning Group (ATPG) - Alan Moses

Their next meeting is scheduled for 1/31/2011, and an agenda has been sent out.

Research CyberInfrastructure - Arlene Allen

They have not met since our last meeting.

IT Operational Effectiveness - Doug Drury/Tom Putnam

Please see CIO report above.

Project Reports - a brief report or location where projects will be located

North Hall Data Center - Tom Putnam

This project has been waiting for a governance committee to be formed by the VCR to determine what the rates and policies are going to be.  Financing is the first issue.  EVC Lucas has formed a NHDC Finance Board and they will first meet next week.  This board consists of Gene Lucas, Todd Lee, Mike Witherell, Tom Putnam, Pierre Wiltzius, and Frank Doyle.  They will use the documents that Arlene has prepared for the CI group.  Completion is estimated to be mid-November 2011, and they are on target.  There also needs to be a network model etc., and a plan for all the hard infrastructure, such as iso platforms, racks, PDU infrastructure, network infrastructure, and some recharge services need to be costed out.  The question was asked whether information will be available in time for existing tenants to include in their rates for service.  The answer given was that they believe that the current rates are sufficient.  Is there any compelling reason to move the umail servers to NHDC?  Talk to the library.  If you have a current server room, then it is cheaper to run your own.  However, if you want to build a new server room...  It has never been part of the plan to take existing machines to NHDC.  But when buying new machines, or wanting new server rooms, those we want to go to NH.  Talk to your representative on that group.

Financial Information System (FiS) - Doug Drury

They are progressing with their assessment phase.  The next step is to develop a detailed project plan, schedule, and budget.  There is collaboration with UCLA and UCSB departments.  The plan is due in April.

Student Information System (SiS) - Lubo Bojilov

They just finished the vendor evaluation phase including the proof of concept for migrating the administrative and registrar systems off the mainframe.  They hope to start the actual project next month.

Collaborate - Alan Moses

They just finished their first year of this program.

  • For the Classroom technology projects they were able to set up good coordination between Instructional Development, Facilities, Registrar, and LSIT and they were able to coordinate dates and services so that upgraded rooms could also get new paint, etc.  Collaborate finished the first 6 classroom upgrades.
  • 50% of the current enrollment are now on GauchoSpace.  There are 750 course sites (sections could be separate sites).  There may have been as much as 50% growth from last year.  It's been open for a year, but training is still required.

Discussion Items

  1. ResNET bandwidth increase request: The established process for these requests is that the NOC reviews the request for any problems or conflicts, and if there are none, the NOC brings the request to ITPG for comment and questions.  ResNET has requested raising their hard limit from 500 Mb/s to 1 Gb/s.  Traditionally, they increase their soft limit in small increments up to the hard limit.  The NOC anticipates there will be no utilization issues with our 6 1Gb/s links and our 1 10 Gb/s link, nor any apparent conflicts either on or off campus.  The ITPG approved the requested bandwidth increase.
  2. UCSB interactive map (Presented by Guylene Gadal since Dillon Parenti was out sick.) A document describing the project is available at  There has been over 5-10 years of planning for this project.  They used ESRI GIS data.  Please contact Dillon Parenti for more features.  The Interactive Campus Map is available at  They maintain it by having interns going out and getting information.  There is some access control.  You can use it on your website.  It works on iPads, Android phones, etc.  Who is supporting this?  Geography created this.  Ask Dillon.
  3. Upcoming ITPG business: We are approaching new vice-chair election time.  Think about it, also if available for nominating committee think about that.  Those two are mutually exclusive.

Member Announcements

MRL (Jeffrey Barteet): He and Paul Weakliem did get their purchase order in to HP for a $750K+ cluster.  It will be in sometime by March 2011.  It will be located in the new computing center in CNSI ?breaking off? High Performance Computing for the campus there.

SSL & EC (Michelle Adderley): She introduced new Advancement Services staff member, Mihoko Jones.

Communications Services (Bruce Miller): They will be updating web portal later this month.

OIT (Kevin Schmidt): The last core router was swapped out this morning.  Andrew Bowers was working on encryption documentation and the process for making the PGP encryption software available to departments.  It's currently being tested in a beta department. 

Physics (Glenn Schiferl): He has a CNT III position open.