Ryan, thank you for the update on the upcoming standard to be authored collaboratively, that’s a positive development.
Based on follow up comments, the standard appears to pivot more towards security, yet the document as it’s now written seems largely concerned with PC maintenance – would ROI/TCO recommendations and day to day support expectations perhaps live better in another, more general standard that encompasses SPI and non-SPI systems?
• Could an IT Agents or IT UNM meeting be scheduled that discusses dongles, wireless updates, and other plans to secure these systems? It sounds like there are significant changes coming, but I imagine this is the first many of us have heard of them.
• Could we get the definitions for Sensitive and Protected Information (SPI)?
• If a system is not used by students, but also doesn’t access SPI, does this standard apply to it?
• Will these SPI systems need to run WSM images?
• I know this is a recurring theme, but it appears Apple and Linux devices, among many others, would not be allowed to access SPI?
• An Active Directory doesn’t on its own guarantee a secure system – what specific implementations are forthcoming?
o Are there particular group policies or third party software that will be applied to these systems to lock them down? Will something like Software Restriction Policies or Applocker be used, or some other software that allows some software to run, and blocks everything else?
o Those have the potential to block much legitimate academic software used around campus, what testing protocol will be followed prior to software and other enforcements?
o If a department acquires new software and needs it to be unblocked, what is the process, and will there be a chargeback for that request?
• Would users of these SPI systems use one Windows PC to access SPI data, and then have another if they have to travel, do presentations, or if they need to install software as needed?
• What will the communication/change management process look like for these systems? If a group policy or other change blocks legitimate software, breaks printing, or disables an Internet browser for a user, as examples, should a user call C-IT, or their local IT? Will local IT receive prior notification about group policy changes?
o What cost-recovery will apply?
o Will a billing index be required to initiate a ticket?
o What SLAs will apply to support requests in these situations?
• Is an encryption system on the roadmap?
- This reply was modified 7 years, 4 months ago by ccovey01.