In addition to the questions posted by others, I submit the following:
1) Scope of the Standard: “The standard addresses the following Supplemental service…”. The definition of Supplemental as per KSA is “Those aspects of information technology that are offered via a central entity on a non-exclusive basis”. However, later in the standard’s “Equipment Set up, Integration, and Security” section, bullet 5 states “All UNM owned devices must utilize Microsoft Active Directory (AD) authentication and must be joined to either HEALTH or COLLEGES UNM domains.” These statements seem conflicting to me. If a standard applies to a department offering a Supplemental service, can the standard specify that the non-exclusive central entity must use an Enterprise service? As usual, I’m confused. And why is it that only the HEALTH or COLLEGES UNM domains are specified? See my additional comments below.
2) Also in Equipment Set up Integration and Security: “Operating systems must be within manufactures {SIC} product life cycle.” What about a system that is not connected to the network at all via wired or wireless?
3) If the Standard is stating that everyone must now join the Enterprise AD, who will be responsible for the potentially extremely complex and costly (both in terms of people and downtime) process of migrating existing directory services to a different AD?
4) Can a department choose to join the HEALTH domain?
5) There are multiple items specified in the standard that do not belong, IMO. For example, under “Usage”, bullet 2 states “Publish best practices for users of the device.” Most of the section called “Support Plan” is not appropriate for a standard. There are multiple University Administrative Policies that specify departmental responsibilities for publishing policies. For example, here are snippets from UAP 2500 and UAP 2520. I’m sure there are others.
– UAP 2500 Acceptable Computer Use: “Individual departments within the University may define “conditions of use” for information resources under their control. These statements must be consistent with this overall policy but may provide additional detail, guidelines, and/or restrictions. Such policies may not relax, or subtract from, this policy. Where such “conditions of use” exist, the enforcement mechanisms defined within these departmental statements shall apply. Individual departments are responsible for publicizing both the regulations they establish and their policies concerning the authorized and appropriate use of the equipment for which they are responsible.”
– UAP 2520 Computer Security Controls: “Therefore, all departments operating University owned computers, including those operated by faculty, staff, and students, must develop departmental security practices which comply with the security practices listed herein. In addition, departments must have environment-specific management practices for business functions such as maintenance, change control procedures capacity planning, software licensing and copyright protection, training, documentation, power, and records management for computing systems under their control. This may be done by hiring a qualified employee, sharing resources with other departments, or contracting with UNM Information Technologies (IT). IT is available to assist and advise departments in planning how they can carry out compliance with this and other computer technology-related policies. Departments must document and periodically review established practices.”
Cyndi Johnson
- This reply was modified 8 years, 3 months ago by cdean.