Information Technology Challenges

January 31, 2012 | Comments (0)

There are numerous information technology trends that currently and into the future will challenge Lansing Community College’s ability to provide an effective and efficient teaching and learning environment for students, faculty and staff. Among them are the following which will be discussed in this briefing paper:

  • Cloud Computing
  • Mobile Devices/Bring Your Own Device (BYOD)
  • Regulatory/Compliance Requirements
  • Information Security
  • Classroom Technology

Cloud Computing

Cloud computing is an information technology delivery model where applications or infrastructure (servers, storage) are accessed via the internet rather than through an on-premise implementation. LCC has implemented a number of cloud based applications such as: course management (Angel, Desire2Learn); expense reporting (Concur); job posting/hiring (PeopleAdmin); constituent relationship management (IntelliWorks); student email (Google); credit card payments (TouchNet); social networking (Facebook, twitter) and student financial aid disbursements (HigherOne).

There is a lot of hype related to cloud computing and its potential for more user self service, faster implementations, and cost savings. The risks and challenges associated with moving into the cloud include data security and privacy, integration with other systems, data location and portability, eDiscovery requirements, and vendor viability and lock-in. Cloud computing services are continuing to evolve and mature, but may not yet be ready for use at Lansing Community College for mission critical or confidential data related applications.

The ITS Division is responsible for providing and supporting a safe, secure, and reliable information services environment for the College. The ability of employees and students to easily and independently engage cloud computing resources challenges the ability of ITS to fulfill this mission. Students, faculty and staff should be aware of these risks before committing to storing sensitive and confidential information in cloud service vendor’s systems.

Mobile Devices/Bring Your Own Device (BYOD)

The saturation of mobile devices (Smart phones, Tablets, and Laptops) into American lives continues at an unprecedented rate. The use of mobile devices is no longer limited to young technical professionals but has expanded to include almost every demographic. The rapid increase in use of these mobile devices has led to a new set of challenges for IT departments across the country. As the traditional IT mindset of keeping a tight leash on all hardware and software being used is giving way to a “bring your own device” or BYOD environment. The first step Lansing Community College faces in addressing this new set of challenges is to catalogue exactly what they are.

When a person brings a mobile device onto campus they introduce an unknown system to the campus network. The college has certain controls in place for college owned devices such as group policy, application approval, and antivirus/antimalware. All of this allows for mitigation of many of the risks outside of the campus environment. In addition, when machines are native to campus there are also further controls from firewalling, email spam filtering, and intrusion prevention, which provide for a safer environment. Native campus machines are also much easier to support since the system setups are standard and the installed applications are fully tested for compatibility. Also, patching, software installs, upgrades, OS fixes, etc. is an automated process with native campus machines. Student devices and non campus owned employee devices do not have all of these protections in place and thus can introduce risks such as malware/viruses etc to the campus environment.
BYODs invite many technical issues and detailed questions that have to be addressed prior to allowing non-LCC owned devices to connect to the College’s infrastructure. Among them are:

  • Will the device be running Windows Mobile, Apple IoS, Android, Blackberry OS, WebOS, or something else entirely?
  • Will the mobile device be connecting via the College’s wireless network, a physical network port or use mobile carrier?
  • How will the campus authenticate and control access to the network?
  • Will the campus be able to track machines and users who are malicious or infected?
  • What level of access are people expecting from each type of access?
    • What type of network controls will be applied?
    • How much bandwidth will be utilized or allowed to be utilized and what impact will it have on the rest of campus services.
  • What type of information are people expecting to have access to?
    • Do they just want access to the internet?
    • What activities will be allowed browsing, gaming, peer to peer?
    • Do they want full access to their email and files?
    • Do they want their email and calendar information on these personal mobile devices?
    • Do they need full access to secure files?
    • Do they need full access to our secure systems?
    • Will they want secure information stored on these devices?
  • What level of support is expected for these devices?
    • What is the LCC’s liability with supporting Non-LCC mobile devices?
  • What kind of data will be on these devices.
    • Is it encrypted?
    • Is it sensitive?
    • Should the device go missing/stolen what is lost?

Regulatory/Compliance Requirements

The higher education environment is ideally a place for the exploration of new concepts and the acquisition of greater in-depth information. This open environment must be respected with a realization that federal and state laws and regulations place controls on what the information worker can access and how to configure associated information systems.

Laws are being created to safeguard the information gathered by schools and also to provide transparency into the operations of the college. As threats are realized by policy makers, new laws are being developed to mitigate these threats. Since the information security threat environment is constantly evolving, policy changes will continue to occur to catch up. Most of the regulatory mandates involve the implementation of best practices in the information technology management environment, so there are often solutions readily available, but at a cost to the IT operation and to the college in the form of process changes.

The college has numerous federal, state and contractual compliance requirements including: FERPA, FTC Red Flag Rules (Identity Theft), GLBA (Gramm Leach Bliley Act for financial Aid), PCI-DSS (Payment Card Industry Data Security Standards), HIPAA (Health Information Portability and Accountability Act). These compliance requirements are often unknown by the average person, but impose restrictions on how information is gathered, stored, transmitted and accessed, and therefore form the restrictions that an IT organization must place on its systems and its users. As information becomes more mobile and also located in alternative repositories and systems, it becomes increasingly difficult to prove compliance with these regulations.

The consequence of a failure of one of the information security controls is what is often referred to as breach notification. The State of Michigan, as well as almost all of the other 49 states, has a notification law for the breach of privacy for Social Security Numbers. It requires the college to notify a person in the event of a breach of the privacy of their information. The college may also choose to notify people if other information is compromised that could lead to the theft of their identity. The notification of a breach to a large audience can have reputational damage that can influence future student enrollment or fund raising. A breach can also become a large financial liability for the college from fines and costs associated with forensics and mitigation.

The regulatory environment is asking IT to place increasing controls on where information resides and at the same time the user is asking for more convenience by using personal devices and home based computers, making for a difficult evaluation of options. The reduction of Personally Identifiable Information (PII) to only computer systems that require it may require changes in our processes for student and employee information access and even grade reporting.

Information Security

The college and indeed the whole world are reliant on a stable Internet and its computer applications. What would you do if the Internet was down? Jot down what would be unavailable to you. Angel, Student Email, Facebook, student payments, and the finance department uploading paychecks. These are worst case scenarios, but they fall into the realm of information security. Risk is evaluated by people by how likely it is to occur. It may not be likely that a nation-state will declare cyber war on LCC, but it is much more likely that a LCC computer will browse the Internet and get infected with a virus that steals the user’s personal information.

There is an ever increasing sophistication to the attacks that the staff and students of LCC are subjected to. Phishing emails that attempt to fool a person into giving up confidential information or to click on a dangerous link are becoming increasingly difficult even for trained personnel to recognize. Some of these scams have whole organizations running behind them to fool the targets that this is legitimate. The other area of advancement is in the understanding of the vulnerabilities in computer applications. Who has not tired of the continuous updates to computer applications like Adobe, Java and Windows? These are patches to problems in the computer applications that the bad guy will attempt to exploit. Patching is a required continuous activity to safeguard the computer systems on campus.

Information security can not only consider the hardware and software that make up a computer system, but it must also consider the person using the system. It costs a lot for the bad guys to reach a level of technical sophistication to break into systems, but it is relatively cheap to ask people to give up their username and password. Social engineering is not unique to computers, but computers give the social engineer many methods to ply his trade. Security awareness training offsets this imbalance by informing people what to look out for. The bad guys also take advantage of the fact that many people that use personal laptops, smart phones and tablets do not have the technical protections in place like a college supplied laptop and so any information on them is at greater risk. Compliance requirements mandate that access to a student’s information is protected by password or two-factor authentication. Are all the personal devices that you use password protected?

Social networks like Facebook and twitter are examples of another type of information security risk and that is stealing trust. Most users of social networking sites have a degree of trust that the post from a friend is safe to read. Hijacking an account or getting people to repost an incredible story on Facebook allow a bad guy to post links to malware sites or adware sites. When you see a link for the latest hurricane footage or a sex tape, you should evaluate if you trust the source. Not everyone in cyberspace is good. How do you inform and convince over 20,000 individuals not to click on a link that promises the latest info on Heidi Klum? (http://home.mcafee.com/advicecenter/most-dangerous-celebrities?ctst=1)

Changing Classroom Technology

LCC has undergone a transformation in the last ten years in terms of technology installed in classrooms. Prior to the changes, the AV equipment available for faculty use was typical fair of the times; overhead projectors, portable slide projectors, film projectors. The equipment was moved from room to room as needed. In 1998 the college installed its first classroom teaching station consisting of a computer, fixed projector, VCR, and document camera. Since that time, over 200 classrooms have been outfitted with teaching stations and fixed AV equipment. Along with the equipment has been the installation of the requisite wiring and connectivity infrastructure that allows the equipment systems to function

Because of the varied ways the classrooms are used, the different preferences and teaching styles of faculty, and the desire to equip many classrooms, it can be challenging in determining which AV technologies to deploy on a large scale. Efficiencies and economies of scale aren’t realized if the approach is to customize each individual classroom. With varied setups and configurations, faculty and room users would be confronted with different equipment interfaces for each classroom.

Evolving and changing expectations by students and faculty over classroom technology also presents a challenge. Much of what is happening in regards to audio and video content is about the personalization of delivery. In the years ahead, it will be important for us to determine classroom AV setups and configurations that allow users to be comfortable with using the technologies while also being efficient and effective in purchasing and support.

The audio and video systems on campus are currently a mix of analog and digital technologies. As time and budget allow, analog components are being upgraded and replaced with digital versions. We have reached the point where the backbone and infrastructure of the AV systems need to be upgraded. The digital upgrades will allow new functions and features to be made available to faculty and the classrooms and will help future-proof the college’s systems. A significant challenge will be to complete the infrastructure changeovers while keeping existing systems up and available.

LCC currently has a video library for use by faculty in the classroom that contains over 3700 titles. These titles are in many different analog and digital formats (VHS, U-Matic, Laserdisc & DVD). Integrating the titles into a server-based, “Video on Demand” system, that is more convenient and accessible for faculty, will be challenging due to current copyright laws. The titles need to be transferred to the servers where they can be accessed via LCC’s IP network. In this case, the difficulty is not rooted in implementing technology, but in how the copyright law is applied.

Technology changes bring about the need for training and professional development. As new technology is deployed it is imperative that Media Services staff complete the training necessary to support and maintain the hardware and software. In addition, end users need to be trained on how to utilize the equipment in their classrooms.

Providing training resources to over 2000 faculty members on how to utilize evolving classroom technology systems is challenging. The fact that over 80% of LCC faculty are adjunct provides additional challenges. Typically, adjunct faculty have other jobs and come to LCC only to teach their courses and do not spend much additional time on campus. In order to maximize opportunities for access, training resources should be offered in a variety of formats (printed instruction sheets posted in classrooms, live face-to-face and web based multi-media). Providing multiple options for obtaining information increases, but does not guarantee, that training resources will be utilized. Successful training will go a long ways toward increasing the comfort level of end users and the successful integration of AV technology into classroom instruction.

Category: Briefing Papers, Challenges

Leave a Reply




If you want a picture to show with your comment, go get a Gravatar.