|
|
|
|
 |
EDUCAUSE 2008 ASM Constituent Group Meeting NotesCreated by Kevin Shalla (University of Illinois at Chicago) on November 13, 2008
Administrative System Management Constituent Group Meeting NotesOct 29, 2008 12:40 - 2:10 PM Orlando, Florida
About 60 attendees were present. There were brief introductions followed by a discussion of topics submitted in advance.
SSN Eradication / masking strategiesUniversity IDs need to be created separately from SSNs. Systematically analyze reports and screens to remove SSNs from as many as possible; University IDs are usually a satisfactory substitute for SSN. Some schools are attempting to define university ID as FERPA directory information, citing the need to have a public unique identifier (so that SSN can remain private), plus the fact that most university officials already have access to university ID, and so it should not be used for authentication. Others oppose this, as they use it for authentication purposes.
Determining the optimal balance between baseline and customized systemsThe gray area between baseline and completely customized is the most interesting and where most schools are. A starting point in this discussion is the definition of a customization. At one university, two different people had radically different conclusions on how customized a particular system was; one said that the system was only slightly customized, and the other said that it was heavily customized. As an example, which is more of a modification, adding a new Peoplesoft object, or modifying an existing one? One useful definition of a customization is that it can be determined by whether it is lost or retained after a system upgrade.
Another useful concept in this discussion is the net present value of the cost of the modifications. This accounts for all costs associated with making and maintaining a modification over the life of the software, discounted by interest rates (so costs borne now are more expensive than the same costs borne later). These total costs are often not considered when making decisions. One school commented that it contracts with the vendor to make nearly all modifications and maintain these with all upgrades. How should a school determine whether to make a modification or not? The IT departments at some schools try to illuminate the total costs of the various projects for functional departments, then let those departments decide which projects should proceed, based upon value and cost. Some schools which have minimized customizations report that they can respond to requests for data and small ancillary systems without the need for prioritization from departments, diverting effort from administration to production.
Portfolio ManagementHow do you inventory all the systems on campus when the current information is only in the heads of the technical staff? How do we expose the information for users about what is in the portfolio? Several schools report success using wikis because they are easy to set up and use, and so more likely to be updated. Others have tried packaged software for portfolio management successfully.
Maintenance Cost MinimizationSome schools are investigating 3rd party support to minimize costs. Others are investigating Kuali to use for particular pieces of portfolio. Some are considering hosted ERP.
|
 |
|
 |
 |
||
| Unless otherwise noted, EDUCAUSE holds the copyright on all materials published by the association, whether in print or electronic form. In certain cases the work remains the intellectual property of the individual author(s) (see Special Circumstances). Content from conference speeches, presentations, blogs, wikis and feeds reflect the opinions of the author, and not necessarily those of EDUCAUSE or its members. | |||
I offer a few thoughts on "SSN Abatement"
First, the old habit of using the SSN as an authenticator (e.g. logging into an account) was a bad idea because it was not an effective "shared secret" between the user and the sysetm. Replacing SSN in this function with a Student ID lessens the impact of disclosure, but it remains a weak authenticator, subjecting the system to the increased likelyhood of intrusion. Using a University ID (assuming it a number) thus is a poor choice for an authentication mechanism (It reminds me of the bridge keeper in Monty Python and the Holy Grail). It might as well be the user's name. It is time for IT folks to get out of that mainframe program and using an authentication mechanism that is flexible and meets security requirements.
Second, the University ID, if it is numeric, should just be another key label for a person's identity. It is not ALL encompassing, but allows rapid lookups and indexing. This will make it common, and IMHO, it should be public.
lux-in-tenebris@case.edu
Many states have enacted laws that place certain restrictions on universities’ use of SSNs
Arizona passed legislation that prohibits those universities under the jurisdiction of the Arizona Board of Regents from assigning an identification number to faculty, staff, or students at a university that is identical to the individual’s SSN
Here's an interesting read http://atd.agranite.com/emerald-coast/education/how-notre-dame-put-my-ssn-on-the-internet/