Thursday, October 4, 2012 - Yale University

Thursday, October 4, 2012, 3:00 pm - 5:00 pm
25 Science Park, Room 663

In attendance: Roseann Adams (PMO), Faith Brown, Karen Colburn-Murphy, Michael Dula, John Jibilian, Susan Kelley, Jane Livingston, Kim Miller, Lec Maj, Susan Monsen, Joe Paolillo, Len Peters, Randy Rode, Russell Sharp, Alan Usas, Susan West (ITS Staff).

1. ITS505 START Replacement - Request to Initiate - Adriene Radcliffe (Director Service Management) (3:00-3:20)

Please see slides for additional information. Service Management has several projects throughout the year; this is for the replacement of the START technology.

Overview:

• Service is outdated and challenging to support, in a fragile state.
• Some of the underlying technology in START is tied to Oracle; the R12 upgrade would affect START. START has dependencies with the R12 Oracle Project. Some of the START features must be changed for R12. Currently, there is a hard date of April 2013 for the START changes. The changes must be in place to support R12. The START work is very complex because of the impact across the university. START has a number of workflows for university business offices. Therefore, the change management required is a heavy lift across the university. For example, Randy R.'s team would be significantly impacted if START is impacted.
• Determined it would be worthwhile to replace START rather than upgrade it with the upgrade of R12.
• No internal resources available. This project is for outsourcing.
• Many pages of PDF forms that must be filled out for requests throughout the university could be moved into this framework in the future and implemented successfully.
• This would eventually allow automation of the fulfillment process.
• Biggest risk is the change management aspect, various pieces that affect the entire university.
• Automated status view of requests would provide a significant drop in # of calls based on.

Questions and Discussion:

• Hard date for completion is April 2013. Is this a requirement? Yes.
• Would all PDF request forms be replaced by this new functionality? Not by June, but eventually, yes.
• What is the final request for funding? Currently estimated at $300-$350K assuming we source the work (including project management, change management, business analysis, and implementation). The original estimate of $84K is low. With further analysis, the request must be higher.
• What are ongoing costs? Expect to retain .5 of an FTE to maintain existing START plus .5 FTE to implement the growth in future development.
• How will it work with licensing? To use requests in ServiceNow we do not need additional licensing. If one logs into the tool to do things like approvals, one will need a license. Many folks, like the client account, already have a license. After the START changes, the business users will need a license, so there will be additional costs.
• What is overall spending for the program? 5 projects in the program; could delay, remove, or decrease cost in other projects. Overall spend for the program: 5 projects in the program of 750K. Today's request is 100K. Leaves us other questions for the other projects in the program. Already approved CMDB project. Need to examine overall program spending.

Propose the planning proceed, with agreement to return with a total program proposal and further analysis of funding and funding sources. Motion (Faith). Second (Susan K). In favor: 14. Against: 0. Abstain: 0.

2. HEAL13-A YSM - AS400 Decommission: Student Affairs' Migration - Check-in after Plan/Analyze phases - Request to continue through deployment phase - Tom Hancock (Project Manager/Business Analyst) and Vijay Menta (Dir Client Team Lead Academic Admin) (3:20-3:40)

Please see attached slides for further information.

• AS400 has been in place since 1983 and has been in maintenance mode for several years.
• Want to migrate Student Systems data only; other applications are out of scope (such as BMS HR and Research Systems). Also does not include decommissioning of the AS400.
• Why do this project? (See slide.)
• Who are the offices involved? Office of Student Services. Within this, the Office of Student Affairs will be affected most greatly with Student Records data. The Admissions office does not have any application data on the AS400 this year, but has archival data from 1986 to this year that must be migrated.
• Implementation cost: Asking for $160K (includes external funding requests of $85K).

Questions:

• Are you suggesting that this information move to Banner? The student information, yes. The Admissions information would move to the new system. The Financial Web App would not be moved (already interfacing with Banner). Don't want to be building a Financial Aid Web Application just for the School of Medicine when there is already a central Financial Aid Web App. YSM would be using the central web app; we would not be creating a new one. The Student Affairs office in the Med school will feel the most impact. Financial aid office data will be impacted and must be redirected for data access. The sources of data to the web app will have to be redirected: student info will go to Banner, application data to a new program; will build new interfaces to the Financial Aid web office. Want to make sure we are not building an interface when we use the central office financial aid. Will be very transparent to users. For other smaller offices, will have little impact.
• Migration of two phases of data: Starting with active students as most important and necessary, then looking back at archiving data only from 1995 on. Banner does not go back prior to 1995, so it is not possible to go back further.
• Why does it take 4 months to move student records? The fit-gap analysis we have to do will be time consuming. Involves collecting information that is not part of the Banner standard package.
• Timeline includes actual reports necessary. No second phase to the project.
• Would be ideal to have this complete by July. No service interruptions. Seems an odd time of year for the project - during the academic year. Office of Student Services will continue to use AS400 data throughout Academic Year 2013, but will cut off at the end of the year. Would be ready to convert in January, but will not convert until Fall.
• Are the Human/Animal protocol systems included? They are on the AS400, but not included in the scope of this piece of the project. Another project exists to determine the plan for pieces not being migrated in this year. Project 13B will analyze what it will take to get the remaining applications off the AS400.
• Question for RE team: where does the MS HRP transition fit in the roadmap?
• Need approval for $160K that includes $85K for external expenses. Received pre-approval for $20K for planning and analysis.

Motion to approve (Len). Second (Kim). In favor: 14. Against: 0. Abstain: 0.

3. Yale Dining Core Systems - Don Landry (Project Manager), Vijay Menta (Director Client Team Lead Academic Administration), Jeanette Norton (Deputy Director Dining) (3:40-4:00)

Guests: Howard Bobb from Dining Services. See attached slides for further information.

Change Point of Sale System

• Currently a lot of manual labor and work to calculate Sales Tax. The current system is not integrated with the inventory system. Many other activities require a lot of manual work.
• See slides for further information detailing Goals, Scope, etc.
• Many advantages to the proposed Cardsmith program.
• Equipment maintenance cheaper. One half of the cost of the proof of concept is rebatable if the POC does not work. The POC will not be in a dining hall; it will be in a lab setting. Currently, we have issues collecting the appropriate tax, so our mitigation is to overtax to ensure we are not at risk.
• How is this funded? Original project $717 allocated in the portfolio; the difference is the additional features (like dual swipe) that culminated in a new cost. We also found refinements in the 18 technical interfaces. The goal is to come back to the committee after the POC, as we will know more about the actual costs.

Questions:

• What is the relationship of the Odyssey system? What about meal tracking and planning? Odyssey would be replaced in order to allow for improved meal planning and meal tracking. Also enhanced reporting back. Odyssey would be decommissioned at the back end.
• We would redesign the 900 plans to make sure they function correctly. No replacement of existing cards, but in future only issuing 1 card per person; the Cardsmith card can handle multiple plans.
• What is the $49K in the software Proof of Concept total cost? Software to prove that the transactions go through correctly. If we decide not to go through with the system after 30 days, this amount is entirely reimbursable.
• Where are we planning to do the proof of concept? Will not be a full implementation; limited locations, plans, etc.
• Benefits in tax? Currently over-tax on meal plans in order to make up for the error in estimating tax.
• More flexibility to sell plans to non-traditional individuals.
• How is this funded? Total request for $845K for the project; original allocation was $717K. In evaluating the project in the past few months, some quotes were not originally available and the estimate was not accurate.
• Where is the $130K over the original allocation for this project coming from? Goal is to come back after the proof of concept to TOC with further detail and an estimate on final cost, hoping to bring the price down further.
• This would be concluded over the summer 2013.
• Is this hosted? Yes, we would host this here. The Cardsmith is the only solution hosted in the Cloud. Save $250K by hosting it locally.

Motion to approve the proof of concept (Faith). Second (Karen). In favor: 14. Against: 0. Abstain: 0.

4. Information Security Program Overview and Request for Two Change Orders - Rich Mikelinich (Chief Information Security Officer) and John Guidone (Project Manager) (4:00-4:30)

Please review this QuickBase Report in advance to see the projects that are part of this program: https://www.quickbase.com/db/bg7qbciar?a=q&qid=1000269

There are ten projects within the Information Security Portfolio (see slides for more information):

1. Network analysis & design. Recommendation from the Verizon analysis. Received report today regarding network improvements.
2. Vulnerability Management. Small project aimed at exploring vulnerabilities. Our approach is to perform a new scan and retire current data because of missing information on servers, etc.
3. Private IP migration. Plan to situate workstations on private IP. We hit some bumps with Websense. The issues have been resolved now, but the ultimate solution is Palo Alto. We want to step up our move to Private IP for Lock 2-3 data.
4. Application risk assessment. Necessary for HIPAA compliance. The goal is to assess risk and issue a remediation plan. A potential change order will be forthcoming if other departments step up and request risk assessment.
5. eGRC SaaS system. Will provide one place where we can identify and house all information (i.e. street information, UPS interruptions, building on fire, etc.). We can also tag systems with compliance requirements (HIPAA, etc.). Is this available to IT Partners? Yes. How will it integrate with SN? Need to do dependencies, but is there OOTB integration? Are the timelines going to align? ServiceNow and eGRC are not linked today, but they can be linked in the future.
6. Enterprise Firewall. We strengthened with the Next Generation Firewalls. Settled on the Palo Alto solution because it can detect bad traffic, can identify data that should not leave Yale, and can block URLs. We need additional policies from OGC. We discovered that Yale is hosting two high schools. Websense is coming up for renewal; we may be able to replace Websense.
7. RSA 2-factor authentication. HPC had issues but they have not decided on the proposed solution yet.
8. VPN Access. Decommission VPN from all accounts that should not have it. The team is thoroughly testing so users will not be impacted. This is linked to the very complicated library compliance problem. Identified a core weakness in the current identity management system.
9. Strategy evaluation of IAM. The Gartner project is complete. Working to close the project.
10. Virtual Directory service. Middleware to allow us to continue to operate with old systems and will allow for new systems later.

• The 10 projects were approved as a Program at $2M. We've broken it into smaller projects. Two projects received pre-TOC approval.
• For today, 2 change requests. Total InfoSec portfolio originally requested as 2 projects around $2M, now in 10 projects. 2 of those projects are now requesting a change request.
• Proposal to group these projects together, look at them holistically, and approve them together as opposed to one at a time into the 10 projects.
• What is the impact of waiting to approve until we know the requests for the entire portfolio?

Two projects asking for approval:

• Private IP migration: involves site visits, looking at and moving. A lot of the time is based on coordination.
  o How many more are there left to be done? We would like to hit all lock2 and lock3 systems. Without an IDM system, it is hard to know how many there are.
• Locating asset system. Students will request a license, and it is given as requested. Requesting $13K more because the drop in number of licenses raises the cost per license by $5. Plan to purchase a smaller subset as opposed to 11,000 licenses.
  o Will the free feature available on new Mac computers for location services allow this to be expanded?
  o Would it be worthwhile to expand this to professional schools? Wanted to make it a token effort to see if the students are interested; if they are, then expand it out.

Proposal to get the information needed and come back with a further proposal.

5. DEV01 Blackbaud Development and Alumni Relations System Implementation - Check-in - Marcia Schels (Dir Client Team Lead Development & Association of Yale Alumni), Doug Hawthorne (Associate Vice President for Development, Director, Information and Support Services), Lynn Andrewsen (Managing Director, Yale Alumni Fund), Jenny Chavira (Deputy Executive Director, Association of Yale Alumni) (4:30-5:00)

See attached slides for further information. Went live with DARCY on July 23rd but still some things to be completed.

1. DARCY: 13 defects, 1 change request, 23 deliverables
2. Completion of Yale College Reunion System

Questions:

• Was the Yale College Reunion System originally part of this project? Yes.
• This is the continuation of DARCY; other projects are separate.
• Can some of these items be pushed to Phase 2? Seems unlikely with a Phase 2 total cost of $100K. Now funding is estimated for $513K. This is a $413K difference.
• Could this be recovered in labor costs? Uncertain because not listed in the proposal. Must review the staffing budget to understand if there is a gap.

Phase 2

• Deliverables that were postponed because they were not needed at the time.
• Had anticipated that we could use our core team to roll this out over the next few years (about 7 FTEs). However, our staff shrunk during the implementation because we had some staff resign.

Request for clarity on what funding request is internal vs. external. Go back and revise the project proposal and come back with final funding numbers.

Health Review - Roseann Adams, PMO Director

• Faculty Financial Activity and Reporting project: about a month of slippage on the project.

Additional points:

• Discussed Infrastructure Services organizational changes.
• Len has invited Meg Bellinger from ODAI to come to TOC to present in future.


IT Service Management Program - START Replacement Project

Adriene Radcliffe

Project Introduction

•  What is it?
  –  FY13 Project as part of the IT Service Management Program. START is our current self-service IT order and access request portal. We would like to move the client self-service request and approval processes into our service management platform, ServiceNow.

•  Overall Project Scope
  –  Replace all START order screens and workflows with ServiceNow workflows via a user-friendly self-service portal which provides status information on the stage of your orders
  –  Align approval processes with more current financial and functional roles
  –  Build interfaces to the fulfillment applications as needed

Project Introduction

•  Problems/Opportunities
  –  Current product is written in code which is not easily maintainable and must be upgraded with the R12 project; by accelerating this project we avoid the upgrade work
  –  R12 Program requests this work be complete by April 2013
  –  Status information on the "status and state of an order" is currently not available to the community and causes hundreds of "status check" calls to service providers
  –  Opportunity to expand catalog beyond what START offers today

•  How is success defined?
  –  Successful replacement, modification, or sunset of all START workflows
  –  Successful roll out to community with improved customer satisfaction scores
  –  Overall project complete and on budget

Internal Resources & External Spend Request

•  Total Estimated Project Cost ROM was $89K based on specific assumptions which are no longer valid

•  Internal resources for a planning phase:
  –  Part time business analyst/SME (Barbara Manville)
  –  Part time technical analyst (current START maintainer Igor B)
  –  Part time solution architect (Shane Anderson)
  –  Part time or shared Change Management with R12 (Wendy Battles)

•  External spend request $99K covers key resources for planning:
  –  $55K on Program/Project Management resource (160 hrs/month Oct-Dec @ 115/hr)
  –  $44K on business analysis (160 hrs/month Oct-Dec @ 90/hr)

•  Plan is to return to TOC with vendor SOW, resource plan and full project budget and schedule in December 2012

Project Charter - Dining Core Systems

Project Champion: Rafi Taherian
Project Sponsor: Jeanette Norton
Project Owner: Vijay Menta
Project Manager: Donald Landry
Functional Champions: Howard Bobb

Deliverables/Tollgates (Tollgate - Date - Status):
  Working Retail POS - 11/1/12 - Pending Approval
  Infogenesis and Eatec - 6/7/12 - Pending Approval
  Recipes, Nutrition, Cycles & Card Smith - 6/27/12 - Pending Approval

Team Members (Name - Function - Responsibility):
  Howard Bobb - Dining Financial - Functional Owner
  Jeanne Ondeck - Dining Training - Functional Owner
  Veronica Arcoraci - Meal Plan Sys Ad - Functional Owner
  Lori Pierce - Agilysys - Project Management

Goals & Objectives:
•  Comply with Sales Tax reporting
•  Improve inventory management having just in time ordering
•  Improve menu options and cycles
•  Reduce manual labor involved in reconciliation and ordering

Problem Statement: The current system calculates sales tax by receipt, exposing Yale to tax audit non-compliance. The ordering system only allows one PO per vendor per day, requiring manual overrides. The inventory, menu and cycle planning are not integrated.

Business Case: The current system does not support sales tax by item by customer and is not integrated with other Dining applications. The new system will be tax compliant, will allow for better inventory management and will allow better menu and cycle planning.

Project Scope
  Scope – New POS, inventory, menu and cycle planning integrated system
  Out of Scope – all other systems & processes, all existing hardware

Steering Committee (Name - Function - Responsibility):
  Rafi Taherian - Dining - Champion
  Jeanette Norton - Dining - Sponsor
  Vijay Menta - ITS - Owner

Stakeholders (Name - Function - Responsibility):
  Dining Hall Managers - Dining Mgmt - Owners
  Dining Administrators - Dining Admin - Users
  Students - Students - Users

Funding: Requesting $100.8K for Proof of Concept
•  The $100.8K includes Site license, F&B Outlet, Retail Module, Eatec Pocket, DB Mgmt, F&B Inven Mgmt and Professional Services to get a retail establishment operational with sales tax functioning properly
•  Phase I – Requesting $614K - Infogenesis and Eatec working
  •  $84K for Professional Services
  •  $335K for Hardware and Licenses
  •  $195K for Consulting and Technical (18 Interfaces)
•  Phase II – Requesting $133K for Recipes, Nutrition, Cycles and Card Smith integrated
  •  $50K for Professional Services
  •  $83K for Consulting and Technical

Project Charter - Dining Core Systems

Accomplishments:

Extensive research has been done including Benchmarking, RFIs and Site Visits.

Benchmarks: Stanford University, Regis University, Fairleigh Dickinson University, Brigham Young University, University of Southern California

Site Visits: Agilysys and other vendors came on site to do a site survey and review the operations to understand current processes and unique operating challenges such as the Fellows Program and "Dual Swipe". This was all done at no cost as pre-sales activity to make sure the solution would work at Yale University.

RFIs: Computrition, FoodPro, Cbord, Microsystems, Inc, Agilysys, CardSmith. The functional team is also familiar with this vendor and software, having used this solution at Stanford University.

Project Charter - Dining Core Systems

Proposal:

The selected vendors, Agilysys and CardSmith, both offer SaaS in the cloud. Agilysys also allows institutions to host the application locally. Agilysys estimates the Total Cost of Ownership including installation and configuration to be $728,389 over 5 years if hosted locally versus $1,012,221 if used as Software as a Service.

The Proof of Concept will prove that the system handles Sales Tax by item by customer and that the inventory is decremented. The current system only calculates Sales Tax per receipt, which has to be reconciled. CardSmith is offering to do the PoC for free. Agilysys did a week of on-site visits for free early in the year.

The Fellows program can be handled through configuration in CardSmith. The work done in the Proof of Concept will lay the foundation for the total project. All work done will be scalable to the full implementation. The Proof of Concept risk is also minimal as we are able to recover all software costs in the first 30 days if there is a no-go decision.

Project Charter - Dining Core Systems

Yale Dining Benefits
1.  Implementation Management
2.  Host & Meal Plan Configuration
3.  On-Line Cardholder Account Center
4.  On-Line Add Value Service
5.  Personalized Training with Site Staff
6.  Daily Data Back-Up & Off Site Storage
7.  No Cost Software/Service Upgrades
8.  Campus-Wide Acceptance
9.  Choice of Open Standard Terminals
10.  On-Line Cardholder Account Center
11.  Live Agent Cardholder Care Service
12.  Managed Card Program Web Site
13.  Comprehensive Marketing Service
14.  Off-Campus Merchant Service
15.  On-Line Reporting
16.  Automated Daily ACH Settlement
17.  Interoperability Across Campuses
18.  Meal Plan Processing
19.  Bookstore Acceptance
20.  On-Line Vending
21.  On-Line Laundry
22.  On-Line Copy
23.  Pay-for-Print
24.  Campus Retail
25.  Self-Service Card Station
26.  Off-Campus
27.  E-Commerce
28.  Financial Aid Credits
29.  Weekly Reset & Semester Block Plans
30.  Dynamic Meal Unit Equivalency
31.  Custom Flex & DCB Plans
32.  "Board Mode" for Dining Halls
33.  Balance Display Option at Terminal
34.  Offline "Store and Forward" Mode
35.  Seamless Integration with Agilysys

Highlighted benefits (* in blue is new functionality):
•  Proper Calculation of Sales Tax by Item by Customer
•  Reduction in Shrinkage and Spoilage
•  Decrementing of Inventory
•  On-line Cardholder Account Center (Students & Parents)
•  Meal Plan Processing (Fellows)
•  Integration of Agilysys and CardSmith
•  Board Mode for Dining Halls
•  Weekly Reset & Semester Block Plans
•  Dynamic Meal Unit Equivalency

Project Charter - Dining Core Systems

Rough Project Plan as of initiate phase (timeline runs Sept through June):
•  Due Diligence, Vendor reviews, site visits, Benchmarking, Requests for Information, contract negotiations
•  Proof of Concept
•  Phase I – Plan, Analyze, Design, Build, Test and Deploy the Installation of Infogenesis, Eatec and CardSmith
•  Phase II – Build Recipes, Nutrition, Cycles

If the project is approved on October 4th we can begin the proof of concept and report back on November 1st. Assuming the proof of concept is successful, Phase I funding would also be requested on November 1st in order to keep the project on time to meet an end of fiscal year and deliverable date during the summer recess.

Project Charter - Dining Core Systems

The Proof of Concept will validate that the new system is integrated and can process sales tax properly. It can then be scaled to include all the hardware and licenses.

Financial and Non-Financial Benefits of installing new systems:
1.  Compliance with State Sales tax
2.  Higher student and Parent satisfaction
3.  Less Manual Work Arounds and Reconciliation

Summary of Costs (includes Proof of Concept), in Dollars:
  Yale Technical Costs: $87,318
  Consulting Costs: $208,336
  Software: $258,383
  Hardware: $129,186
  Professional Services: $156,300
  Misc: $5,742
  Total Budget: $845,265

Summary of Costs - Proof of Concept, in Dollars:
  Consulting Costs: $18,160
  Software: $49,632
  Hardware: $2,293
  Professional Services: $21,850
  Annual Maintenance: $8,880
  CardSmith: $0
  Total Budget: $100,815

Project Charter - Dining Core Systems

Q&A

The State of Information Security

October 4th, 2012

Prepared by Richard Mikelinich, CISO, Yale University

10/8/12 - Confidential

Overview

The state of security at Yale has been a major concern as there are multiple Information Technology areas that need immediate improvement to reduce risk. The level of Information Security controls in place is not correlated to the prestige and importance of the organization.

•  Yale is vulnerable to hostile intrusions, loss of network control and data loss events. In the current environment incidents are likely to occur, though we have established a trend of lowering this probability.

•  This current state has served as the catalyst for new operational capabilities, policies and a portfolio of projects all aimed at reducing risk.

Risk Overview

•  Network Security
  –  The absence of network and separation firewalls (except YPD, ROTC, Facilities, Security, YUHS & Investments)
  –  No active Intrusion Protection System (IPS)
  –  Most workstations are on public IP addresses
  –  Remote access ports and services are open to the world (except RDP)
  –  Malicious scanning of staff and faculty workstations is occurring
  –  No active log management, correlation or analysis
  –  Student / Faculty / Staff are all on the same network with little or no separation.

•  Email Security
  –  No Secure Email Gateway (no encryption of Email)

•  Application Security
  –  No secure coding program
  –  Only starting vulnerability management

Risk Overview

•  Compliance and Assurance
  –  SDR process does not address legacy population.
  –  GLBA: Planning Assessment Schedule for 2012
  –  FERPA: Planning Assessment Schedule for 2012
  –  PCI: Planning Assessment Schedule for 2012
  –  HEOA (DMCA): Up to date
  –  CFR21 Part 11: One active request
  –  HIPAA:
    •  Risk Assessments begun but data everywhere and comingled with other data
    •  OCR has begun audits (150 CEs with Ernst & Young)

•  Identity Management
  –  System vulnerabilities exist
  –  Some subsystems were marked end of life in years past and should be decommissioned per the manufacturer
  –  Account compromises are occurring
  –  There is no two factor authentication
  –  The password reset interval is not in line with best practices
  –  No centralized way to audit where and what users access.

Risk Overview

•  Non-ITS Server Security
  –  Servers are not always protected by Data Center Firewalls
  –  Servers are not hardened, patching is inconsistent
  –  No vulnerability management

•  Data Loss Prevention
  –  Reliance on user action and testimony, no positive assurance
  –  No persistent agent
  –  No identification of ePHI
  –  Servers are scanned annually for SSN presence

•  Desktop Security
  –  25% of known workstations are managed and reasonably secure
  –  Safe Harbor is established for the Covered Entity component

Threat Landscape

Intentional

Foreign Intelligence
• Target research and intellectual property
• Sophisticated and persistent

Hacktivism
• Target for embarrassment and reputation
• Universities are an active target (100 this week)

Organized Crime
• Target identity and financial data
• Bots and malware, constantly evolving, up to 70K new per day

Accidental

USB / Mobile Device
• Loss, theft and lack of encryption
• HIPAA violations

3rd Party & Cloud
• Need to know where data is (outside US)
• Proper DUA and BAA (vendor management)

Data Loss
• Improper disposal (over 100k medical records from a laptop)
• Legacy data


Business Risks Driving Information Security


Sources:
• Verizon Cybertrust Enterprise Security Assessment 2012
• Yale ISO HIPAA Enterprise Security Assessment 2012
• Yale ISO Policy Analysis & Assessment 2012

Quantified | General
Data Loss | Reputation; Liability
HIPAA, PCI, DMCA, FERPA, GLBA Compliance | Reputation; Grant opportunities; Revenue loss
Account & Network Compromise | Spam and phish; System availability
Lack of Controls for Access | Fraud; Legal risk

Projects


Information Security Projects


1. ITS404 Network Analysis and Redesign – a project to assess what modernization our network needs. Early reports from Dimension Data indicate that network infrastructure changes will be needed to build security into the network itself.

2. ITS405 Vulnerability Management Program – verification and remediation of the server-level vulnerabilities identified by the Verizon assessment across the whole University.

3. ITS406 Private IP Migration – move workstations that sit on our untrusted open network onto private IP addresses, to afford some measure of data protection for staff working with Yale confidential and/or SSN/patient data.

4. ITS411 Application Risk Assessment – assess risk and issue remediation requirements for systems residing in the covered entity components of Yale (Nursing, YSM, YMG) and for financial applications.

5. ITS416 RSA eGRC Implementation – an IT governance system to house all aspects of systems risk management. Enterprise risk management, compliance, policy, incident management and business continuity are the specific functions this solution provides.

6. ITS417 Enterprise Firewall – the perimeter of the Yale network will be strengthened with a Next Generation Firewall. This device will let us apply a layer of silent protection by deflecting bad traffic from the Internet, such as scanning, brute-force attacks, malware and hacking. Additionally, this appliance will let us decommission our problematic Websense Internet proxy, which serves as the conduit to the Internet for users.

7. ITS418 RSA 2-Factor Authentication – the rate of account compromise at Yale is unacceptably high. Events that have occurred warrant additional protection, specifically for the High Performance Computing group (HPC). This project is implementing a proof-of-concept facility that will deploy RSA SecurID (a two-factor authentication solution) for HPC and lay the groundwork for moving additional populations onto a 2-factor platform.

8. ITS415 VPN Access – a coordinated effort to de-provision the VPN from the Active Directory accounts of individuals who do not warrant the permission. This will provide both a security and a Library license compliance benefit.

9. IDM000 Strategic Evaluation IAM – a project done by Gartner to assess the Identity Management portfolio of systems at Yale.

10. ITS423 Virtual Directory Service (VDS) – Gartner's primary recommendation was the VDS, a technology that lets organizations delink the critical path of IT projects from the critical path of IAM projects: a consistent interface point is maintained in the VDS layer for all systems needing identity services. This project is limited to a pilot to evaluate the suitability of this technology for Yale.

Appendix&


What is VDS?

• Capability based on Virtual Directory Services (VDS)
• VDS is software that runs on a server.
• VDS will access identity data from any upstream source and combine/present it in any format needed by a downstream consumer.
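An added example of the two VDS properties described above and in project 10 (ITS423): identity data is pulled from several upstream sources, joined on a common key, and each downstream consumer is handed only the attributes its own view defines, so the consumer never couples to an upstream schema and never receives attributes it is not entitled to. This is illustrative Python, not Yale's VDS pilot or any vendor's product; the source names (`ldap`, `hr`), the attribute names, the two people, and the rule that only HR-active identities are presented are all constructed for the demonstration.

```python
"""Minimal virtual directory in the sense of the slide: identity data is read
from several upstream sources, joined on a common key, and presented to each
downstream consumer in that consumer's own shape.  Added example, not Yale's
or a vendor's VDS code; the sources, attributes and people are constructed."""
from typing import Any, Callable, Dict, List, Optional, Tuple

Record = Dict[str, Any]
Mapping = Dict[str, Tuple[str, str, Callable[[Any], Any]]]

# Constructed upstream sources.  The same person is uid/mail/employeeNumber in
# the LDAP-style directory and emp_id/dept/status/ssn in the HR feed.
LDAP_SOURCE: List[Record] = [
    {"uid": "jdoe", "mail": "jane.doe@example.edu", "employeeNumber": "1001",
     "memberOf": ["cn=hpc-users,ou=groups"]},
    {"uid": "rroe", "mail": "rick.roe@example.edu", "employeeNumber": "1002",
     "memberOf": []},
]
HR_SOURCE: List[Record] = [
    {"emp_id": "1001", "dept": "Nursing", "status": "active", "ssn": "000-00-0001"},
    {"emp_id": "1002", "dept": "YSM", "status": "terminated", "ssn": "000-00-0002"},
]


class VirtualDirectory:
    def __init__(self) -> None:
        self._sources: Dict[str, Dict[str, Record]] = {}    # source -> join key -> record
        self._views: Dict[str, Mapping] = {}                # consumer -> attribute mapping
        self._gate: Optional[Tuple[str, str, Any]] = None   # (source, attr, required value)

    def add_source(self, name: str, join_attr: str, records: List[Record]) -> None:
        """Index an upstream source by the attribute that joins it to the others."""
        self._sources[name] = {r[join_attr]: r for r in records}

    def require(self, source: str, attr: str, value: Any) -> None:
        """One policy point shared by every consumer: present an identity only
        if `source` says attr == value.  Illustrative rule, not from the slides."""
        self._gate = (source, attr, value)

    def define_view(self, consumer: str, mapping: Mapping) -> None:
        """View attribute -> (source, source attribute, transform).  Anything a
        consumer has no mapping for never leaves the VDS for that consumer."""
        self._views[consumer] = mapping

    def resolve(self, source: str, attr: str, value: Any) -> Optional[str]:
        """Translate a lookup by any attribute (e.g. uid) into the join key."""
        for key, rec in self._sources[source].items():
            if rec.get(attr) == value:
                return key
        return None

    def lookup(self, consumer: str, join_key: str) -> Optional[Record]:
        if self._gate is not None:
            source, attr, value = self._gate
            if self._sources[source].get(join_key, {}).get(attr) != value:
                return None
        view: Record = {}
        for out_attr, (source, src_attr, transform) in self._views[consumer].items():
            rec = self._sources[source].get(join_key)
            if rec is None:
                return None  # refuse a partial identity rather than present one
            view[out_attr] = transform(rec.get(src_attr))
        return view


def same(value: Any) -> Any:
    return value


def build_demo_directory() -> VirtualDirectory:
    vd = VirtualDirectory()
    vd.add_source("ldap", "employeeNumber", LDAP_SOURCE)
    vd.add_source("hr", "emp_id", HR_SOURCE)
    vd.require("hr", "status", "active")
    # The HPC portal gets a login name, mail, department and a group flag.  It
    # has no mapping for HR's SSN, so it cannot receive it even if it asks.
    vd.define_view("hpc_portal", {
        "username":   ("ldap", "uid", same),
        "email":      ("ldap", "mail", same),
        "department": ("hr", "dept", same),
        "hpc_member": ("ldap", "memberOf", lambda groups: "cn=hpc-users,ou=groups" in groups),
    })
    # A payroll export is entitled to the SSN; that entitlement is recorded here, once.
    vd.define_view("payroll_export", {
        "employee_id": ("hr", "emp_id", same),
        "ssn":         ("hr", "ssn", same),
    })
    return vd


def lookup_by_uid(vd: VirtualDirectory, consumer: str, uid: str) -> Optional[Record]:
    key = vd.resolve("ldap", "uid", uid)
    return None if key is None else vd.lookup(consumer, key)


if __name__ == "__main__":
    vd = build_demo_directory()
    print(lookup_by_uid(vd, "hpc_portal", "jdoe"))  # joined view, no SSN
    print(lookup_by_uid(vd, "hpc_portal", "rroe"))  # None: HR lists the person as terminated
```

The decoupling the slide describes is visible in `define_view`: if the HR feed renames `dept` or moves to a new system, only the mapping in the VDS changes and the HPC portal keeps reading `department`. The same place also carries the entitlement decision, which is why a virtual directory is a natural point to audit which application may see which attribute.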


Virtual Directory Conceptual View
