Connecting the IT Dots

Thursday, May 8, 2014 l 8:30 – 10:30 a.m. l Harvard Faculty Club

Agenda

• Implementing the Policy on Accessing Electronic information

• HUIT IT Workgroups• HUIT Business Continuity, Disaster Recovery • Project Delivery Framework • Cloud Dev Ops• Network

• General Q&A

Electronic Communications Policy Implementation

Thursday, May 8, 2014 l 8:30 – 10:30 a.m. l Harvard Faculty Club

Overview

• President Faust established the Electronic Communications Policy Task Force in Spring 2013 to “consider and recommend appropriate policies regarding access to, and confidentiality of, electronic communications that rely on University information systems.”

• Chaired by David Barron (HLS), the University-wide faculty task force met several times over the course of a year and consulted broadly with the Harvard community.

• The Task Force released its report and draft policy on February 26, 2014.

• The Harvard Corporation adopted the policy on March 31, 2014 .

Process• In carrying out its work, the Task Force:

– Focused on recommending a policy that aimed to honor the University’s commitment to academic freedom and free inquiry while being sensitive to the University’s administrative and operational needs.

– Considered the expectations of individuals and associated issues of notice and process

– Examined scenarios at Harvard and elsewhere to understand the complexities and implications of accessing electronic information

– Considered whether and to what extent Harvard’s policies should be University-wide or specific to certain parts of the University or particular institutional roles and responsibilities

– Consulted widely with the University community and peers to learn about best practices at the University and elsewhere

Examples of Legitimate Purposes for Granting Access• The Task Force outlined the following justifications for access:

– Protecting the life, safety, and health of a member of the University community.

– Handling litigation or complying with legal process, such as subpoenas.

– Protecting University information systems and devices from disruption and damage.

– Facilitating continuity of University operations.

– Facilitating internal investigations concerning misconduct.

Key Points of the Policy• Limited Justifications for Access: Access to electronic information should be

permitted only for a legitimate and important University purpose

• High-Level, Accountable Authorization: Access to electronic information for reasons other than systems maintenance and protection should be undertaken by IT staff only when specifically authorized by the head of the School or component of the University making the request, such as a dean of a faculty.

• Notice to Users: There should be a strong presumption that users should receive timely notice in any case in which access to their electronic information has been authorized.

• Minimization Rules and Protocols: Access to electronic information, if authorized, should be undertaken in a narrow manner

• Record-Keeping: Written records of decisions to access electronic information should be prepared in a manner that permits subsequent review of such decisions.

• Independent Oversight Committee: Decisions to authorize access to electronic information should be subject to periodic review to ensure an independent set of “eyes” also lends its perspective on any such decisions and on possible policy or process changes.

Implementation: Leadership Support

• There is work in progress to provide support for the faculty and administrators who have key responsibilities outlined by the policy, including the:

– Establishment of the Oversight Committee to supervise the application of the policy and the development of future iterations

– Development of a checklist for Deans and other “authorizers” who will be called upon to make decisions on whether or not to grant access

Implementation: Other Work Streams

IT

•• Create an IT Code of Conduct

•• Establish standard operating procedures for minimization

•• Develop a process for tracking requests and a format for reporting on them

HR

•• Develop a process for off-boarding staff/ transferring data to appropriate sources when staff leave

•• Establish a training process for the IT and HR workforces on the policy

Policy

•• Rationalize existing privacy and confidentiality notices

•• Develop an annual privacy notice process

Communication

•• Develop an engagement strategy for disseminating key information on the policy and training resources to staff

•• Develop a mechanism for ongoing communication related to policy

Timeline for Work Streams

Apr ’14 Jun ’14 Aug ’14 Dec ‘14IT• Develop IT code of

conduct• Develop

minimization protocols

• Create auditing mechanism

Policy• Inventory and

rationalize existing policies

• Develop annual privacy process

HR• Develop off-

boarding process• Create training

process and roll out

Communications• Develop

engagement strategy for implementation and training

• Disseminate key information on policy

Appendix A: IT Code of Conduct (DRAFT)

Appendix B: Minimization Procedures (DRAFT)

IT Workgroup IntroductionsConnecting the IT Dots

Thursday, May 8, 2014 l 8:30 – 10:30 a.m. l Harvard Faculty Club

Overview

• Why were these groups created?• Major areas of opportunity/need for improvement• Need to make progress across multiple HUIT goals

• The basic model• Inspired from a good model with Information Security• Exec group/Workgroup/”Big group”

• Shared set of deliverables• Strategy document• High-level multi-year plan• AY15 plan

Business Continuity /Disaster Recovery

Business Continuity/Disaster Recovery Work Group

Goals:

• Develop an overall strategy for BC/DR with a primary focus on HUIT, but an eye towardunderstanding what a University-wide approach would look like. – by 6/30

• The strategy needs to:• Address all aspects of events management: people, process, and tools/technology; • Ensure event escalation processes, clear roles and responsibilties are in place as events progress.• Address both applications and services;

• Address the current major enterprise applications and services housed at the University as well as

existing outsourced applications and services;

• Provide architectural guidance for the design of new applications and services, both purchased

and University-built.

Projected Outcome:

• Current state assessment, future state with gaps identified - 6/30• Develop overall strategy with workstreams and deliverables - 6/30• Develop a preliminary multi-year plan and budget to implement the strategy. – 6/30

• Simplify and clarify, clear people processes for how HUIT handle events

• Design and deploy our University technology services to ensure resiliency

• Develop appropriate DR plans where resiliency is not an option.

• Communicate, train and practice for DR events.

• Create a sustainable process to support ongoing BC/DR functions.

Strategic Objectives Guiding Principles Key Performance Indicators

• Will work closely in partnership with business leadership to ensure plans reflect requirements.

• Solutions shall be based on a small set of standardized options rather than custom solutions.

• Our plans and solutions will be communicated, understood, tested, and validated.

• Solutions shall maximize “bang for the buck”.

• Number of critical IT services that have a regularly tested DR solution.

• Existence of documented and implemented reference architectures

• Uptime or # of major incidents for critical infrastructure (network, power, etc.)

.

In order to support continuity of technology services for the University, HUIT will have established processes, defined roles and when possible resilient systems that can withstand and/or recover from a broad range of

incidents from minor to disaster.

HUIT Business Continuity Vision

HUIT BUSINESS CONTINUITY VISION

DRAFT – FOR DISCUSSION PURPOSES ONLY

Project Delivery Framework

Project Delivery Framework Work Group

Goals:

• Develop a standardized approach for delivering projects at HUIT for the full spectrum of projects done (small, medium, large, programs, PRC/ITCRB, applications, infrastructure, etc.)

• Integrating the best of our foundational practices (ITIL, Agile, Project Management)

• Bringing together our various disciplines (business, software development, Dev Ops, project management, architecture, etc.).

The Challenge

Vision

1. Keep it as simple as possible while still ensuring consistency and predictability

2. Deliver value incrementally and quickly to as many individuals as possible

3. Meet evolving University needs through continuous improvement

4. Promote collaboration within and between all groups

5. Support multiple methodologies and development patterns

Objectives Guiding Principles Key Performance Indicators

Enable HUIT to efficiently and consistently manage IT projects that deliver valuable services to the University through a simple and clear framework

The Vision for Project Delivery

1. Project - Define a standard framework (people, process and tools) for delivering value and transparency to the University from IT projects and programs of all sizes

2. Portfolio - Provide the ability to manage collections of current and future efforts

3. Governance - Enable clear models for evaluation, prioritization, funding, approval, resource management and measurement across governing bodies

4. Engagement & Adoption - Educate, collaborate and encourage adoption across HUIT and all of our partners

1. Increase quantity and distribution of projects utilizing Framework

2. Increased sponsor satisfaction with project outcome and process

3. Increasing stakeholder satisfaction with project portfolio

4. Reduction of number of projects delayed due to resource contention

5. Increased use of the framework for preparing proposals for governing bodies

6. Employee satisfaction with framework7. Number of staff that have attended

framework training

Draft Timeline

FY’14 FY’15 FY’16July 2014 January July 2015 January

Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4

Project Delivery

Portfolio Management

Governance

Engagement and Adoption

Cloud & Dev Ops

• To reduce the cost for the delivery of Information Technology services for Harvard University

• To reduce error, rework, and security risk in the implementation and maintaining of infrastructure

• To develop a service catalog that defines optimized offerings and how services are defined, approved, funded, enhanced, and retired

• To improve the reliability and resiliency of HUIT service offerings

• To enable greater agility and efficiency in the delivery of HUIT services

Strategic Objectives Guiding Principles Key Performance Indicators

• Drive operational accountability through process enablement

• The future state will be business outcome driven by best practices and not inhibited by current conditions

• Outcomes will include the delivery of toolsets, services, and optimized organization structures

• Defined processes should be flexible enough to allow for dynamic implementation by applications

• Transparency and openness are essential to our group’s success. Involved parties should not be privy to punitive actions.

• Percent change of the ongoing cost basis and chargeback rate

• Percent change for the # of infrastructure-related incidents

• Service value defined as usage compared against cost

• Defined SLA’s met or exceeded

• Length of time to close project requests across associated tickets

• Survey or Rating results from HUIT partners

Build the capability to configure, deploy, and operate HUIT Services in optimal ways in order to provide value for the Harvard Community

The Vision for the HUIT Cloud Dev Ops workgroup

Cloud Dev Ops Workgroup Vision

DRAFT – FOR INTERNAL DISCUSSION PURPOSES ONLY

Expected Deliverables

Deliverable Expectations Due Date

Vision One page Vision identifying strategic objectives, guiding principles, and key performance indicators.

April 18, 2014

Current State An assessment of organization, process, financial, and technology across domain areas, including known risks and opportunities for improvement.

May 2, 2014

Statement of Needs The requirements for HUIT and our partner organizations for any future usage of cloud offerings.

May 2, 2014

Future State Clear directive statements by domain mapped against objectives and benefits. Should include a visual overview of future.

June 13, 2014

Gap Analysis and Migration Approach

High-level activities across multiple tracks, indicating objective, benefit, and approximate timelines.Should include a visual roadmap.

July 7, 2014

FY15 Plan Achievable tasks for FY15. July 7, 2014

Network Workgroup

Network Workgroup Goals

• Develop a comprehensive strategy for the network for Harvard University and community

– baseline current state

– create vision of the future network

– outline future direction for the organization, processes, technology

• Build a multi-year plan on how to achieve that future network

– understand major workstreams

– revised financial models

– staffing and organizational changes

• Develop a revised FY15 plan that starts us in the right direction

– FY15 plans already underway and rates set

– rationalize investments and plans against new strategy

Network Workgroup: Scoping and Organizing the Effort

• “The network” really covers a vast array of technologies, services, and customers -- managed by HUIT, college IT departments, providers, end-users, etc.

• strategy and vision should be informed of this diversity without getting bogged down in it

• need a way to scope and organize the sprawl

• We have defined a series of swim lanes or service categories for the workgroup to use:

• division of labor amongst workgroup members

• grouping of like services and infrastructure elements

• potential future workstreams for roadmap

Network Workgroup Progress: Parallel Tracks for Discovery

• Workgroup members divided up to work on swim lanes in parallel, regularly reporting back on efforts and progress

• current state discovery

• identification of problems and opportunities

• initial cut at future direction for each major service area

• Swim Lanes:

Service Levels and BillingPhysical InfrastructureCore and DistributionAccess LayerDatacenter Networking

External Peering and ConnectivityNetwork SecurityHybrid Cloud/NetworkNetwork Automation, Mgmt, Monitoring

Network Workgroup Progress: Last 7 Days

• Current State:

• workgroup only started 3 weeks ago

• not quite as far along as the other HUIT workgroups

• currently working on a draft of the vision for network strategy

• currently working on discovery for current state description of the major service areas/swim lanes

Question(s)?